feat: centralize role permissions management and synchronize with database

Author: Lasim

services/backend/drizzle/migrations_sqlite/0003_huge_prism.sql

@@ -13,10 +13,12 @@ CREATE UNIQUE INDEX `roles_name_unique` ON `roles` (`name`);
 ALTER TABLE `authUser` ADD `role_id` text REFERENCES roles(id);
 --> statement-breakpoint
 
--- Insert default roles
+-- Insert default roles (permissions will be synced by RoleSyncService on server startup)
 INSERT INTO `roles` (`id`, `name`, `description`, `permissions`, `is_system_role`, `created_at`, `updated_at`) VALUES 
-('global_admin', 'Global Administrator', 'Full system access with user management capabilities', '["users.list","users.view","users.edit","users.delete","users.create","roles.manage","system.admin","settings.view","settings.edit","settings.delete","teams.create","teams.view","teams.edit","teams.delete","teams.manage","team.members.view","team.members.manage"]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
-('global_user', 'Global User', 'Standard user with basic profile access', '["profile.view","profile.edit","teams.create","teams.view","teams.edit","teams.delete","team.members.view"]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000);
+('global_admin', 'Global Administrator', 'Full system access with user management capabilities', '[]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('global_user', 'Global User', 'Standard user with basic profile access', '[]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('team_admin', 'Team Administrator', 'Team management with member and credential access', '[]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('team_user', 'Team User', 'Basic team member with view access', '[]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000);
 --> statement-breakpoint
 
 -- Update existing users to have global_user role (all users since role_id starts as NULL)

services/backend/drizzle/migrations_sqlite/0015_add_mcp_permissions_to_global_admin.sql

@@ -1,5 +1,3 @@
--- Add MCP permissions to global_admin role
-UPDATE roles 
-SET permissions = '["users.list","users.view","users.edit","users.delete","users.create","roles.manage","system.admin","settings.view","settings.edit","settings.delete","teams.create","teams.view","teams.edit","teams.delete","teams.manage","team.members.view","team.members.manage","mcp.categories.view","mcp.categories.create","mcp.categories.edit","mcp.categories.delete","mcp.servers.global.view","mcp.servers.global.create","mcp.servers.global.edit","mcp.servers.global.delete","mcp.servers.team.view_all","mcp.versions.manage"]',
-    updated_at = strftime('%s', 'now') * 1000
-WHERE id = 'global_admin';
+-- MCP permissions are now managed by RoleSyncService on server startup
+-- This migration is kept for historical purposes but no longer performs any operations
+-- All role permissions are automatically synced from roleService.ts getDefaultPermissions()

services/backend/src/permissions/index.ts

@@ -0,0 +1,99 @@
+/**
+ * Centralized Permission Registry
+ * 
+ * This is the single source of truth for all permissions and role definitions.
+ * All other files should import from this module to ensure consistency.
+ */
+
+// Define all role permissions in one place
+export const ROLE_DEFINITIONS = {
+  global_admin: [
+    'users.list',
+    'users.view',
+    'users.edit',
+    'users.delete',
+    'users.create',
+    'roles.manage',
+    'system.admin',
+    'settings.view',
+    'settings.edit',
+    'settings.delete',
+    'teams.create',
+    'teams.view',
+    'teams.edit',
+    'teams.delete',
+    'teams.manage',
+    'team.members.view',
+    'team.members.manage',
+    'mcp.categories.view',
+    'mcp.categories.create',
+    'mcp.categories.edit',
+    'mcp.categories.delete',
+    'mcp.servers.read',
+    'mcp.servers.global.view',
+    'mcp.servers.global.create',
+    'mcp.servers.global.edit',
+    'mcp.servers.global.delete',
+    'mcp.servers.team.view_all',
+    'mcp.versions.manage',
+  ],
+  global_user: [
+    'profile.view',
+    'profile.edit',
+    'teams.create',
+    'teams.view',
+    'teams.edit',
+    'teams.delete',
+    'team.members.view',
+    'mcp.servers.read',
+  ],
+  team_admin: [
+    'teams.view',
+    'teams.edit',
+    'teams.delete',
+    'teams.manage',
+    'team.members.view',
+    'team.members.manage',
+    'cloud_credentials.view',
+    'cloud_credentials.create',
+    'cloud_credentials.edit',
+    'cloud_credentials.delete'
+  ],
+  team_user: [
+    'teams.view',
+    'team.members.view',
+    'cloud_credentials.view'
+  ],
+} as const;
+
+// Auto-generate available permissions from all role definitions
+export const AVAILABLE_PERMISSIONS = [
+  ...new Set(
+    Object.values(ROLE_DEFINITIONS).flat()
+  )
+].sort();
+
+// Export types for TypeScript
+export type RoleId = keyof typeof ROLE_DEFINITIONS;
+export type Permission = typeof AVAILABLE_PERMISSIONS[number];
+
+// Helper functions
+export function getRolePermissions(roleId: RoleId): string[] {
+  return [...ROLE_DEFINITIONS[roleId]];
+}
+
+export function getAllRoleDefinitions(): Record<string, string[]> {
+  const result: Record<string, string[]> = {};
+  for (const [roleId, permissions] of Object.entries(ROLE_DEFINITIONS)) {
+    result[roleId] = [...permissions];
+  }
+  return result;
+}
+
+export function isValidPermission(permission: string): permission is Permission {
+  return (AVAILABLE_PERMISSIONS as readonly string[]).includes(permission);
+}
+
+export function isValidRole(roleId: string): roleId is RoleId {
+  return roleId in ROLE_DEFINITIONS;
+}

services/backend/src/routes/roles/schemas.ts

@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import { AVAILABLE_PERMISSIONS } from '../../permissions';
 
 // Role schemas
 export const RoleSchema = z.object({
@@ -59,31 +60,7 @@ export type UpdateRoleInput = z.infer<typeof UpdateRoleSchema>;
 export type AssignRoleInput = z.infer<typeof AssignRoleSchema>;
 export type UpdateUserInput = z.infer<typeof UpdateUserSchema>;
 
-// Available permissions list
-export const AVAILABLE_PERMISSIONS = [
-  'users.list',
-  'users.view',
-  'users.edit',
-  'users.delete',
-  'users.create',
-  'roles.manage',
-  'system.admin',
-  'settings.view',
-  'settings.edit',
-  'settings.delete',
-  'profile.view',
-  'profile.edit',
-  'teams.create',
-  'teams.view',
-  'teams.edit',
-  'teams.delete',
-  'teams.manage',
-  'team.members.view',
-  'team.members.manage',
-  'cloud_credentials.view',
-  'cloud_credentials.create',
-  'cloud_credentials.edit',
-  'cloud_credentials.delete',
-] as const;
-
+// Available permissions are now imported from centralized permissions registry
+// This ensures consistency across the entire application
+export { AVAILABLE_PERMISSIONS } from '../../permissions';
 export type Permission = typeof AVAILABLE_PERMISSIONS[number];

services/backend/src/server.ts

@@ -33,6 +33,7 @@ import {
 import { GlobalSettingsInitService } from './global-settings'
 import { GlobalSettings } from './global-settings/helpers';
 import { GlobalSettingsService } from './services/globalSettingsService'; // Import the service
+import { RoleSyncService } from './services/roleSyncService'; // Import the role sync service
 import type SqliteDriver from 'better-sqlite3'; // For type checking in onClose
 import type { FastifyInstance } from 'fastify'
 
@@ -98,6 +99,22 @@ export async function initializeDatabaseDependentServices(
       await initializePluginDatabases(dbInstance, dbExtensions, server.log);
       server.log.debug('✅ Plugin database extensions initialized');
 
+      // Synchronize role permissions from code to database
+      try {
+        server.log.debug('🔄 Starting role synchronization...');
+        const roleSyncService = new RoleSyncService(server.log);
+        await roleSyncService.syncRoles();
+        server.log.debug('✅ Role synchronization completed');
+      } catch (roleSyncError) {
+        server.log.error('❌ Role synchronization failed:', {
+          error: roleSyncError,
+          message: roleSyncError instanceof Error ? roleSyncError.message : 'Unknown error',
+          stack: roleSyncError instanceof Error ? roleSyncError.stack : 'No stack trace'
+        });
+        // Don't throw - continue with startup but log the error
+        server.log.warn('⚠️ Continuing without role synchronization due to error');
+      }
+      
       // Initialize global settings with comprehensive debugging
       try {
         server.log.debug('🔄 Starting global settings initialization...');

services/backend/src/services/roleService.ts

@@ -1,6 +1,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { getDb, getSchema } from '../db';
 import { eq } from 'drizzle-orm';
+import { getAllRoleDefinitions } from '../permissions';
 
 export interface Role {
   id: string;
@@ -238,66 +239,9 @@ export class RoleService {
 
   /**
    * Get default permissions for each role
+   * Uses centralized permission definitions
    */
   static getDefaultPermissions() {
-    return {
-      global_admin: [
-        'users.list',
-        'users.view',
-        'users.edit',
-        'users.delete',
-        'users.create',
-        'roles.manage',
-        'system.admin',
-        'settings.view',
-        'settings.edit',
-        'settings.delete',
-        'teams.create',
-        'teams.view',
-        'teams.edit',
-        'teams.delete',
-        'teams.manage',
-        'team.members.view',
-        'team.members.manage',
-        'mcp.categories.view',
-        'mcp.categories.create',
-        'mcp.categories.edit',
-        'mcp.categories.delete',
-        'mcp.servers.read',
-        'mcp.servers.global.view',
-        'mcp.servers.global.create',
-        'mcp.servers.global.edit',
-        'mcp.servers.global.delete',
-        'mcp.servers.team.view_all',
-        'mcp.versions.manage',
-      ],
-      global_user: [
-        'profile.view',
-        'profile.edit',
-        'teams.create',
-        'teams.view',
-        'teams.edit',
-        'teams.delete',
-        'team.members.view',
-        'mcp.servers.read',
-      ],
-      team_admin: [
-        'teams.view',
-        'teams.edit',
-        'teams.delete',
-        'teams.manage',
-        'team.members.view',
-        'team.members.manage',
-        'cloud_credentials.view',
-        'cloud_credentials.create',
-        'cloud_credentials.edit',
-        'cloud_credentials.delete'
-      ],
-      team_user: [
-        'teams.view',
-        'team.members.view',
-        'cloud_credentials.view'
-      ],
-    };
+    return getAllRoleDefinitions();
   }
 }