Role-Based Authorization
architect, critique, revise, code, testModule 4: Role-Based Authorization
Goal: Implement access control logic that differentiates regular accounts from admin accounts.
What you need to know first
Authentication vs. Authorization:
- Authentication (AuthN): "Who are you?" (Resolved in Module 3 via JWTs).
- Authorization (AuthZ): "What are you allowed to do?" (Resolved here via roles).
Role-Based Access Control (RBAC): Assigning permissions based on user categories.
- A regular user can only manage their own tasks.
- An administrator can view system-wide reports, audit histories, or delete any account.
The SOLO idea
Permissions must be verified at the endpoint level, not the frontend. If the frontend hides the "Delete All" button from users, but the backend doesn't check the user's role on the DELETE endpoint, the system is vulnerable. We plan our roles and restrict route access using the planning loop.
Lab 4: Admin Privileges
Estimated AI conversations: 2-3
- Add a
rolecolumn (TEXT, default 'user') to the databaseuserstable schema. Updatedb.py. - Step A: Plan authorization checks. Open Copilot Chat and type:
Follow #file:workflows/architect.md — Plan user schema and token changes:
- When generating a JWT token during login, include the user's
roleinside the payload. - Create an admin-only GET endpoint
/admin/exportthat returns a list of all tasks across all users in the system. - Inside
/admin/export, inspect the authenticated user'srolefrom the JWT. - If the role is not
admin, raise an HTTP exception:403 Forbidden("You do not have permission to access this resource").
- When generating a JWT token during login, include the user's
- Step B: Critique authorization limits. In the same conversation, type:
Follow #file:workflows/critique.md — Critique the admin access plan. Can a regular user forge the token to set their own role to 'admin' (e.g. if the secret is insecure)? Are we safely validating claims?
- Step C: Revise.
Follow #file:workflows/revise.md — Revise the plan to ensure role claims are fully validated on the server and JWT signature verification is sound.
- Step D: Implement.
Follow #file:workflows/code.md — Write the role-based auth routing code in
main.py. - Review the code. The role check should resemble:
if current_user["role"] != "admin": raise HTTPException(status_code=403, detail="Admin access required") - Write automated integration tests in
test_main.py:- Assert that an admin user calling
/admin/exportgets a 200 OK and a global list of tasks. - Assert that a regular user calling
/admin/exportgets a 403 Forbidden.
- Assert that an admin user calling
- Run the tests:
pytest -v - Commit:
git add . git commit -m "Module 4: role-based access control (RBAC) configured" git push
Checkpoint
Create checkpoint_04.md:
- Paste the test cases verifying role-based authorization from
test_main.py. - Explain in 1 sentence why hiding buttons in the UI is not a secure way to enforce user authorization.