To understand ScaffoldHub security, you must understand the concepts:

Permission

Permission is a particular action a user can perform. Examples are customer create, audit log read, or user delete.

Role

A role is a group of permissions. For example, an admin (role) can create users (permission), view audit logs (permission), etc.

Out-of-the-box ScaffoldHub has two roles: Admin and Custom. The idea is that you manually create more roles based on your business context.

Users, Workspaces (Tenants), and Roles

Users can have multiple roles in multiple tenants. For example, a user can be a viewer (role) and an entity editor (role) on Workspace A (workspace), and an admin (role) on Workspace B (workspace).

Demonstration

For this demonstration, we will have the following setup:

admin@scaffoldhub.io with the admin role.

readonly@scaffoldhub.io with the custom role.

The admin role has all the permissions.

The custom role has permission to read customers, products, and orders.

Code

Permissions

Each feature has its own permissions file that describes the features and roles that can access each resource.

Each permission has the following properties:

id - Describes a unique ID of the permission.

allowedRoles - The roles that are allowed for this permission.

allowedStorage - The file storage configuration that is included in this permission.

Roles

Storage (Files)

Each feature has its storage file that describes how files are stored.

More details in Features > File Storage.

Securing Controllers

Controllers start by calling the validateHasPermission function that validates if the current user can access that permission.

Securing Pages

Pages call the hasPermission method to check if the current user has that permission. The app then redirects the user or hides a navigation button if the user hasn't.