1.8 KiB
1.8 KiB
Navigation RBAC
Overview
Navigation visibility in this repo is driven by the Auth.js session and is treated as UX only. Real protection must still happen in route handlers and server-rendered pages.
Current session fields used by navigation:
systemRoleactiveOrganizationIdactiveMembershipRoleactiveBusinessRoleactivePermissions
Access model
System role
super_adminis global and can see system-level areas such asWorkspacesuseris the default system role
Workspace membership
activeMembershipRolerepresents the current workspace role, currentlyadmin | useractiveBusinessRolerepresents the current IT Center profile in the selected workspaceactivePermissionsis the effective permission list for the selected workspace
Navigation config
Navigation is configured in src/config/nav-config.ts.
Supported access properties:
systemRolerequireOrgrolepermissionplanfeature
Typical patterns:
access: { systemRole: 'super_admin' }
access: { requireOrg: true, permission: 'asset:read' }
access: { requireOrg: true, permission: 'master_data:manage' }
Filtering behavior
src/hooks/use-nav.ts reads the current Auth.js session and filters visible items client-side.
Rules:
- items with
systemRolerequire a matching global role - items with
requireOrgrequire an active workspace - items with
permissionrequire that permission inactivePermissions - items with
rolerequire a matchingactiveMembershipRole
super_admin can bypass workspace permission checks only after an active workspace is selected for workspace-scoped areas.
Server-side enforcement
Use these helpers for real protection:
requireSession()requireSystemRole()requireOrganizationAccess()
Do not rely on hidden sidebar items as security.