Add Built-In Role-Based Access Control (RBAC) with Roles, Permissions, and Assignments

[null-ed]

✅ Problem

The project currently lacks a reusable and structured RBAC (Role-Based Access Control) system, with the following issues:

1. No Role model or user-role mapping
   Users cannot have multiple roles, and roles cannot share permissions in a reusable way.

2. No standard way to define permissions
   There is no centralized permission list or front-end-friendly permission structure.

3. No permission-checking mechanism
   Access control relies only on is_superuser or resource ownership, which is insufficient for enterprise multi-role, multi-admin systems.

4. No API, dependencies, admin panel, or documentation for RBAC
   Teams must implement their own solutions, leading to duplication and inconsistency.

---

✅ Proposal

Introduce a clean and extensible RBAC system without a database Permission model:

---

1. Permissions as Code Constants

Define all permissions centrally as code constants:

class PermissionNames:
    user = "user"
    user_create = f"{user}.create"
    user_delete = f"{user}.delete"

    book = "book"
    book_edit = f"{book}.edit"

Benefits:

• Centralized and maintainable
• No database table needed
• Avoids duplicate or stale data
• Adding new permissions only requires code changes

---

2. Permission Tree for Hierarchy and UI

Use a dedicated class PermissionNode to build hierarchical structures:

PermissionNode(
    name=PermissionNames.user,
    children=[
        PermissionNode(name=PermissionNames.user_create),
        PermissionNode(name=PermissionNames.user_delete),
    ]
)

Purpose:

• Render permission tree in admin/front-end UI
• Allow administrators to select permissions
• Single source of truth for permission hierarchy

---

3. Data Models (Simplified)

• roles: id, name, description, timestamps
• role_permission: role_id, permission_name (string constant)
• user_role: user_id, role_id

No separate Permission model is needed, keeping the database simple.

---

4. API / CRUD

Provide standard endpoints:

• Create/update/delete roles
• Assign/remove permissions to roles (string constants)
• Assign/remove roles to users
• Query a user’s effective permissions

---

5. Permission Checks

Use FastAPI dependencies:

require_permissions(PermissionNames.user_create,PermissionNames.user_delete)

Logic:

• Aggregate permissions from all roles assigned to the user
• Superusers bypass checks
• Supports any/all permission modes

---

6. Admin Panel Integration

• Role management UI includes permission assignment
• Permission tree automatically rendered from PermissionNode hierarchy

---

7. Documentation and Testing

• Document how to define permissions, build the permission tree, and protect endpoints
• Test role assignment and permission checks

---

📌 Summary

Problem: The project lacks RBAC, making role management and permission control difficult.
Proposal: Add Role, UserRole, and RolePermission models; define permissions as code constants with a hierarchical tree; implement require_permission checks; provide complete API, admin UI, docs, and tests.