RBAC API

Manage roles and permissions: list, add, edit, and assign roles to users (e.g. staff) or permissions to roles. All routes require an Authorization: Bearer <access_token> header, and the caller must hold the admin role (401 without a valid token, 403 without admin). Base path: <API_BASE_URL>/rbac; the paths below are written with the /rbac prefix included. Because every route here is admin-only, an admin access token is the credential that can grant roles and permissions to any user: protect it and scope its lifetime accordingly.

Roles

GET /rbac/roles

List all roles with their permissions. Response: {"roles": [{"id", "name", "description", "permissions": [{"id", "name"}]}]}.

POST /rbac/roles

Create a role. Body: name (required), description (optional). Returns the created role with permissions array. 409 if name already exists.

GET /rbac/roles/<role_id>

Get one role with full permissions list. 404 if not found.

PATCH /rbac/roles/<role_id>

Update a role. Body: optional name, description. Returns updated role. 409 if new name already exists.

POST /rbac/roles/<role_id>/users

Assign the role to a user (e.g. give a user the staff role). Body: {"user_id": number}. Returns {"message": "Role assigned", "user_id": number}. 404 if the user or role is not found.

DELETE /rbac/roles/<role_id>/users/<user_id>

Remove role from user. 404 if user/role not found or user does not have the role.

POST /rbac/roles/<role_id>/permissions

Assign permission to role. Body: {"permission_id": number}. 404 if role or permission not found.

DELETE /rbac/roles/<role_id>/permissions/<permission_id>

Remove permission from role. 404 if role/permission not found or role does not have the permission.

Permissions

GET /rbac/permissions

List all permissions with their roles. Response: {"permissions": [{"id", "name", "description", "roles": [{"id", "name"}]}]}.

POST /rbac/permissions

Create a permission. Body: name (required), description (optional). Returns the created permission with roles array. 409 if name already exists.

GET /rbac/permissions/<permission_id>

Get one permission with full roles list. 404 if not found.

PATCH /rbac/permissions/<permission_id>

Update a permission. Body: optional name, description. Returns updated permission. 409 if new name already exists.

Common responses

401 if the token is missing or invalid. 403 if the caller is not admin. 404 if the resource is not found; note that the DELETE routes also return 404 when the user or role simply lacks the assignment, so a client cannot tell a missing resource from a missing assignment by status code alone. 409 if the name already exists (role or permission); this is a conflict, not a transient error, so a client should look the existing record up by name rather than retry the create.
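Putting the routes above together, here is an added example (written for this page, not the project's own client or server code) of an idempotent provisioning script: it creates or reuses a role and a permission, treats 409 as "already exists" by resolving the record through the list route, grants the permission to the role, and assigns the role to a user. The class and function names, the urllib transport, and the FakeRbacServer that lets it run offline are assumptions; only the paths, request bodies, and status codes come from the page.

```python
"""Idempotent provisioning client for the RBAC API documented above. Added example,
not the project's own code: routes, bodies and status codes come from the page; the
names, the urllib transport and the offline FakeRbacServer are assumptions made here."""
import json
import re
import urllib.request
from urllib.error import HTTPError


class RbacError(Exception):
    """Unexpected status (401 bad token, 403 not admin, 404 missing, stray 409)."""
    def __init__(self, status, what):
        super().__init__(f"{what} -> HTTP {status}")
        self.status = status


def http_transport(api_base_url, access_token):
    """Real transport: Bearer-authenticated JSON requests against <API_BASE_URL>."""
    def send(method, path, body=None):
        req = urllib.request.Request(
            api_base_url + path, method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except HTTPError as err:  # 401/403/404/409 come back as a status, not an exception
            return err.code, {}
    return send


class RbacClient:
    def __init__(self, send):
        self.send = send  # callable(method, path, body) -> (status, payload)

    def _call(self, method, path, body=None):
        status, payload = self.send(method, path, body)
        if status not in (200, 201):
            raise RbacError(status, f"{method} {path}")
        return payload

    def ensure(self, kind, name, description=""):
        """kind is 'roles' or 'permissions'. POST it; on 409 resolve the existing record
        by name via GET, since 409 means the name is taken and a retry cannot succeed."""
        status, payload = self.send("POST", f"/rbac/{kind}", {"name": name, "description": description})
        if status in (200, 201):
            return payload
        if status != 409:
            raise RbacError(status, f"POST /rbac/{kind}")
        return next(r for r in self._call("GET", f"/rbac/{kind}")[kind] if r["name"] == name)

    def grant(self, role_id, permission_id):
        return self._call("POST", f"/rbac/roles/{role_id}/permissions", {"permission_id": permission_id})

    def assign(self, role_id, user_id):
        return self._call("POST", f"/rbac/roles/{role_id}/users", {"user_id": user_id})


def provision_staff(client, user_id):
    """Create or reuse the staff role, give it reports:read, assign it to user_id.
    A reused role keeps whatever it already had, so check its permissions before granting."""
    role = client.ensure("roles", "staff", "Front-desk staff")
    perm = client.ensure("permissions", "reports:read")
    if perm["id"] not in [p["id"] for p in role["permissions"]]:
        client.grant(role["id"], perm["id"])
    return client.assign(role["id"], user_id)


class FakeRbacServer:
    """Constructed stand-in so the example runs offline: only the routes used above,
    with the page's codes (409 duplicate name, 404 unknown role/permission/user)."""
    def __init__(self, users=()):
        self.roles, self.perms, self.users = {}, {}, set(users)

    def _create(self, table, body, link):
        if any(r["name"] == body["name"] for r in table.values()):
            return 409, {}
        rec = {"id": len(table) + 1, "name": body["name"],
               "description": body.get("description", ""), link: []}
        table[rec["id"]] = rec
        return 201, rec

    def send(self, method, path, body=None):
        if path == "/rbac/roles":
            return (self._create(self.roles, body, "permissions") if method == "POST"
                    else (200, {"roles": list(self.roles.values())}))
        if path == "/rbac/permissions":
            return (self._create(self.perms, body, "roles") if method == "POST"
                    else (200, {"permissions": list(self.perms.values())}))
        m = re.fullmatch(r"/rbac/roles/(\d+)/(permissions|users)", path)
        role = self.roles.get(int(m.group(1))) if (m and method == "POST") else None
        if role is None:
            return 404, {}
        if m.group(2) == "permissions":
            perm = self.perms.get(body["permission_id"])
            if perm is None:
                return 404, {}
            role["permissions"].append({"id": perm["id"], "name": perm["name"]})
            return 200, {}
        if body["user_id"] not in self.users:
            return 404, {}
        return 200, {"message": "Role assigned", "user_id": body["user_id"]}
```

Against a real deployment, replace FakeRbacServer(...).send with http_transport("<API_BASE_URL>", token). RbacError carries the status so a caller can tell a 401 (token) from a 403 (not admin) from a 404. The page does not say what the assignment routes return when the role already has the permission or the user already has the role, so provision_staff avoids re-granting by checking the permissions array it gets back instead of relying on that behaviour.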