Fine-grained role-based access control with server-enforced middleware. 15+ permission areas cover every part of the platform.
The permission system is built on role-based access control with permissions defined at both server and frontend levels. Server middleware blocks unauthorized mutations globally — viewers and guests cannot create, update, or delete any resources. Frontend middleware prevents navigation to unauthorized pages, and sidebar items are conditionally hidden based on permissions.
Permissions cover finance (invoices, expenses, P&L), creative (banner studio, briefs), media (ad accounts, spend), client management (portal, contacts), admin (users, roles, settings), boards (create, edit, archive), chat (channels, DMs), time tracking (entries, approvals), AI (chat, training), and more. Each area can be independently granted or restricted per role.
87 page files are protected by 7 route middleware files — role-admin, role-finance, role-creative, role-media, role-management, role-clients, and sales. Users who navigate to a page they cannot access are redirected to the dashboard. Direct URL access is blocked server-side, not just hidden in the UI.
Every POST, PUT, PATCH, and DELETE request passes through the RBAC middleware. External callers like Xero webhooks and Cloudflare Workers are exempt. Internal API routes are scoped correctly. The system enforces write access restrictions at the API layer, making permission bypass impossible regardless of how the request originates.
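The write gate described above, as an added example (not the platform's own code): a framework-agnostic JavaScript function that blocks mutating methods for read-only roles, checks per-area write permissions, and allowlists the session-less external routes. Role names, area names and paths are assumptions.

```javascript
'use strict';

const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Per-role write permissions by area. Role and area names are assumptions
// modelled on the areas listed above; '*' means every area.
const ROLE_WRITE_AREAS = {
  admin: ['*'],
  finance: ['finance'],
  creative: ['creative', 'boards'],
  viewer: [], // read-only
  guest: [],  // read-only
};

// Routes hit by external callers that carry no user session. They skip the
// role check, so each handler must authenticate the caller itself (for a
// webhook, by verifying its signature). Paths are assumptions; match exactly.
const EXEMPT_PATHS = ['/api/webhooks/xero', '/api/workers/ingest'];

// '/api/finance/invoices' -> 'finance'; anything else -> null (fail closed).
function areaOf(path) {
  const m = /^\/api\/([a-z-]+)(\/|$)/.exec(path);
  return m ? m[1] : null;
}

// Global write gate. req = { method, path, user: { role } | null }.
// Returns { allow, status, reason } so the caller can log every denial.
function rbacGate(req) {
  const method = req.method.toUpperCase();
  const path = req.path.split('?')[0]; // ignore the query string

  if (!MUTATING_METHODS.has(method)) return { allow: true, status: 200, reason: 'read' };
  if (EXEMPT_PATHS.includes(path)) return { allow: true, status: 200, reason: 'exempt-route' };
  if (!req.user) return { allow: false, status: 401, reason: 'unauthenticated' };

  const allowed = ROLE_WRITE_AREAS[req.user.role] || []; // unknown role -> no writes
  const area = areaOf(path);
  if (allowed.includes('*')) return { allow: true, status: 200, reason: 'admin' };
  if (area && allowed.includes(area)) return { allow: true, status: 200, reason: `write:${area}` };
  return { allow: false, status: 403, reason: area ? `no-write:${area}` : 'unknown-area' };
}

// Constructed sample requests (not real traffic) for exercising the gate.
const SAMPLES = [
  { method: 'GET',    path: '/api/finance/invoices',   user: { role: 'viewer' } },
  { method: 'DELETE', path: '/api/finance/invoices/7', user: { role: 'viewer' } },
  { method: 'POST',   path: '/api/finance/invoices',   user: { role: 'finance' } },
  { method: 'POST',   path: '/api/creative/briefs',    user: { role: 'finance' } },
  { method: 'POST',   path: '/api/webhooks/xero?t=1',  user: null },
  { method: 'PATCH',  path: '/api/admin/users/3',      user: null },
];
```

Because the exempt list is the only place the role check does not apply, keep it exact-match and short, and have those handlers verify the external caller before touching any resource.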