Skip to content

feat(ai-autopilot): compose vike-rbac for roles/permissions#195

Merged
suleimansh merged 1 commit into
mainfrom
suleimansh/feat/194-vike-rbac-composer
Jul 4, 2026
Merged

feat(ai-autopilot): compose vike-rbac for roles/permissions#195
suleimansh merged 1 commit into
mainfrom
suleimansh/feat/194-vike-rbac-composer

Conversation

@suleimansh

Copy link
Copy Markdown
Member

The last authz gap in the composed stack. #191's crud composer teaches ad-hoc user.role === 'admin' checks (fine for signed-in-vs-not), but past that the vike-data way is can(user, permission) from vike-rbac — and without a persona the agent hand-rolls a roles/permissions schema + checker, the security-sensitive churn we compose to avoid. vike-rbac is also the guard subject vike-admin ("vike-auth resolves the user, vike-rbac enriches roles/permissions, the guard runs") and vike-actions (guard: (ctx) => can(ctx.user, 'posts.publish')) are built around. Same lever as before: a persona, no runtime change.

What changed

  • New vike-rbac-composer persona, wired into vikeExtensionPersonas between auth and crud (so crud/actions guards can delegate to it).
  • Teaches: declare permissions with definePermissions([{ name, roles }]) + extends: ['import:vike-rbac/config:default'] (self-installs vike-auth) + defaultRoles; one check everywhere via can() / hasRole() (route crud canView/canEdit, page guards, session scope, and vike-actions guards through it instead of ad-hoc role fields); seed from the registry with seedRbac() / assignRoles(); guarded RPCs via requirePermission(). Do NOT model the roles/permissions/role_user/permission_role tables by hand.
  • Unit test asserts definePermissions / can(user, permission) / seedRbac / no hand-rolled RBAC tables; vikeExtensionPersonas order updated.

API verification

Cross-checked against the real vike-rbac public API in vike-data (README + exports): definePermissions/can/hasRole from vike-rbac, import:vike-rbac/config:default + defaultRoles, seedRbac/assignRoles from vike-rbac/seed, requirePermission from vike-rbac/telefunc.

Notes

  • Scoping (from the discussion that surfaced this): vike-rbac is Tier-2 (worth composing for role-based apps); vike-i18n is confirmed optional (ships English inline, renders with no i18n runtime); notifications/storage stay in the as-needed tail.
  • Like the rest of the composed stack, vike-rbac is not on npm yet, so this is in-workspace-only until the extensions publish.
  • Tests: 265 pass, 0 fail. Typecheck clean.

Part of #186. Closes #194.

Add a vike-rbac-composer persona to vikeExtensionPersonas (between auth and
crud) so the composed build declares permissions with definePermissions and
routes every guard through can()/hasRole(), seeded from the registry with
seedRbac(), instead of hand-rolling a roles/permissions schema and checker.
vike-rbac is the guard subject vike-admin and vike-actions are built around.
No runtime change.

Closes #194.
@suleimansh suleimansh added enhancement New feature or request priority: high Should be addressed soon security Security-relevant labels Jul 4, 2026
@suleimansh suleimansh self-assigned this Jul 4, 2026
@suleimansh suleimansh merged commit bd13fcf into main Jul 4, 2026
2 checks passed
@suleimansh suleimansh deleted the suleimansh/feat/194-vike-rbac-composer branch July 4, 2026 00:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request priority: high Should be addressed soon security Security-relevant

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compose vike-rbac for roles/permissions instead of hand-rolling authz

1 participant