Provision Dynamic Permission-based RBAC (SZ-15)
rk@tigase.net opened 1 week ago

Description

The current Sztab security model uses static, hardcoded roles mapped from JWTs (e.g., @PreAuthorize("hasRole('PROJECT_MANAGER')")). While sufficient for MVP, this approach becomes rigid as we expand the system to support more nuanced access needs (e.g., read-only roles, external users, community contributors).

This issue proposes a shift to a permission-based model, where roles are defined dynamically in the database and composed from atomic permissions. This unlocks fine-grained access control, runtime configurability, and future UI-driven role management.


Acceptance Criteria

  •  Define and persist a Permission entity (e.g., CREATE_ISSUE, TAG_RELEASE)
  •  Define a Role entity with a many-to-many relationship to Permission
  •  Allow users to be assigned one or more roles
  •  Update the security layer to check for hasAuthority(...) instead of hasRole(...)
  •  Provide seed data mapping current static roles to equivalent permissions

Example: Permission-Based Roles

Sample Permissions

Permission Name     Description
CREATE_ISSUE        Allows a user to file a new issue in a project
ASSIGN_ISSUE        Allows assigning an issue to a team member
CLOSE_ISSUE         Allows closing or resolving an issue
COMMENT             Allows adding comments to issues or pull requests
TAG_RELEASE         Allows tagging and publishing releases
DELETE_USER         Allows deleting users from the system
VIEW_ALL_PROJECTS   Allows viewing all projects and metadata

Composing Roles from Permissions

Role              Composed Permissions
Project Manager   CREATE_ISSUE, ASSIGN_ISSUE, CLOSE_ISSUE, VIEW_ALL_PROJECTS
Developer         CREATE_ISSUE, COMMENT
QA Engineer       COMMENT, CLOSE_ISSUE
Release Manager   TAG_RELEASE
Admin             All permissions
Observer          VIEW_ALL_PROJECTS

Controller Check (Post-Migration)

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;

@PreAuthorize("hasAuthority('ASSIGN_ISSUE')")
public ResponseEntity<?> assignIssue(...) {
    // Granted by permission, not by role: Project Manager and Admin hold ASSIGN_ISSUE in the
    // seed data, and any role later given this permission passes without touching the controller
}
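The acceptance criteria and the role tables above, worked through end to end as an added example. This is not Sztab project code: the Permission and Role names and the role compositions come from the issue, while the in-memory store standing in for the database, the resolver and check methods, the users alice/bob/carol and every legacy JWT role name other than PROJECT_MANAGER are assumptions made for illustration.

```java
// Added example, not Sztab project code. Entity and permission/role names follow the
// issue; the in-memory store, the resolver, the users and the legacy role names other
// than PROJECT_MANAGER are assumptions for illustration. Runs with: java PermissionRbacExample.java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class PermissionRbacExample {

    // Catalogue of atomic permissions (the Permission entity). Anything not registered here is
    // rejected at seed time, so a misspelled name fails closed instead of silently never matching.
    static final Set<String> PERMISSIONS = Set.of(
            "CREATE_ISSUE", "ASSIGN_ISSUE", "CLOSE_ISSUE", "COMMENT",
            "TAG_RELEASE", "DELETE_USER", "VIEW_ALL_PROJECTS");

    // Role -> permissions, as the Role/Permission many-to-many would hold it.
    static final Map<String, Set<String>> ROLES = new LinkedHashMap<>();

    // User -> assigned roles (the user/role join table).
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();

    // Seed data: legacy static JWT role -> new database role.
    static final Map<String, String> LEGACY_ROLE_SEED = Map.of(
            "PROJECT_MANAGER", "Project Manager",   // name taken from the issue
            "DEVELOPER", "Developer",               // remaining legacy names are assumed
            "QA", "QA Engineer",
            "RELEASE_MANAGER", "Release Manager",
            "ADMIN", "Admin");

    static void defineRole(String name, Set<String> permissions) {
        Set<String> unknown = permissions.stream()
                .filter(p -> !PERMISSIONS.contains(p))
                .collect(Collectors.toSet());
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("unknown permissions for role " + name + ": " + unknown);
        }
        ROLES.put(name, Set.copyOf(permissions));
    }

    static {
        defineRole("Project Manager", Set.of("CREATE_ISSUE", "ASSIGN_ISSUE", "CLOSE_ISSUE", "VIEW_ALL_PROJECTS"));
        defineRole("Developer", Set.of("CREATE_ISSUE", "COMMENT"));
        defineRole("QA Engineer", Set.of("COMMENT", "CLOSE_ISSUE"));
        defineRole("Release Manager", Set.of("TAG_RELEASE"));
        // "All permissions" is stored as the expanded catalogue, not as a wildcard the checker must special-case.
        defineRole("Admin", PERMISSIONS);
        defineRole("Observer", Set.of("VIEW_ALL_PROJECTS"));
    }

    // Migration step for one user: translate the roles carried in the old JWT into database role
    // assignments. An unmapped legacy role aborts the migration rather than dropping access silently.
    static Set<String> seedFromLegacyRoles(Set<String> legacyJwtRoles) {
        return legacyJwtRoles.stream().map(r -> {
            String mapped = LEGACY_ROLE_SEED.get(r);
            if (mapped == null) throw new IllegalArgumentException("no seed mapping for legacy role " + r);
            return mapped;
        }).collect(Collectors.toUnmodifiableSet());
    }

    // Authorities are computed server-side from the stored roles on every request; the token
    // identifies the user, it does not carry permissions.
    static Set<String> resolveAuthorities(String user) {
        return USER_ROLES.getOrDefault(user, Set.of()).stream()
                .flatMap(role -> ROLES.getOrDefault(role, Set.of()).stream())
                .collect(Collectors.toUnmodifiableSet());
    }

    // Equivalent of hasAuthority(...): deny by default, and a name outside the catalogue never matches.
    static boolean hasAuthority(String user, String permission) {
        return PERMISSIONS.contains(permission) && resolveAuthorities(user).contains(permission);
    }

    public static void main(String[] args) {
        USER_ROLES.put("alice", seedFromLegacyRoles(Set.of("PROJECT_MANAGER")));
        USER_ROLES.put("bob", seedFromLegacyRoles(Set.of("DEVELOPER", "QA")));
        USER_ROLES.put("carol", Set.of("Observer"));  // a role that only exists post-migration

        for (String user : new String[] {"alice", "bob", "carol"}) {
            System.out.println(user + " -> " + resolveAuthorities(user)
                    + ", ASSIGN_ISSUE=" + hasAuthority(user, "ASSIGN_ISSUE")
                    + ", CLOSE_ISSUE=" + hasAuthority(user, "CLOSE_ISSUE"));
        }
        // Permission names are validated, so a typo in a controller annotation cannot grant anything.
        System.out.println("alice ASIGN_ISSUE=" + hasAuthority("alice", "ASIGN_ISSUE"));
    }
}
```

Running it shows the union semantics the role table implies: a user holding both Developer and QA Engineer gets CREATE_ISSUE, COMMENT and CLOSE_ISSUE but not ASSIGN_ISSUE, while the migrated Project Manager does. In the Spring service the output of resolveAuthorities would be wrapped in SimpleGrantedAuthority and supplied through JwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(...) (assumed wiring, not shown on the page), so that hasAuthority('ASSIGN_ISSUE') evaluates against database permissions rather than a role claim in the token. Two things to watch during the switch: hasRole('X') in Spring Security matches the authority ROLE_X, so permission names should stay unprefixed and every hasRole check must be replaced, not left alongside; and because authorities are resolved from the database per request, a role change takes effect immediately, which is the runtime configurability the issue asks for and which a token that carried permissions would not give until it expired.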
Type: New Feature
Priority: Normal
Reference: SZ-15