fix(rbac): add app config permissions

- Added create, read, update, delete
- Defined permissions for each role

Author: fulleni

lib/src/rbac/permissions.dart

@@ -47,9 +47,11 @@ abstract class Permissions {
   static const String userPreferencesUpdateOwned =
       'user_preferences.update_owned';
 
-  // Remote Config Permissions (Admin-owned/managed)
-  static const String remoteConfigReadAdmin = 'remote_config.read_admin';
-  static const String remoteConfigUpdateAdmin = 'remote_config.update_admin';
+  // App Config Permissions (Global/Managed)
+  static const String appConfigCreate = 'app_config.create';
+  static const String appConfigRead = 'app_config.read';
+  static const String appConfigUpdate = 'app_config.update';
+  static const String appConfigDelete = 'app_config.delete';
 
   // Add other permissions as needed for future models/features
 }

lib/src/rbac/role_permissions.dart

@@ -1,6 +1,45 @@
 import 'package:ht_api/src/rbac/permission_service.dart' show PermissionService;
 import 'package:ht_api/src/rbac/permissions.dart';
-import 'package:ht_shared/ht_shared.dart'; // Assuming UserRole is defined here
+import 'package:ht_shared/ht_shared.dart';
+
+final Set<String> _guestUserPermissions = {
+  Permissions.headlineRead,
+  Permissions.categoryRead,
+  Permissions.sourceRead,
+  Permissions.countryRead,
+  Permissions.appSettingsReadOwned,
+  Permissions.appSettingsUpdateOwned,
+  Permissions.userPreferencesReadOwned,
+  Permissions.userPreferencesUpdateOwned,
+  Permissions.appConfigRead,
+};
+
+final Set<String> _standardUserPermissions = {
+  ..._guestUserPermissions,
+  Permissions.userReadOwned,
+  Permissions.userUpdateOwned,
+  Permissions.userDeleteOwned,
+};
+
+final Set<String> _adminPermissions = {
+  ..._standardUserPermissions,
+  Permissions.headlineCreate,
+  Permissions.headlineUpdate,
+  Permissions.headlineDelete,
+  Permissions.categoryCreate,
+  Permissions.categoryUpdate,
+  Permissions.categoryDelete,
+  Permissions.sourceCreate,
+  Permissions.sourceUpdate,
+  Permissions.sourceDelete,
+  Permissions.countryCreate,
+  Permissions.countryUpdate,
+  Permissions.countryDelete,
+  Permissions.userRead,
+  Permissions.appConfigCreate,
+  Permissions.appConfigUpdate,
+  Permissions.appConfigDelete,
+};
 
 /// Defines the mapping between user roles and the permissions they possess.
 ///
@@ -13,64 +52,7 @@ import 'package:ht_shared/ht_shared.dart'; // Assuming UserRole is defined here
 /// documentation and clarity. The [PermissionService] should handle the
 /// explicit admin bypass if desired.
 final Map<UserRole, Set<String>> rolePermissions = {
-  UserRole.admin: {
-    // Admins typically have all permissions. Listing them explicitly
-    // or handling the admin bypass in PermissionService are options.
-    // For clarity, listing some key admin permissions here:
-    Permissions.headlineCreate,
-    Permissions.headlineRead,
-    Permissions.headlineUpdate,
-    Permissions.headlineDelete,
-    Permissions.categoryCreate,
-    Permissions.categoryRead,
-    Permissions.categoryUpdate,
-    Permissions.categoryDelete,
-    Permissions.sourceCreate,
-    Permissions.sourceRead,
-    Permissions.sourceUpdate,
-    Permissions.sourceDelete,
-    Permissions.countryCreate,
-    Permissions.countryRead,
-    Permissions.countryUpdate,
-    Permissions.countryDelete,
-    Permissions.userRead, // Admins can read any user profile
-    Permissions.userReadOwned,
-    Permissions.userUpdateOwned,
-    Permissions.userDeleteOwned,
-    Permissions.appSettingsReadOwned,
-    Permissions.appSettingsUpdateOwned,
-    Permissions.userPreferencesReadOwned,
-    Permissions.userPreferencesUpdateOwned,
-    Permissions.remoteConfigReadAdmin,
-    Permissions.remoteConfigUpdateAdmin,
-    // Add all other permissions here for completeness if not using admin bypass
-  },
-  UserRole.standardUser: {
-    // Standard users can read public/shared data
-    Permissions.headlineRead,
-    Permissions.categoryRead,
-    Permissions.sourceRead,
-    Permissions.countryRead,
-    // Standard users can manage their own user-owned data
-    Permissions.userReadOwned,
-    Permissions.userUpdateOwned,
-    Permissions.userDeleteOwned,
-    Permissions.appSettingsReadOwned,
-    Permissions.appSettingsUpdateOwned,
-    Permissions.userPreferencesReadOwned,
-    Permissions.userPreferencesUpdateOwned,
-    // Add other permissions for standard users as needed
-  },
-  UserRole.guestUser: {
-    // Guest users have very limited permissions, primarily reading public data
-    Permissions.headlineRead,
-    Permissions.categoryRead,
-    Permissions.sourceRead,
-    Permissions.countryRead,
-    // Standard users can manage their own anonymous-owned data
-    Permissions.appSettingsReadOwned,
-    Permissions.appSettingsUpdateOwned,
-    Permissions.userPreferencesReadOwned,
-    Permissions.userPreferencesUpdateOwned,
-  },
+  UserRole.guestUser: _guestUserPermissions,
+  UserRole.standardUser: _standardUserPermissions,
+  UserRole.admin: _adminPermissions,
 };

lib/src/registry/model_registry.dart

@@ -269,6 +269,25 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       // service during account deletion, not via a direct DELETE to /api/v1/data.
     ),
   ),
+  // Configuration for AppConfig (global, managed by admins, readable by all authenticated)
+  'app_config': ModelConfig<AppConfig>(
+    fromJson: AppConfig.fromJson,
+    getId: (config) => config.id,
+    getOwnerId: null, // AppConfig is a global resource, not user-owned
+    getPermission: const ModelActionPermission(
+      type: RequiredPermissionType
+          .none, // Readable by any authenticated user via /api/v1/data
+    ),
+    postPermission: const ModelActionPermission(
+      type: RequiredPermissionType.adminOnly, // Only administrators can create
+    ),
+    putPermission: const ModelActionPermission(
+      type: RequiredPermissionType.adminOnly, // Only administrators can update
+    ),
+    deletePermission: const ModelActionPermission(
+      type: RequiredPermissionType.adminOnly, // Only administrators can delete
+    ),
+  ),
 };
 
 /// Type alias for the ModelRegistry map for easier provider usage.