427e7578-d7bf-49c8-aee9-2dd…/specs/archived/006-role-permission-system/README.md
2026-03-16 22:44:21 +13:00


---
status: archived
created: '2026-03-16'
tags:
- auth
- roles
priority: high
created_at: '2026-03-16T07:51:49.636Z'
depends_on:
- 004-poll-data-model
updated_at: '2026-03-16T09:18:35.900Z'
transitions:
- status: archived
  at: '2026-03-16T09:18:35.900Z'
---
# Role & Permission System
> **Status**: 📦 Archived · **Priority**: High · **Created**: 2026-03-16 · **Tags**: auth, roles
## Overview
Each poll has a role-based permission system. The owner assigns roles to users they discover or invite. Roles control what actions a user can perform on a poll.
## Design
### Roles & Permissions
| Action | Viewer | Participant | Moderator | Owner |
|---|---|---|---|---|
| View poll & results | ✅ | ✅ | ✅ | ✅ |
| Add options | ❌ | ✅ | ✅ | ✅ |
| Vote | ❌ | ✅ | ✅ | ✅ |
| Add/remove users | ❌ | ❌ | ✅ | ✅ |
| Start/stop poll | ❌ | ❌ | ✅ | ✅ |
| Delete poll | ❌ | ❌ | ❌ | ✅ |
### Implementation
- Owner is implicit (`poll.ownerId === userId`)
- Roles stored in `poll.roles[]` array
- Role changes are broadcast to all connected peers
- Moderators can invite users by peer ID (discovered via spec 007) or by sharing a poll link
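- Permission checks happen both client-side (to drive the UI) and on message receipt, where the owner validates the message against the sender's role. Only the owner-side check is a security control, since each peer controls its own client.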
### Invite Flow
1. Owner/moderator discovers a user (see spec 007) or has their peer ID
2. Assigns them a role → updates `poll.roles[]`
3. When that user connects, they receive the poll state including their role
4. Users without a role who connect via link get `viewer` by default
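
One way to write the permission check utility and the owner-side validation described under Implementation and Invite Flow, as an added example that is not the project's code. The action names, the `{ type, role }` message shape, the `{ userId, role }` entry shape in `poll.roles[]` and the use of the peer ID as `userId` are assumptions.

```javascript
// Added example. Action names, message shape and roles[] entry shape are
// assumptions for illustration; the matrix itself follows the table above.
const ASSIGNABLE = ['viewer', 'participant', 'moderator']; // owner is never stored
const PERMISSIONS = {
  viewer: ['view'],
  participant: ['view', 'addOption', 'vote'],
  moderator: ['view', 'addOption', 'vote', 'manageUsers', 'togglePoll'],
  owner: ['view', 'addOption', 'vote', 'manageUsers', 'togglePoll', 'deletePoll'],
};

// Resolve the role from owner-held state only, never from the message body.
function roleOf(poll, userId) {
  if (poll.ownerId === userId) return 'owner'; // implicit owner
  const entry = poll.roles.find((r) => r.userId === userId);
  // No entry, or an entry with an unrecognised role (including a stored
  // 'owner'), falls back to viewer.
  return entry && ASSIGNABLE.includes(entry.role) ? entry.role : 'viewer';
}

function can(poll, userId, action) {
  return PERMISSIONS[roleOf(poll, userId)].includes(action);
}
const canVote = (poll, userId) => can(poll, userId, 'vote');
const canModerate = (poll, userId) => can(poll, userId, 'manageUsers');

// Owner-side gate run on every received message. senderId must come from the
// connection the message arrived on (assumed to be the sender's peer ID),
// not from a field the sender controls.
function validateIncoming(poll, senderId, message) {
  const action = message && typeof message.type === 'string' ? message.type : null;
  if (!PERMISSIONS.owner.includes(action)) return { ok: false, reason: 'unknown-action' };
  if (!can(poll, senderId, action)) return { ok: false, reason: 'forbidden' };
  if (action === 'manageUsers' && message.role !== undefined &&
      !ASSIGNABLE.includes(message.role)) {
    return { ok: false, reason: 'invalid-role' }; // owner cannot be granted
  }
  return { ok: true };
}

// Constructed sample state, including a tampered entry claiming 'owner'.
const samplePoll = {
  ownerId: 'peer-owner',
  roles: [
    { userId: 'peer-mod', role: 'moderator' },
    { userId: 'peer-part', role: 'participant' },
    { userId: 'peer-evil', role: 'owner' },
  ],
};
```
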
## Plan
- [ ] Implement role assignment data model
- [ ] Create permission check utility (`canVote()`, `canModerate()`, etc.)
- [ ] Build user management UI in poll detail page
- [ ] Implement role change broadcast over PeerJS
- [ ] Owner-side validation of incoming messages against roles
## Test
- [ ] Viewer cannot vote or add options
- [ ] Participant can vote and add options
- [ ] Moderator can add/remove users and start/stop poll
- [ ] Only owner can delete
- [ ] Unknown users connecting via link get viewer role