feat: add flexible capability-based RBAC with per-tenant customization

Introduces a capability layer on top of existing roles that controls feature visibility and access. Capabilities follow an area.feature.action taxonomy (~35 capabilities) with sensible defaults per role. Tenant admins can customize via grant/revoke overrides stored in org settings JSONB. Key changes: - Add vice_president role to DB schema - Backend: capability constants, resolution logic, CapabilityGuard (global), @RequireCapability decorator on all 16 tenant controllers - Frontend: permission hooks (useCanEdit, useHasCapability), CapabilityGate component, sidebar filtering by capability, all 17 pages migrated from useIsReadOnly to capability-based checks - New admin UI: /settings/permissions matrix page for per-tenant role customization with grant/revoke delta model - GET /organizations/my-capabilities endpoint for capability refresh - Validation of permissionOverrides in settings updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-06 15:28:14 -04:00
parent 5fec296569
commit 43b10869f0
55 changed files with 1351 additions and 86 deletions
--- a/backend/src/modules/reserve-components/reserve-components.controller.ts
+++ b/backend/src/modules/reserve-components/reserve-components.controller.ts
@@ -1,6 +1,7 @@
 import { Controller, Get, Post, Put, Body, Param, UseGuards } from '@nestjs/common';
 import { ApiTags, ApiBearerAuth } from '@nestjs/swagger';
 import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
+import { RequireCapability } from '../../common/decorators/capability.decorator';
 import { ReserveComponentsService } from './reserve-components.service';

@ApiTags('reserve-components')
@@ -11,14 +12,18 @@ export class ReserveComponentsController {
  constructor(private service: ReserveComponentsService) {}

  @Get()
+  @RequireCapability('planning.projects.view')
  findAll() { return this.service.findAll(); }

  @Get(':id')
+  @RequireCapability('planning.projects.view')
  findOne(@Param('id') id: string) { return this.service.findOne(id); }

  @Post()
+  @RequireCapability('planning.projects.edit')
  create(@Body() dto: any) { return this.service.create(dto); }

  @Put(':id')
+  @RequireCapability('planning.projects.edit')
  update(@Param('id') id: string, @Body() dto: any) { return this.service.update(id, dto); }
 }