Conversation

@kevalyq (Contributor) commented Nov 15, 2025

Summary

Added route-level authorization middleware to Phase 4 RBAC endpoints (Role Management, Permission Management, and User Direct Permission Assignment).

Changes

  • Role Management API (5 routes): Added permission middleware for roles.read, roles.create, roles.update, roles.delete
  • Permission Management API (5 routes): Added permission middleware for permissions.read, permissions.create, permissions.update, permissions.delete
  • User Direct Permission Assignment (2 write routes): Added permission middleware for permissions.assign_direct and permissions.revoke_direct
  • User Permission View routes (2 read routes): Kept Policy-based authorization only (users can view own permissions without requiring permissions.read permission)

Authorization Architecture

  • Write operations: Route middleware (early rejection) + Policy (business logic) = Defense-in-depth
  • Read operations: Policy-based only for view-own routes (users can see their own permissions)
  • Admin operations: Full middleware + Policy protection

Tests

  • ✅ All 277 tests passing (1 skipped)
  • Fixed UserPermissionAssignmentApiTest.php to include required permissions in Admin role setup
  • RoleManagementApiTest.php and PermissionManagementApiTest.php already grant permissions per-test

Fixes #161
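The middleware-plus-policy layering that the description above calls defense-in-depth, written out as an added example; this is not the project's code, and the page does not show its actual files. It assumes a Laravel application with Sanctum-authenticated API routes, a custom `permission` middleware alias, a `User::hasPermission()` helper, and the controller, policy, relation and URI names used below (all assumptions). Four files are shown in one block, each introduced by a `File:` comment.

```php
<?php
// Added example, not the project's code. Assumed: the `permission` middleware
// alias, User::hasPermission(), the controller/policy/URI names, and a
// User::permissions relation. Laravel 11 alias registration goes in
// bootstrap/app.php: $middleware->alias(['permission' => RequirePermission::class]);

// File: app/Http/Middleware/RequirePermission.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RequirePermission
{
    // First layer: a caller without the named permission is rejected here,
    // before the controller or any policy runs. Unauthenticated requests are
    // already stopped by the auth:sanctum middleware wrapping the route group.
    public function handle(Request $request, Closure $next, string $permission): Response
    {
        $user = $request->user();

        if ($user === null || ! $user->hasPermission($permission)) { // hasPermission(): assumed helper
            abort(403, "Missing permission: {$permission}");
        }

        return $next($request);
    }
}

// File: routes/api.php
use App\Http\Controllers\RoleController;
use App\Http\Controllers\UserPermissionController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Admin routes: route middleware (early rejection) + policy check in the controller.
    Route::get('roles', [RoleController::class, 'index'])->middleware('permission:roles.read');
    Route::post('roles', [RoleController::class, 'store'])->middleware('permission:roles.create');
    Route::put('roles/{role}', [RoleController::class, 'update'])->middleware('permission:roles.update');
    Route::delete('roles/{role}', [RoleController::class, 'destroy'])->middleware('permission:roles.delete');

    // Direct-assignment write routes use the seeded permission names named in the PR.
    Route::post('users/{user}/permissions', [UserPermissionController::class, 'assign'])
        ->middleware('permission:permissions.assign_direct');
    Route::delete('users/{user}/permissions/{permission}', [UserPermissionController::class, 'revoke'])
        ->middleware('permission:permissions.revoke_direct');

    // View-own route: deliberately no permission middleware, so a user without
    // permissions.read can still reach the controller; the policy decides there.
    Route::get('users/{user}/permissions', [UserPermissionController::class, 'index']);
});

// File: app/Policies/UserPolicy.php (auto-discovered for App\Models\User)
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // Second layer: the business rule. A user may always view their own
    // permissions; viewing anyone else's requires permissions.read.
    public function viewPermissions(User $actor, User $target): bool
    {
        return $actor->is($target) || $actor->hasPermission('permissions.read');
    }

    // The policy re-checks the permission even though the middleware already
    // did, and can add rules the middleware cannot express. The self-grant
    // restriction here is an illustrative rule, not one the page states.
    public function assignDirect(User $actor, User $target): bool
    {
        return $actor->hasPermission('permissions.assign_direct') && ! $actor->is($target);
    }
}

// File: app/Http/Controllers/UserPermissionController.php
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Gate;

class UserPermissionController extends Controller
{
    public function index(User $user): JsonResponse
    {
        Gate::authorize('viewPermissions', $user); // 403 unless UserPolicy::viewPermissions allows

        return response()->json($user->permissions); // permissions: assumed relation
    }
}
```

With this layering, a caller lacking `roles.create` receives a 403 from `RequirePermission` before `RoleController::store` is ever entered; a `GET users/{own id}/permissions` request passes the middleware-free route and is then allowed by `UserPolicy::viewPermissions`, while the same request for another user's id is refused by the policy unless the caller holds `permissions.read`. The two layers read the same permission set, so the value of having both is coverage of mistakes: a route added later without the middleware is still protected by the policy, and a controller action that forgets its `Gate::authorize()` call is still protected by the middleware.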

Copilot AI review requested due to automatic review settings November 15, 2025 12:37
@github-actions

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

Copilot finished reviewing on behalf of kevalyq November 15, 2025 12:40
- Add permission middleware to Role Management CRUD (5 routes)
- Add permission middleware to Permission Management CRUD (5 routes)
- Add permission middleware to User Permission Assignment (4 routes)
- Follow Phase 3 pattern: route-level auth + policy (defense-in-depth)
- Consistent with Laravel best practices (early authorization)
- Use correct permission names from seeder (permissions.assign_direct, permissions.revoke_direct)

Fixes #161
@kevalyq kevalyq force-pushed the fix/add-route-level-rbac-middleware branch from c9d7622 to 1cd3889 Compare November 15, 2025 12:50
@kevalyq kevalyq merged commit 0fdd6c8 into main Nov 15, 2025
16 checks passed
@kevalyq kevalyq deleted the fix/add-route-level-rbac-middleware branch November 15, 2025 12:52
Development

Successfully merging this pull request may close these issues.

Add route-level authorization middleware to Phase 4 RBAC endpoints

2 participants