feat: roles API + type def

cmd/hspguard/main.go

@@ -45,6 +45,7 @@ func main() {
 	cache := cache.NewClient(&cfg)
 
 	user.EnsureAdminUser(ctx, &cfg, repo)
+	user.EnsureSystemPermissions(ctx, repo)
 
 	server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
 	if err := server.Run(); err != nil {

internal/admin/permissions.go

@@ -0,0 +1,82 @@
+package admin
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+)
+
+func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
+	rows, err := h.repo.GetGroupedPermissions(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to list permissions from db:", err)
+		web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
+		return
+	}
+
+	type RowDTO struct {
+		Scope       string                  `json:"scope"`
+		Permissions []repository.Permission `json:"permissions"`
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.GetGroupedPermissionsRow, 0)
+	}
+
+	var mapped []RowDTO
+
+	for _, row := range rows {
+		var permissions []repository.Permission
+
+		if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
+			log.Println("ERR: Failed to extract permissions from byte array:", err)
+			web.Error(w, "failed to get permissions", http.StatusInternalServerError)
+			return
+		}
+
+		mapped = append(mapped, RowDTO{
+			Scope:       row.Scope,
+			Permissions: permissions,
+		})
+	}
+
+	if len(mapped) == 0 {
+		mapped = make([]RowDTO, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(mapped); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}
+
+func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
+	userId := chi.URLParam(r, "user_id")
+
+	permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
+	if err != nil {
+		log.Println("ERR: Failed to list permissions from db:", err)
+		web.Error(w, "failed to get user permissions", http.StatusInternalServerError)
+		return
+	}
+
+	if len(permissions) == 0 {
+		permissions = make([]repository.Permission, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(permissions); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}

internal/admin/roles.go

@@ -0,0 +1,61 @@
+package admin
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/web"
+)
+
+func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
+	rows, err := h.repo.GetRolesGroupedWithPermissions(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to list roles from db:", err)
+		web.Error(w, "failed to get all roles", http.StatusInternalServerError)
+		return
+	}
+
+	type RolePermissions struct {
+		Permissions []repository.Permission `json:"permissions"`
+		repository.Role
+	}
+
+	type RowDTO struct {
+		Scope string            `json:"scope"`
+		Roles []RolePermissions `json:"roles"`
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.GetRolesGroupedWithPermissionsRow, 0)
+	}
+
+	var mapped []RowDTO
+
+	for _, row := range rows {
+		var mappedRow RowDTO
+
+		mappedRow.Scope = row.Scope
+
+		if err := json.Unmarshal(row.Roles, &mappedRow.Roles); err != nil {
+			log.Println("ERR: Failed to extract roles from byte array:", err)
+			web.Error(w, "failed to get roles", http.StatusInternalServerError)
+			return
+		}
+
+		mapped = append(mapped, mappedRow)
+	}
+
+	if len(mapped) == 0 {
+		mapped = make([]RowDTO, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(mapped); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}

internal/admin/routes.go

@@ -41,6 +41,11 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 
 		r.Get("/service-sessions", h.GetServiceSessions)
 		r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
+
+		r.Get("/permissions", h.GetAllPermissions)
+		r.Get("/permissions/{user_id}", h.GetUserPermissions)
+
+		r.Get("/roles", h.GetAllRoles)
 	})
 
 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

internal/repository/models.go

@@ -25,6 +25,41 @@ type ApiService struct {
 	IconUrl      *string   `json:"icon_url"`
 }
 
+type Group struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Description *string   `json:"description"`
+}
+
+type GroupPermission struct {
+	GroupID      uuid.UUID `json:"group_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
+type GroupRole struct {
+	GroupID uuid.UUID `json:"group_id"`
+	RoleID  uuid.UUID `json:"role_id"`
+}
+
+type Permission struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Scope       string    `json:"scope"`
+	Description *string   `json:"description"`
+}
+
+type Role struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Scope       string    `json:"scope"`
+	Description *string   `json:"description"`
+}
+
+type RolePermission struct {
+	RoleID       uuid.UUID `json:"role_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
 type ServiceSession struct {
 	ID             uuid.UUID  `json:"id"`
 	ServiceID      uuid.UUID  `json:"service_id"`
@@ -60,6 +95,21 @@ type User struct {
 	Verified       bool       `json:"verified"`
 }
 
+type UserGroup struct {
+	UserID  uuid.UUID `json:"user_id"`
+	GroupID uuid.UUID `json:"group_id"`
+}
+
+type UserPermission struct {
+	UserID       uuid.UUID `json:"user_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
+type UserRole struct {
+	UserID uuid.UUID `json:"user_id"`
+	RoleID uuid.UUID `json:"role_id"`
+}
+
 type UserSession struct {
 	ID             uuid.UUID  `json:"id"`
 	UserID         uuid.UUID  `json:"user_id"`

internal/repository/permissions.sql.go

@@ -0,0 +1,175 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: permissions.sql
+
+package repository
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const createPermission = `-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING id, name, scope, description
+`
+
+type CreatePermissionParams struct {
+	Name        string  `json:"name"`
+	Scope       string  `json:"scope"`
+	Description *string `json:"description"`
+}
+
+func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const findPermission = `-- name: FindPermission :one
+SELECT id, name, scope, description FROM permissions
+WHERE name = $1 AND scope = $2
+`
+
+type FindPermissionParams struct {
+	Name  string `json:"name"`
+	Scope string `json:"scope"`
+}
+
+func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const getAllPermissions = `-- name: GetAllPermissions :many
+SELECT id, name, scope, description
+FROM permissions p
+ORDER BY p.scope
+`
+
+func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
+	rows, err := q.db.Query(ctx, getAllPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Permission
+	for rows.Next() {
+		var i Permission
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getGroupedPermissions = `-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope
+`
+
+type GetGroupedPermissionsRow struct {
+	Scope       string `json:"scope"`
+	Permissions []byte `json:"permissions"`
+}
+
+func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
+	rows, err := q.db.Query(ctx, getGroupedPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetGroupedPermissionsRow
+	for rows.Next() {
+		var i GetGroupedPermissionsRow
+		if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getUserPermissions = `-- name: GetUserPermissions :many
+SELECT DISTINCT p.id,p.name,p.scope,p.description
+FROM permissions p
+LEFT JOIN role_permissions rp_user
+    ON p.id = rp_user.permission_id
+LEFT JOIN user_roles ur
+    ON rp_user.role_id = ur.role_id AND ur.user_id = $1
+LEFT JOIN user_groups ug
+    ON ug.user_id = $1
+LEFT JOIN group_roles gr
+    ON ug.group_id = gr.group_id
+LEFT JOIN role_permissions rp_group
+    ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
+LEFT JOIN user_permissions up
+    ON up.user_id = $1 AND up.permission_id = p.id
+LEFT JOIN group_permissions gp
+    ON gp.group_id = ug.group_id AND gp.permission_id = p.id
+WHERE ur.user_id IS NOT NULL
+   OR gr.group_id IS NOT NULL
+   OR up.user_id IS NOT NULL
+   OR gp.group_id IS NOT NULL
+ORDER BY p.scope
+`
+
+// From roles assigned directly to the user
+// From roles assigned to user's groups
+// Direct permissions to user
+// Direct permissions to user's groups
+func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
+	rows, err := q.db.Query(ctx, getUserPermissions, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Permission
+	for rows.Next() {
+		var i Permission
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}

internal/repository/roles.sql.go

@@ -0,0 +1,152 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: roles.sql
+
+package repository
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const addPermissionsToRoleByKey = `-- name: AddPermissionsToRoleByKey :exec
+INSERT INTO role_permissions (role_id, permission_id)
+SELECT
+  $1,
+  p.id
+FROM
+  permissions p
+JOIN
+  unnest($2::text[]) AS key_str
+    ON key_str = p.scope || '_' || p.name
+`
+
+type AddPermissionsToRoleByKeyParams struct {
+	RoleID         uuid.UUID `json:"role_id"`
+	PermissionKeys []string  `json:"permission_keys"`
+}
+
+func (q *Queries) AddPermissionsToRoleByKey(ctx context.Context, arg AddPermissionsToRoleByKeyParams) error {
+	_, err := q.db.Exec(ctx, addPermissionsToRoleByKey, arg.RoleID, arg.PermissionKeys)
+	return err
+}
+
+const createRole = `-- name: CreateRole :one
+INSERT INTO roles (name, scope, description)
+VALUES ($1, $2, $3)
+RETURNING id, name, scope, description
+`
+
+type CreateRoleParams struct {
+	Name        string  `json:"name"`
+	Scope       string  `json:"scope"`
+	Description *string `json:"description"`
+}
+
+func (q *Queries) CreateRole(ctx context.Context, arg CreateRoleParams) (Role, error) {
+	row := q.db.QueryRow(ctx, createRole, arg.Name, arg.Scope, arg.Description)
+	var i Role
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const findRole = `-- name: FindRole :one
+SELECT id, name, scope, description
+FROM roles
+WHERE scope = $1 AND name = $2
+`
+
+type FindRoleParams struct {
+	Scope string `json:"scope"`
+	Name  string `json:"name"`
+}
+
+func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error) {
+	row := q.db.QueryRow(ctx, findRole, arg.Scope, arg.Name)
+	var i Role
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const getRolesGroupedWithPermissions = `-- name: GetRolesGroupedWithPermissions :many
+SELECT
+    r.scope,
+    json_agg (
+        json_build_object (
+            'id',
+            r.id,
+            'name',
+            r.name,
+            'description',
+            r.description,
+            'permissions',
+            COALESCE(p_list.permissions, '[]')
+        )
+        ORDER BY
+            r.name
+    ) AS roles
+FROM
+    roles r
+    LEFT JOIN (
+        SELECT
+            rp.role_id,
+            json_agg (
+                json_build_object (
+                    'id',
+                    p.id,
+                    'name',
+                    p.name,
+                    'scope',
+                    p.scope,
+                    'description',
+                    p.description
+                )
+                ORDER BY
+                    p.name
+            ) AS permissions
+        FROM
+            role_permissions rp
+            JOIN permissions p ON p.id = rp.permission_id
+        GROUP BY
+            rp.role_id
+    ) p_list ON p_list.role_id = r.id
+GROUP BY
+    r.scope
+`
+
+type GetRolesGroupedWithPermissionsRow struct {
+	Scope string `json:"scope"`
+	Roles []byte `json:"roles"`
+}
+
+func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRolesGroupedWithPermissionsRow, error) {
+	rows, err := q.db.Query(ctx, getRolesGroupedWithPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetRolesGroupedWithPermissionsRow
+	for rows.Next() {
+		var i GetRolesGroupedWithPermissionsRow
+		if err := rows.Scan(&i.Scope, &i.Roles); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}

internal/user/permissions.go

@@ -0,0 +1,212 @@
+package user
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"gitea.local/admin/hspguard/internal/repository"
+)
+
+func String(s string) *string {
+	return &s
+}
+
+type RolePermissions struct {
+	Permissions []string `json:"permissions"`
+	repository.Role
+}
+
+var (
+	SYSTEM_SCOPE       string                  = "system"
+	SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
+		{
+			Name:        "log_into_guard",
+			Description: String("Allow users to log into their accounts"),
+		},
+		{
+			Name:        "register",
+			Description: String("Allow users to register new accounts"),
+		},
+		{
+			Name:        "edit_profile",
+			Description: String("Allow users to edit their profiles"),
+		},
+		{
+			Name:        "recover_credentials",
+			Description: String("Allow users to recover their password/email"),
+		},
+		{
+			Name:        "verify_profile",
+			Description: String("Allow users to verify their accounts"),
+		},
+		{
+			Name:        "access_home_services",
+			Description: String("Allow users to access home services and tools"),
+		},
+		{
+			Name:        "view_sessions",
+			Description: String("Allow users to view their active sessions"),
+		},
+		{
+			Name:        "revoke_sessions",
+			Description: String("Allow users to revoke their active sessions"),
+		},
+		{
+			Name:        "view_api_services",
+			Description: String("Allow users to view API Services (for admin)"),
+		},
+		{
+			Name:        "add_api_services",
+			Description: String("Allow users to register new API Services (for admin)"),
+		},
+		{
+			Name:        "edit_api_services",
+			Description: String("Allow users to edit API Services (for admin)"),
+		},
+		{
+			Name:        "remove_api_services",
+			Description: String("Allow users to remove API Services (for admin)"),
+		},
+		{
+			Name:        "view_users",
+			Description: String("Allow users to view other users (for admin)"),
+		},
+		{
+			Name:        "add_users",
+			Description: String("Allow users to create new users (for admin)"),
+		},
+		// TODO: block, delete users
+		{
+			Name:        "view_user_sessions",
+			Description: String("Allow users to view user sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_user_sessions",
+			Description: String("Allow users to revoke user sessions (for admin)"),
+		},
+		{
+			Name:        "view_service_sessions",
+			Description: String("Allow users to view service sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_service_sessions",
+			Description: String("Allow users to revoke service sessions (for admin)"),
+		},
+		{
+			Name:        "view_permissions",
+			Description: String("Allow users to view all permissions (for admin)"),
+		},
+		{
+			Name:        "view_roles_groups",
+			Description: String("Allow users to view roles & groups (for admin)"),
+		},
+	}
+	SYSTEM_ROLES []RolePermissions = []RolePermissions{
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+				"system_view_api_services",
+				"system_add_api_services",
+				"system_edit_api_services",
+				"system_remove_api_services",
+				"system_view_users",
+				"system_add_users",
+				"system_view_user_sessions",
+				"system_revoke_user_sessions",
+				"system_view_service_sessions",
+				"system_revoke_service_sessions",
+				"system_view_permissions",
+				"system_view_roles_groups",
+			},
+			Role: repository.Role{
+				Name:        "admin",
+				Description: String("User with full power"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+			},
+			Role: repository.Role{
+				Name:        "family_member",
+				Description: String("User that is able to use home services"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+			},
+			Role: repository.Role{
+				Name:        "guest",
+				Description: String("New user that needs approve for everything from admin"),
+			},
+		},
+	}
+)
+
+func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
+	for _, permission := range SYSTEM_PERMISSIONS {
+		_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
+			Name:  permission.Name,
+			Scope: SYSTEM_SCOPE,
+		})
+		if err != nil {
+			log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
+			_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
+				Name:        permission.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: permission.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
+			}
+		}
+	}
+
+	for _, role := range SYSTEM_ROLES {
+		found, err := repo.FindRole(ctx, repository.FindRoleParams{
+			Scope: SYSTEM_SCOPE,
+			Name:  role.Name,
+		})
+		if err != nil {
+			log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
+			found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
+				Name:        role.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: role.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
+			}
+		}
+
+		var mappedPerms []string
+
+		for _, perm := range role.Permissions {
+			mappedPerms = append(mappedPerms, fmt.Sprintf("%s_%s", SYSTEM_SCOPE, perm))
+		}
+
+		if err := repo.AddPermissionsToRoleByKey(ctx, repository.AddPermissionsToRoleByKeyParams{
+			RoleID:         found.ID,
+			PermissionKeys: mappedPerms,
+		}); err != nil {
+			log.Fatalf("ERR: Failed to assign required permissions to SYSTEM role %s: %v\n", found.Name, err)
+		}
+	}
+}

migrations/00013_add_group_role_permission.sql

@@ -0,0 +1,91 @@
+-- +goose Up
+-- +goose StatementBegin
+-- GROUPS
+CREATE TABLE groups (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL UNIQUE,
+    description TEXT
+);
+
+-- ROLES
+CREATE TABLE roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL,
+    scope TEXT NOT NULL,
+    description TEXT,
+    UNIQUE (name, scope)
+);
+
+-- PERMISSIONS
+CREATE TABLE permissions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL,
+    scope TEXT NOT NULL,
+    description TEXT,
+    UNIQUE (name, scope)
+);
+
+-- USER-GROUPS (many-to-many)
+CREATE TABLE user_groups (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, group_id)
+);
+
+-- GROUP-ROLES (many-to-many)
+CREATE TABLE group_roles (
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    PRIMARY KEY (group_id, role_id)
+);
+
+-- ROLE-PERMISSIONS (many-to-many)
+CREATE TABLE role_permissions (
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (role_id, permission_id)
+);
+
+-- USER-ROLES (direct assignment, optional)
+CREATE TABLE user_roles (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, role_id)
+);
+
+-- USER-PERMISSIONS (direct assignment, optional)
+CREATE TABLE user_permissions (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, permission_id)
+);
+
+-- GROUP-PERMISSIONS (direct on group, optional)
+CREATE TABLE group_permissions (
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (group_id, permission_id)
+);
+
+-- +goose StatementEnd
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS group_permissions;
+
+DROP TABLE IF EXISTS user_permissions;
+
+DROP TABLE IF EXISTS user_roles;
+
+DROP TABLE IF EXISTS role_permissions;
+
+DROP TABLE IF EXISTS group_roles;
+
+DROP TABLE IF EXISTS user_groups;
+
+DROP TABLE IF EXISTS permissions;
+
+DROP TABLE IF EXISTS roles;
+
+DROP TABLE IF EXISTS groups;
+
+-- +goose StatementEnd

queries/permissions.sql

@@ -0,0 +1,48 @@
+
+-- name: GetAllPermissions :many
+SELECT *
+FROM permissions p
+ORDER BY p.scope;
+
+-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope;
+
+-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING *;
+
+-- name: FindPermission :one
+SELECT * FROM permissions
+WHERE name = $1 AND scope = $2;
+
+-- name: GetUserPermissions :many
+SELECT DISTINCT p.id,p.name,p.scope,p.description
+FROM permissions p
+-- From roles assigned directly to the user
+LEFT JOIN role_permissions rp_user
+    ON p.id = rp_user.permission_id
+LEFT JOIN user_roles ur
+    ON rp_user.role_id = ur.role_id AND ur.user_id = $1
+-- From roles assigned to user's groups
+LEFT JOIN user_groups ug
+    ON ug.user_id = $1
+LEFT JOIN group_roles gr
+    ON ug.group_id = gr.group_id
+LEFT JOIN role_permissions rp_group
+    ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
+-- Direct permissions to user
+LEFT JOIN user_permissions up
+    ON up.user_id = $1 AND up.permission_id = p.id
+-- Direct permissions to user's groups
+LEFT JOIN group_permissions gp
+    ON gp.group_id = ug.group_id AND gp.permission_id = p.id
+WHERE ur.user_id IS NOT NULL
+   OR gr.group_id IS NOT NULL
+   OR up.user_id IS NOT NULL
+   OR gp.group_id IS NOT NULL
+ORDER BY p.scope;

queries/roles.sql

@@ -0,0 +1,65 @@
+-- name: FindRole :one
+SELECT *
+FROM roles
+WHERE scope = $1 AND name = $2;
+
+-- name: GetRolesGroupedWithPermissions :many
+SELECT
+    r.scope,
+    json_agg (
+        json_build_object (
+            'id',
+            r.id,
+            'name',
+            r.name,
+            'description',
+            r.description,
+            'permissions',
+            COALESCE(p_list.permissions, '[]')
+        )
+        ORDER BY
+            r.name
+    ) AS roles
+FROM
+    roles r
+    LEFT JOIN (
+        SELECT
+            rp.role_id,
+            json_agg (
+                json_build_object (
+                    'id',
+                    p.id,
+                    'name',
+                    p.name,
+                    'scope',
+                    p.scope,
+                    'description',
+                    p.description
+                )
+                ORDER BY
+                    p.name
+            ) AS permissions
+        FROM
+            role_permissions rp
+            JOIN permissions p ON p.id = rp.permission_id
+        GROUP BY
+            rp.role_id
+    ) p_list ON p_list.role_id = r.id
+GROUP BY
+    r.scope;
+
+-- name: CreateRole :one
+INSERT INTO roles (name, scope, description)
+VALUES ($1, $2, $3)
+RETURNING *;
+
+-- name: AddPermissionsToRoleByKey :exec
+INSERT INTO role_permissions (role_id, permission_id)
+SELECT
+  sqlc.arg(role_id),
+  p.id
+FROM
+  permissions p
+JOIN
+  unnest(sqlc.arg(permission_keys)::text[]) AS key_str
+    ON key_str = p.scope || '_' || p.name;

web/src/App.tsx

@@ -27,6 +27,8 @@ import VerifyAvatarPage from "./pages/Verify/Avatar";
 import VerifyReviewPage from "./pages/Verify/Review";
 import AdminUserSessionsPage from "./pages/Admin/UserSessions";
 import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
+import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
+import AdminRolesGroupsPage from "./pages/Admin/RolesGroups";
 
 const router = createBrowserRouter([
   {
@@ -93,6 +95,16 @@ const router = createBrowserRouter([
                   { index: true, element: <AdminServiceSessionsPage /> },
                 ],
               },
+              {
+                path: "app-permissions",
+                children: [
+                  { index: true, element: <AdminAppPermissionsPage /> },
+                ],
+              },
+              {
+                path: "roles-groups",
+                children: [{ index: true, element: <AdminRolesGroupsPage /> }],
+              },
             ],
           },
         ],

web/src/api/admin/permissions.ts

@@ -0,0 +1,34 @@
+import type { AppPermission } from "@/types";
+import { axios, handleApiError } from "..";
+
+export type FetchPermissionsResponse = AppPermission[];
+
+export const getUserPermissionsApi = async (
+  userId: string,
+): Promise<FetchPermissionsResponse> => {
+  const response = await axios.get<FetchPermissionsResponse>(
+    `/api/v1/admin/permissions/${userId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};
+
+export type FetchGroupedPermissionsResponse = {
+  scope: string;
+  permissions: AppPermission[];
+}[];
+
+export const getPermissionsApi =
+  async (): Promise<FetchGroupedPermissionsResponse> => {
+    const response = await axios.get<FetchGroupedPermissionsResponse>(
+      "/api/v1/admin/permissions",
+    );
+
+    if (response.status !== 200 && response.status !== 201)
+      throw await handleApiError(response);
+
+    return response.data;
+  };

web/src/api/admin/roles.ts

@@ -0,0 +1,20 @@
+import type { AppPermission, AppRole } from "@/types";
+import { axios, handleApiError } from "..";
+
+export type FetchGroupedRolesResponse = {
+  scope: string;
+  roles: (AppRole & {
+    permissions: AppPermission[];
+  })[];
+}[];
+
+export const getRolesApi = async (): Promise<FetchGroupedRolesResponse> => {
+  const response = await axios.get<FetchGroupedRolesResponse>(
+    "/api/v1/admin/roles",
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};

web/src/hooks/barItems.tsx

@@ -1,5 +1,14 @@
 import { useAuth } from "@/store/auth";
-import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
+import {
+  Blocks,
+  ContactRound,
+  EarthLock,
+  Home,
+  KeyRound,
+  User,
+  UserLock,
+  Users,
+} from "lucide-react";
 import { useCallback, type ReactNode } from "react";
 import { useLocation } from "react-router";
 
@@ -93,6 +102,18 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
               tab: "admin.service-sessions",
               pathname: "/admin/service-sessions",
             },
+            {
+              icon: <KeyRound />,
+              title: "App Permissions",
+              tab: "admin.app-permissions",
+              pathname: "/admin/app-permissions",
+            },
+            {
+              icon: <ContactRound />,
+              title: "Roles & Groups",
+              tab: "admin.roles-groups",
+              pathname: "/admin/roles-groups",
+            },
           ]
         : []),
     ],

web/src/pages/Admin/AppPermissions/index.tsx

@@ -0,0 +1,130 @@
+import { useEffect, type FC } from "react";
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { usePermissions } from "@/store/admin/permissions";
+
+interface DisplayPermission {
+  name: string;
+  description: string;
+}
+
+interface IPermissionGroupProps {
+  scope: string;
+  permissions?: DisplayPermission[] | null | undefined;
+  generatedPermissions?: DisplayPermission[] | null | undefined;
+}
+
+const PermissionGroup: FC<IPermissionGroupProps> = ({
+  scope,
+  permissions,
+  generatedPermissions,
+}) => {
+  return (
+    <div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
+      <h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
+        {scope}
+      </h2>
+
+      {(generatedPermissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
+
+          <ol
+            className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
+          >
+            {generatedPermissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+
+      {(permissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
+
+          <ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
+            {permissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+    </div>
+  );
+};
+
+const AdminAppPermissionsPage: FC = () => {
+  const permissions = usePermissions((s) => s.permissions);
+  const fetch = usePermissions((s) => s.fetch);
+
+  useEffect(() => {
+    fetch();
+  }, [fetch]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "App Permissions",
+            },
+          ]}
+        />
+      </div>
+      <div className="px-7">
+        {Object.keys(permissions).map((scope) => (
+          <PermissionGroup
+            scope={scope.toUpperCase()}
+            generatedPermissions={permissions[scope].map((p) => ({
+              name: p.name
+                .split("_")
+                .map((s) => s[0].toUpperCase() + s.slice(1))
+                .join(" "),
+              description: p.description,
+            }))}
+          />
+        ))}
+        {/* <PermissionGroup
+          scope="Open Chat"
+          generatedPermissions={["Access Open Chat"].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+          permissions={[
+            "Receive Messages",
+            "Send Messages",
+            "View Status",
+            "Post Status",
+            "Use Ghost Mode",
+            "Send Large Media",
+          ].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+        /> */}
+      </div>
+    </div>
+  );
+};
+
+export default AdminAppPermissionsPage;

web/src/pages/Admin/RolesGroups/index.tsx

@@ -0,0 +1,66 @@
+import { useEffect, type FC } from "react";
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { getRolesApi } from "@/api/admin/roles";
+
+interface DisplayRole {
+  name: string;
+  description: string;
+}
+
+interface IPermissionGroupProps {
+  scope: string;
+  roles?: DisplayRole[] | null | undefined;
+}
+
+const RolesGroup: FC<IPermissionGroupProps> = ({ scope, roles }) => {
+  return (
+    <div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
+      <h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
+        {scope}
+      </h2>
+
+      {(roles?.length ?? 0) > 0 && (
+        <ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
+          {roles!.map(({ name, description }) => (
+            <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+              <div className="flex flex-col gap-1">
+                <label>{name}</label>
+                <p className="text-xs text-gray-400 dark:text-gray-500">
+                  {description}
+                </p>
+              </div>
+            </li>
+          ))}
+        </ol>
+      )}
+    </div>
+  );
+};
+
+const AdminRolesGroupsPage: FC = () => {
+  useEffect(() => {
+    getRolesApi().then((res) => console.log("roles:", res));
+  }, []);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "Roles & Groups",
+            },
+          ]}
+        />
+      </div>
+      <div className="px-7"></div>
+    </div>
+  );
+};
+
+export default AdminRolesGroupsPage;

web/src/pages/Admin/Users/View/index.tsx

@@ -25,6 +25,7 @@ const InfoCard = ({
 const AdminViewUserPage: FC = () => {
   const { userId } = useParams();
   const user = useUsers((state) => state.current);
+  const userPermissions = useUsers((s) => s.userPermissions);
   // const loading = useApiServices((state) => state.fetchingApiService);
 
   const loadUser = useUsers((state) => state.fetchUser);
@@ -117,6 +118,10 @@ const AdminViewUserPage: FC = () => {
           </div>
         </InfoCard>
 
+        <InfoCard title="Roles & Permissions">
+          <pre>{JSON.stringify(userPermissions, null, 2)}</pre>
+        </InfoCard>
+
         {/* 🚀 Actions */}
         <div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
           <Link to="/admin/users">

web/src/pages/Authorize/index.tsx

@@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
                 <div className="text-gray-400 dark:text-gray-600">
                   <ArrowLeftRight />
                 </div>
-                <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
-                  {/* <img
+                {/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
+                {/* <img
                     src="https://lucide.dev/logo.dark.svg"
                     className="w-8 h-8"
                   /> */}
-                  {apiService?.icon_url ? (
-                    <img
-                      src={apiService.icon_url}
-                      className="w-full h-full"
-                      alt="service_icon"
-                    />
-                  ) : (
-                    <LayoutDashboard size={32} color="#fefefe" />
-                  )}
-                </div>
+                {apiService?.icon_url ? (
+                  <img
+                    src={apiService.icon_url}
+                    className="w-12 h-12"
+                    alt="service_icon"
+                  />
+                ) : (
+                  <LayoutDashboard size={32} color="#fefefe" />
+                )}
+                {/* </div> */}
               </div>
 
               <div className="px-4 sm:mt-4 mt-8">

web/src/store/admin/permissions.ts

@@ -0,0 +1,32 @@
+import { getPermissionsApi } from "@/api/admin/permissions";
+import type { AppPermission } from "@/types";
+import { create } from "zustand";
+
+export interface IAdminPermissionsState {
+  permissions: Record<string, AppPermission[]>;
+  fetching: boolean;
+
+  fetch: () => Promise<void>;
+}
+
+export const usePermissions = create<IAdminPermissionsState>((set) => ({
+  permissions: {},
+  fetching: false,
+
+  fetch: async () => {
+    set({ fetching: true });
+
+    try {
+      const response = await getPermissionsApi();
+      set({
+        permissions: Object.fromEntries(
+          response.map(({ scope, permissions }) => [scope, permissions]),
+        ),
+      });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin permissions:", err);
+    } finally {
+      set({ fetching: false });
+    }
+  },
+}));

web/src/store/admin/users.ts

@@ -1,10 +1,11 @@
+import { getUserPermissionsApi } from "@/api/admin/permissions";
 import {
   adminGetUserApi,
   adminGetUsersApi,
   postUser,
   type CreateUserRequest,
 } from "@/api/admin/users";
-import type { UserProfile } from "@/types";
+import type { AppPermission, UserProfile } from "@/types";
 import { create } from "zustand";
 
 export interface IUsersState {
@@ -14,14 +15,18 @@ export interface IUsersState {
   current: UserProfile | null;
   fetchingCurrent: boolean;
 
+  userPermissions: AppPermission[];
+  fetchingPermissions: boolean;
+
   creating: boolean;
   createUser: (req: CreateUserRequest) => Promise<boolean>;
 
   fetchUsers: () => Promise<void>;
   fetchUser: (id: string) => Promise<void>;
+  fetchUserPermissions: () => Promise<void>;
 }
 
-export const useUsers = create<IUsersState>((set) => ({
+export const useUsers = create<IUsersState>((set, get) => ({
   users: [],
   fetching: false,
 
@@ -30,6 +35,9 @@ export const useUsers = create<IUsersState>((set) => ({
   current: null,
   fetchingCurrent: false,
 
+  userPermissions: [],
+  fetchingPermissions: false,
+
   createUser: async (req: CreateUserRequest) => {
     set({ creating: true });
 
@@ -70,4 +78,23 @@ export const useUsers = create<IUsersState>((set) => ({
       set({ fetchingCurrent: false });
     }
   },
+
+  fetchUserPermissions: async () => {
+    const user = get().current;
+    if (!user) {
+      console.warn("Trying to fetch user permissions without selected user");
+      return;
+    }
+
+    set({ fetchingPermissions: true });
+
+    try {
+      const response = await getUserPermissionsApi(user.id);
+      set({ userPermissions: response });
+    } catch (err) {
+      console.log("ERR: Failed to fetch single user for admin:", err);
+    } finally {
+      set({ fetchingPermissions: false });
+    }
+  },
 }));

web/src/types/index.ts

@@ -78,3 +78,17 @@ export interface DeviceInfo {
   browser: string;
   browser_version: string;
 }
+
+export interface AppPermission {
+  id: string;
+  name: string;
+  scope: string;
+  description: string;
+}
+
+export interface AppRole {
+  id: string;
+  name: string;
+  scope: string;
+  description: string;
+}