Add viewer role access controls #165

Closed
opened 2026-06-20 08:20:48 -05:00 by erik · 2 comments
Owner

Goal

Make the viewer role usable for non-admin site access while keeping management-only admin areas restricted to admins.

Requirements

  • Allow active viewer site users to sign in and access their own credential management.
  • Allow viewers to create and manage passkeys for their own account.
  • Allow viewers to create and view API keys appropriate to their own account.
  • Restrict viewer API keys to read-only GET access for posts, sources, and contacts.
  • Keep write operations and management-only API routes admin-only.
  • Keep /admin/users and /admin/activitypub visible and accessible only to admin users.
  • Update admin navigation so viewers only see links they are allowed to use.
  • Ensure role checks are based on stored site-user roles, not ADMIN_EMAIL or ActivityPub actor identity.
  • Document the supported viewer capabilities and limitations.

Acceptance criteria

  • A signed-in viewer can access passkey management and create a passkey for their own account.
  • A signed-in viewer can access API key management and create an API key for their own account.
  • Viewer-created API keys can authenticate GET requests for posts, sources, and contacts.
  • Viewer-created API keys cannot create, update, or delete posts, sources, contacts, or other resources.
  • Viewers cannot access /admin/users or /admin/activitypub.
  • Viewers do not see Site users or ActivityPub links in admin navigation.
  • Admin users retain full access to all admin pages and API capabilities.
  • Tests cover viewer browser access, viewer API-key access, denied write operations, and admin-only management pages.
  • Documentation explains viewer role capabilities and restrictions.
  • Relevant lint/test checks pass.

Dependencies

  • None
Author
Owner

Synced from todu comment by @todu on 2026-06-21T02:30:00.952Z

Review update

  • PR: #173 is open and reviewed.
  • Result: approved; no blocking issues or warnings.
  • Acceptance criteria: 10/10 met.
  • Verified: targeted viewer/API-key/settings/migration tests, npm run build --workspace @slugkit/template-site, ./scripts/pre-pr.sh, and Forgejo Actions run #239.
  • Follow-up: waiting for explicit human merge approval.
erik 2026-06-21 11:15:13 -05:00
Author
Owner

Synced from todu comment by @todu on 2026-06-21T16:10:23.729Z

Closing summary

PR #173 was merged into main.

Acceptance criteria:

  • Signed-in viewer can access passkey management and create a passkey for their own account — met by existing viewer passkey management routes/tests.
  • Signed-in viewer can access API key management and create an API key for their own account — met by /settings/api-keys site-user access and viewer-owned key creation.
  • Viewer-created API keys can authenticate GET requests for posts, sources, and contacts — met by scoped read access tests.
  • Viewer-created API keys cannot create, update, or delete posts, sources, contacts, or other resources — met by operation-scoped bearer auth and denied write/management API tests.
  • Viewers cannot access admin-only user/ActivityPub management — met by stored-role admin guards and denial tests.
  • Viewers do not see Site users or ActivityPub links in navigation — met by settings nav filtering and tests.
  • Admin users retain full access to all admin pages and API capabilities — met by unscoped admin keys and admin-only route guards.
  • Tests cover viewer browser access, viewer API-key access, denied write operations, and admin-only management pages — met.
  • Documentation explains viewer role capabilities and restrictions — met in template/site/src/auth/README.md.
  • Relevant lint/test checks pass — met via targeted tests, build, ./scripts/pre-pr.sh, and Forgejo Actions #239.

Readiness: READY. Closing task.

Reference
erik/slugkit#165