Authorization

MiniWork includes role-based access control (RBAC) for fine-grained permissions.

Roles Schema

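-- Role catalogue. `name` is UNIQUE and NOT NULL, so each role string
-- identifies exactly one row.
CREATE TABLE roles (
  id INTEGER PRIMARY KEY,
  name TEXT UNIQUE NOT NULL
);

-- Many-to-many assignment of roles to users. The composite primary key
-- stops the same role from being granted to the same user twice.
--
-- NOTE(review): the REFERENCES clauses only protect grants when the engine
-- enforces foreign keys (in SQLite that requires `PRAGMA foreign_keys = ON`
-- on each connection). No ON DELETE action is declared, so decide
-- deliberately whether removing a user or role should be blocked or should
-- remove the matching grants; a grant that outlives its user or role is an
-- authorization hazard if ids are ever reused.
CREATE TABLE user_roles (
  -- NOT NULL is explicit because some engines (e.g. SQLite rowid tables)
  -- accept NULL in PRIMARY KEY columns, which would permit a grant row
  -- with no user or no role.
  user_id INTEGER NOT NULL REFERENCES users(id),
  role_id INTEGER NOT NULL REFERENCES roles(id),
  PRIMARY KEY (user_id, role_id)
);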

Checking Roles

/**
 * Example loader that gates a page on the caller's roles.
 *
 * Two checks are shown one after the other for illustration. Because the
 * first already requires 'admin', a caller who holds only 'editor' is
 * redirected before the second check runs; a real loader would normally
 * keep just one of them.
 *
 * @param ctx Request context; this example reads ctx.auth and ctx.redirect.
 * @returns The result of ctx.redirect('/') when a check fails, otherwise
 *          an object carrying ctx.auth.user.
 */
export async function loader(ctx) {
  const { auth } = ctx;

  // Single-role check: only 'admin' passes.
  const isAdmin = auth.hasRole('admin');
  if (!isAdmin) {
    return ctx.redirect('/');
  }

  // Any-of check: passes when the caller holds at least one listed role.
  const isAdminOrEditor = auth.hasAnyRole(['admin', 'editor']);
  if (!isAdminOrEditor) {
    return ctx.redirect('/');
  }

  // NOTE(review): the whole user object is handed to the page; confirm it
  // carries no fields (hashes, tokens) that should stay server-side.
  return { user: auth.user };
}

Checking Permissions

/**
 * Example action that requires the 'posts:delete' permission.
 *
 * The permission check is the first statement, so nothing below it runs
 * for a caller who lacks the permission.
 *
 * @param ctx Request context; this example reads ctx.auth.hasPermission.
 * @returns { error: 'Permission denied' } when the check fails; nothing
 *          is returned by the lines shown here otherwise.
 */
export async function action(ctx) {
  const mayDelete = ctx.auth.hasPermission('posts:delete');

  // NOTE(review): denial is reported as a plain object. Whether the
  // framework maps this to a 403-style response is not shown on this page;
  // confirm the status so a refused request is not logged as a success.
  if (!mayDelete) {
    return { error: 'Permission denied' };
  }

  // Proceed with action...
}