RBAC & Permissions

Technical architecture and management of the database-driven Access Control system.

Architecture Note: nuxt-auto-crud (Core) enforces gates at the API/Nitro layer. The Template provides the UI for state management.

System Schema (Core Engine)

The RBAC state is persisted in SQLite via five core tables:

  • roles: Subject identities (e.g., admin, manager).
  • resources: Object entities (mapped 1:1 to Drizzle table names).
  • permissions: Valid actions (e.g., list_own, update).
  • role_resource_permissions: Junction table defining the Access Control List (ACL).
  • users: Links identity to role.

🚦 Permission Logic Gates

1. Global Scopes

| Action | Logic / Requirement |
|---|---|
| list | Returns records where status = 'active'. |
| list_all | Returns all records (ignores status filter). |
| create | Executes Zod-validated INSERT. |
| read | Single record retrieval by Primary Key. |
| update | Partial modification of existing record. |
| delete | Hard or Soft delete based on schema configuration. |

2. Ownership Scopes

Logic dependent on createdBy or userId presence in Drizzle schema.

  • list_own: SELECT where createdBy == current_user_id.
  • update_own: UPDATE restricted to owner-matching rows.
  • delete_own: DELETE restricted to owner-matching rows.

🛠 Management Flow (Template Implementation)

1. Initialization & Seeding

  • First Login: Triggered by initial Admin session.
  • Auto-Sync: Standard roles (admin, manager, user, public) and existing Drizzle tables are registered as resources.
  • Manual Step: Tables added via migrations post-initialization must be manually added as resources via Admin UI.

2. Granting Permissions

Managed via 'Resource Permissions' (Admin UI):

  1. Role Selection: Context-switch via Top Tabs.
  2. Action Matrix: Toggle gates (Global vs. Own-Scoped) per Resource.
  3. Change Status: Specialized permission for workflow transitions (Admin/Manager).

3. Public Access Logic

  • Default State: All resources are private (Session Required).
  • Public Exposure: Grant actions to the public role to bypass session verification.
  • Endpoint: Public-mapped resources are exposed on unauthenticated API routes.
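
The gates from "Permission Logic Gates" and the public-role fallback above, modeled as an added TypeScript example (not nuxt-auto-crud's own code). The in-memory ACL, the sample rows, every function name and the precedence list_all > list > list_own are assumptions made for illustration.

```typescript
// Added model of the gates; not nuxt-auto-crud source. Names are hypothetical.
type User = { id: number; role: string } | null; // null = request without a session
type Row = { id: number; status: string; createdBy: number };

// Constructed role_resource_permissions rows, keyed "role:resource:permission".
const acl = new Set<string>([
  "admin:posts:list_all", "admin:posts:update", "admin:posts:delete",
  "manager:posts:list", "manager:posts:update_own",
  "user:posts:list_own", "user:posts:update_own", "user:posts:delete_own",
  "public:posts:list",
]);
// Constructed sample data.
const sampleRows: Row[] = [
  { id: 1, status: "active", createdBy: 10 },
  { id: 2, status: "draft", createdBy: 10 },
  { id: 3, status: "active", createdBy: 20 },
];

const can = (role: string, resource: string, perm: string): boolean =>
  acl.has(`${role}:${resource}:${perm}`);
// Sessionless requests are evaluated against the public role.
const roleOf = (user: User): string => (user ? user.role : "public");

// Assumed precedence: list_all > list > list_own. Returns null on default deny.
function listScope(user: User, resource: string): ((r: Row) => boolean) | null {
  const role = roleOf(user);
  if (can(role, resource, "list_all")) return () => true;
  if (can(role, resource, "list")) return (r: Row) => r.status === "active";
  if (user && can(role, resource, "list_own")) {
    const uid = user.id; // own scope needs an identity, so never for public
    return (r: Row) => r.createdBy === uid;
  }
  return null;
}

// A global grant wins; otherwise the *_own grant also requires an owner match.
function canMutate(user: User, resource: string, action: "update" | "delete", row: Row): boolean {
  const role = roleOf(user);
  if (can(role, resource, action)) return true;
  return user !== null && can(role, resource, `${action}_own`) && row.createdBy === user.id;
}

// Ids of the rows a caller may list, or null when no list gate is granted.
function visibleIds(user: User, resource: string, rows: Row[]): number[] | null {
  const scope = listScope(user, resource);
  return scope ? rows.filter(scope).map((r) => r.id) : null;
}
```

In a real handler the returned predicate would become a WHERE clause rather than an in-memory filter.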

⚙️ Static Configuration (app.config.ts)

The crud object in app.config.ts defines the static visibility boundaries for the NAC Interface. These settings govern how data is projected in the UI and serialized during exports.

  • rolesToSeed: Custom role identities (e.g., moderator) injected during the initial bootstrap.
  • globalHide: Keys strictly excluded from the dynamic Data Table UI across all resources.
  • exports: Granular control for PDF and Excel generation.
      • globalExclude: System-wide omissions for the specific format.
      • resourceExclude: Table-specific overrides (e.g., hiding password or internalNote for the users resource).

NOTE: For a deep dive into data serialization logic, refer to the Data Export Documentation.

TIP (Agentic Context): When an LLM tool executes a list or export operation, it must respect these configuration arrays as hard constraints to avoid attempting to process or display restricted fields.