Open
Labels
enhancement, good first issue, hacktoberfest, help wanted
Description
Feature Description
Implement granular role-based access control (RBAC) for rooms with customizable permissions beyond the current owner/editor/viewer model.
Current Limitation
Currently, ResCanvas has basic room roles (owner, editor, viewer) but lacks fine-grained permission controls for specific actions like:
- Stroke deletion/modification by others
- Room settings modification
- Member invitation/removal
- Canvas clearing
- Undo/redo of others' actions
Proposed Enhancement
New Permission System:
- can_draw - Create new strokes
- can_edit_own - Edit/undo own strokes
- can_edit_others - Edit/undo others' strokes
- can_delete - Delete any stroke
- can_clear_canvas - Clear entire canvas
- can_invite - Invite new members
- can_manage_members - Change member roles
- can_configure_room - Modify room settings
- can_export - Export canvas data
Custom Role Templates:
- Moderator: can manage members + delete content
- Contributor: can draw + edit own
- Reviewer: view-only + can comment
- Admin: all permissions
Implementation Areas
- backend/routes/rooms.py - Add permission checks to all room operations
- backend/middleware/auth.py - Extend require_room_access with permission validation
- frontend/src/pages/RoomSettings.jsx - UI for managing custom roles
- MongoDB schema update for rooms collection with permission matrix
- API endpoints: PUT /rooms/{id}/roles, GET /rooms/{id}/permissions
Benefits
- Educational institutions can create student/teacher roles
- Teams can enforce review workflows
- Public rooms can have moderators
- Better control over collaborative sessions
Testing Considerations
- Unit tests for permission validation logic
- Integration tests for role inheritance
- E2E tests for UI permission changes
Related Files
- backend/routes/rooms.py
- backend/middleware/auth.py
- frontend/src/pages/RoomSettings.jsx
- frontend/src/api/rooms.js
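A sketch of the permission matrix and checks proposed above, added here as an illustration and not taken from the ResCanvas code base. The permission names and role templates come from the issue; the room document layout, the function names, and the rule that an actor cannot grant permissions they do not hold are assumptions.

```python
# Permission names are from the issue; data layout and function names are assumed.
PERMISSIONS = frozenset({
    "can_draw", "can_edit_own", "can_edit_others", "can_delete",
    "can_clear_canvas", "can_invite", "can_manage_members",
    "can_configure_room", "can_export",
})

# Role templates from the issue. Reviewer is view-only: commenting has no
# permission in the proposed list, so the set is empty here.
ROLE_TEMPLATES = {
    "admin": PERMISSIONS,
    "moderator": frozenset({"can_manage_members", "can_delete"}),
    "contributor": frozenset({"can_draw", "can_edit_own"}),
    "reviewer": frozenset(),
}

# Constructed sample room document (hypothetical shape of the permission matrix).
SAMPLE_ROOM = {
    "members": {"alice": "admin", "bob": "moderator", "eve": "ta", "mallory": "ghost"},
    "custom_roles": {"ta": ["can_draw", "can_edit_own", "can_export"]},
}

def effective_permissions(room, user_id):
    """Resolve a member's permissions; non-members and unknown roles get none."""
    role = room.get("members", {}).get(user_id)
    if role in ROLE_TEMPLATES:  # built-ins win, so a custom role cannot shadow them
        return ROLE_TEMPLATES[role]
    return frozenset(room.get("custom_roles", {}).get(role, ())) & PERMISSIONS

def has_permission(room, user_id, permission):
    """Deny by default: a misspelled or unlisted permission never passes."""
    return permission in effective_permissions(room, user_id)

def validate_role_update(room, actor_id, role_name, requested):
    """Check the body of PUT /rooms/{id}/roles before it is stored."""
    requested = set(requested)
    unknown = requested - PERMISSIONS
    if unknown or role_name in ROLE_TEMPLATES:
        raise ValueError(f"rejected role {role_name!r}: unknown={sorted(unknown)}")
    held = effective_permissions(room, actor_id)
    if "can_manage_members" not in held:
        raise PermissionError("actor lacks can_manage_members")
    # Assumed rule: an actor cannot grant a permission they do not hold.
    if requested - held:
        raise PermissionError(f"cannot grant: {sorted(requested - held)}")
    return {"name": role_name, "permissions": sorted(requested)}
```

The same `has_permission` call can back both the route-level checks and the `GET /rooms/{id}/permissions` response, so the UI and the server enforce one matrix.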