feat: roles API + type def

LICENSE

@@ -1,373 +0,0 @@
-Mozilla Public License Version 2.0
-==================================
-
-1. Definitions
---------------
-
-1.1. "Contributor"
-    means each individual or legal entity that creates, contributes to
-    the creation of, or owns Covered Software.
-
-1.2. "Contributor Version"
-    means the combination of the Contributions of others (if any) used
-    by a Contributor and that particular Contributor's Contribution.
-
-1.3. "Contribution"
-    means Covered Software of a particular Contributor.
-
-1.4. "Covered Software"
-    means Source Code Form to which the initial Contributor has attached
-    the notice in Exhibit A, the Executable Form of such Source Code
-    Form, and Modifications of such Source Code Form, in each case
-    including portions thereof.
-
-1.5. "Incompatible With Secondary Licenses"
-    means
-
-    (a) that the initial Contributor has attached the notice described
-        in Exhibit B to the Covered Software; or
-
-    (b) that the Covered Software was made available under the terms of
-        version 1.1 or earlier of the License, but not also under the
-        terms of a Secondary License.
-
-1.6. "Executable Form"
-    means any form of the work other than Source Code Form.
-
-1.7. "Larger Work"
-    means a work that combines Covered Software with other material, in
-    a separate file or files, that is not Covered Software.
-
-1.8. "License"
-    means this document.
-
-1.9. "Licensable"
-    means having the right to grant, to the maximum extent possible,
-    whether at the time of the initial grant or subsequently, any and
-    all of the rights conveyed by this License.
-
-1.10. "Modifications"
-    means any of the following:
-
-    (a) any file in Source Code Form that results from an addition to,
-        deletion from, or modification of the contents of Covered
-        Software; or
-
-    (b) any new file in Source Code Form that contains any Covered
-        Software.
-
-1.11. "Patent Claims" of a Contributor
-    means any patent claim(s), including without limitation, method,
-    process, and apparatus claims, in any patent Licensable by such
-    Contributor that would be infringed, but for the grant of the
-    License, by the making, using, selling, offering for sale, having
-    made, import, or transfer of either its Contributions or its
-    Contributor Version.
-
-1.12. "Secondary License"
-    means either the GNU General Public License, Version 2.0, the GNU
-    Lesser General Public License, Version 2.1, the GNU Affero General
-    Public License, Version 3.0, or any later versions of those
-    licenses.
-
-1.13. "Source Code Form"
-    means the form of the work preferred for making modifications.
-
-1.14. "You" (or "Your")
-    means an individual or a legal entity exercising rights under this
-    License. For legal entities, "You" includes any entity that
-    controls, is controlled by, or is under common control with You. For
-    purposes of this definition, "control" means (a) the power, direct
-    or indirect, to cause the direction or management of such entity,
-    whether by contract or otherwise, or (b) ownership of more than
-    fifty percent (50%) of the outstanding shares or beneficial
-    ownership of such entity.
-
-2. License Grants and Conditions
---------------------------------
-
-2.1. Grants
-
-Each Contributor hereby grants You a world-wide, royalty-free,
-non-exclusive license:
-
-(a) under intellectual property rights (other than patent or trademark)
-    Licensable by such Contributor to use, reproduce, make available,
-    modify, display, perform, distribute, and otherwise exploit its
-    Contributions, either on an unmodified basis, with Modifications, or
-    as part of a Larger Work; and
-
-(b) under Patent Claims of such Contributor to make, use, sell, offer
-    for sale, have made, import, and otherwise transfer either its
-    Contributions or its Contributor Version.
-
-2.2. Effective Date
-
-The licenses granted in Section 2.1 with respect to any Contribution
-become effective for each Contribution on the date the Contributor first
-distributes such Contribution.
-
-2.3. Limitations on Grant Scope
-
-The licenses granted in this Section 2 are the only rights granted under
-this License. No additional rights or licenses will be implied from the
-distribution or licensing of Covered Software under this License.
-Notwithstanding Section 2.1(b) above, no patent license is granted by a
-Contributor:
-
-(a) for any code that a Contributor has removed from Covered Software;
-    or
-
-(b) for infringements caused by: (i) Your and any other third party's
-    modifications of Covered Software, or (ii) the combination of its
-    Contributions with other software (except as part of its Contributor
-    Version); or
-
-(c) under Patent Claims infringed by Covered Software in the absence of
-    its Contributions.
-
-This License does not grant any rights in the trademarks, service marks,
-or logos of any Contributor (except as may be necessary to comply with
-the notice requirements in Section 3.4).
-
-2.4. Subsequent Licenses
-
-No Contributor makes additional grants as a result of Your choice to
-distribute the Covered Software under a subsequent version of this
-License (see Section 10.2) or under the terms of a Secondary License (if
-permitted under the terms of Section 3.3).
-
-2.5. Representation
-
-Each Contributor represents that the Contributor believes its
-Contributions are its original creation(s) or it has sufficient rights
-to grant the rights to its Contributions conveyed by this License.
-
-2.6. Fair Use
-
-This License is not intended to limit any rights You have under
-applicable copyright doctrines of fair use, fair dealing, or other
-equivalents.
-
-2.7. Conditions
-
-Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
-in Section 2.1.
-
-3. Responsibilities
--------------------
-
-3.1. Distribution of Source Form
-
-All distribution of Covered Software in Source Code Form, including any
-Modifications that You create or to which You contribute, must be under
-the terms of this License. You must inform recipients that the Source
-Code Form of the Covered Software is governed by the terms of this
-License, and how they can obtain a copy of this License. You may not
-attempt to alter or restrict the recipients' rights in the Source Code
-Form.
-
-3.2. Distribution of Executable Form
-
-If You distribute Covered Software in Executable Form then:
-
-(a) such Covered Software must also be made available in Source Code
-    Form, as described in Section 3.1, and You must inform recipients of
-    the Executable Form how they can obtain a copy of such Source Code
-    Form by reasonable means in a timely manner, at a charge no more
-    than the cost of distribution to the recipient; and
-
-(b) You may distribute such Executable Form under the terms of this
-    License, or sublicense it under different terms, provided that the
-    license for the Executable Form does not attempt to limit or alter
-    the recipients' rights in the Source Code Form under this License.
-
-3.3. Distribution of a Larger Work
-
-You may create and distribute a Larger Work under terms of Your choice,
-provided that You also comply with the requirements of this License for
-the Covered Software. If the Larger Work is a combination of Covered
-Software with a work governed by one or more Secondary Licenses, and the
-Covered Software is not Incompatible With Secondary Licenses, this
-License permits You to additionally distribute such Covered Software
-under the terms of such Secondary License(s), so that the recipient of
-the Larger Work may, at their option, further distribute the Covered
-Software under the terms of either this License or such Secondary
-License(s).
-
-3.4. Notices
-
-You may not remove or alter the substance of any license notices
-(including copyright notices, patent notices, disclaimers of warranty,
-or limitations of liability) contained within the Source Code Form of
-the Covered Software, except that You may alter any license notices to
-the extent required to remedy known factual inaccuracies.
-
-3.5. Application of Additional Terms
-
-You may choose to offer, and to charge a fee for, warranty, support,
-indemnity or liability obligations to one or more recipients of Covered
-Software. However, You may do so only on Your own behalf, and not on
-behalf of any Contributor. You must make it absolutely clear that any
-such warranty, support, indemnity, or liability obligation is offered by
-You alone, and You hereby agree to indemnify every Contributor for any
-liability incurred by such Contributor as a result of warranty, support,
-indemnity or liability terms You offer. You may include additional
-disclaimers of warranty and limitations of liability specific to any
-jurisdiction.
-
-4. Inability to Comply Due to Statute or Regulation
----------------------------------------------------
-
-If it is impossible for You to comply with any of the terms of this
-License with respect to some or all of the Covered Software due to
-statute, judicial order, or regulation then You must: (a) comply with
-the terms of this License to the maximum extent possible; and (b)
-describe the limitations and the code they affect. Such description must
-be placed in a text file included with all distributions of the Covered
-Software under this License. Except to the extent prohibited by statute
-or regulation, such description must be sufficiently detailed for a
-recipient of ordinary skill to be able to understand it.
-
-5. Termination
---------------
-
-5.1. The rights granted under this License will terminate automatically
-if You fail to comply with any of its terms. However, if You become
-compliant, then the rights granted under this License from a particular
-Contributor are reinstated (a) provisionally, unless and until such
-Contributor explicitly and finally terminates Your grants, and (b) on an
-ongoing basis, if such Contributor fails to notify You of the
-non-compliance by some reasonable means prior to 60 days after You have
-come back into compliance. Moreover, Your grants from a particular
-Contributor are reinstated on an ongoing basis if such Contributor
-notifies You of the non-compliance by some reasonable means, this is the
-first time You have received notice of non-compliance with this License
-from such Contributor, and You become compliant prior to 30 days after
-Your receipt of the notice.
-
-5.2. If You initiate litigation against any entity by asserting a patent
-infringement claim (excluding declaratory judgment actions,
-counter-claims, and cross-claims) alleging that a Contributor Version
-directly or indirectly infringes any patent, then the rights granted to
-You by any and all Contributors for the Covered Software under Section
-2.1 of this License shall terminate.
-
-5.3. In the event of termination under Sections 5.1 or 5.2 above, all
-end user license agreements (excluding distributors and resellers) which
-have been validly granted by You or Your distributors under this License
-prior to termination shall survive termination.
-
-************************************************************************
-*                                                                      *
-*  6. Disclaimer of Warranty                                           *
-*  -------------------------                                           *
-*                                                                      *
-*  Covered Software is provided under this License on an "as is"       *
-*  basis, without warranty of any kind, either expressed, implied, or  *
-*  statutory, including, without limitation, warranties that the       *
-*  Covered Software is free of defects, merchantable, fit for a        *
-*  particular purpose or non-infringing. The entire risk as to the     *
-*  quality and performance of the Covered Software is with You.        *
-*  Should any Covered Software prove defective in any respect, You     *
-*  (not any Contributor) assume the cost of any necessary servicing,   *
-*  repair, or correction. This disclaimer of warranty constitutes an   *
-*  essential part of this License. No use of any Covered Software is   *
-*  authorized under this License except under this disclaimer.         *
-*                                                                      *
-************************************************************************
-
-************************************************************************
-*                                                                      *
-*  7. Limitation of Liability                                          *
-*  --------------------------                                          *
-*                                                                      *
-*  Under no circumstances and under no legal theory, whether tort      *
-*  (including negligence), contract, or otherwise, shall any           *
-*  Contributor, or anyone who distributes Covered Software as          *
-*  permitted above, be liable to You for any direct, indirect,         *
-*  special, incidental, or consequential damages of any character      *
-*  including, without limitation, damages for lost profits, loss of    *
-*  goodwill, work stoppage, computer failure or malfunction, or any    *
-*  and all other commercial damages or losses, even if such party      *
-*  shall have been informed of the possibility of such damages. This   *
-*  limitation of liability shall not apply to liability for death or   *
-*  personal injury resulting from such party's negligence to the       *
-*  extent applicable law prohibits such limitation. Some               *
-*  jurisdictions do not allow the exclusion or limitation of           *
-*  incidental or consequential damages, so this exclusion and          *
-*  limitation may not apply to You.                                    *
-*                                                                      *
-************************************************************************
-
-8. Litigation
--------------
-
-Any litigation relating to this License may be brought only in the
-courts of a jurisdiction where the defendant maintains its principal
-place of business and such litigation shall be governed by laws of that
-jurisdiction, without reference to its conflict-of-law provisions.
-Nothing in this Section shall prevent a party's ability to bring
-cross-claims or counter-claims.
-
-9. Miscellaneous
-----------------
-
-This License represents the complete agreement concerning the subject
-matter hereof. If any provision of this License is held to be
-unenforceable, such provision shall be reformed only to the extent
-necessary to make it enforceable. Any law or regulation which provides
-that the language of a contract shall be construed against the drafter
-shall not be used to construe this License against a Contributor.
-
-10. Versions of the License
----------------------------
-
-10.1. New Versions
-
-Mozilla Foundation is the license steward. Except as provided in Section
-10.3, no one other than the license steward has the right to modify or
-publish new versions of this License. Each version will be given a
-distinguishing version number.
-
-10.2. Effect of New Versions
-
-You may distribute the Covered Software under the terms of the version
-of the License under which You originally received the Covered Software,
-or under the terms of any subsequent version published by the license
-steward.
-
-10.3. Modified Versions
-
-If you create software not governed by this License, and you want to
-create a new license for such software, you may create and use a
-modified version of this License if you rename the license and remove
-any references to the name of the license steward (except to note that
-such modified license differs from this License).
-
-10.4. Distributing Source Code Form that is Incompatible With Secondary
-Licenses
-
-If You choose to distribute Source Code Form that is Incompatible With
-Secondary Licenses under the terms of this version of the License, the
-notice described in Exhibit B of this License must be attached.
-
-Exhibit A - Source Code Form License Notice
--------------------------------------------
-
-  This Source Code Form is subject to the terms of the Mozilla Public
-  License, v. 2.0. If a copy of the MPL was not distributed with this
-  file, You can obtain one at https://mozilla.org/MPL/2.0/.
-
-If it is not possible or desirable to put the notice in a particular
-file, then You may include the notice in a location (such as a LICENSE
-file in a relevant directory) where a recipient would be likely to look
-for such a notice.
-
-You may add additional accurate notices of copyright ownership.
-
-Exhibit B - "Incompatible With Secondary Licenses" Notice
----------------------------------------------------------
-
-  This Source Code Form is "Incompatible With Secondary Licenses", as
-  defined by the Mozilla Public License, v. 2.0.

cmd/hspguard/main.go

@@ -45,6 +45,7 @@ func main() {
 	cache := cache.NewClient(&cfg)
 
 	user.EnsureAdminUser(ctx, &cfg, repo)
+	user.EnsureSystemPermissions(ctx, repo)
 
 	server := api.NewAPIServer(fmt.Sprintf("%s:%s", cfg.Host, cfg.Port), repo, fStorage, cache, &cfg)
 	if err := server.Run(); err != nil {

internal/admin/permissions.go

@@ -0,0 +1,82 @@
+package admin
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+)
+
+func (h *AdminHandler) GetAllPermissions(w http.ResponseWriter, r *http.Request) {
+	rows, err := h.repo.GetGroupedPermissions(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to list permissions from db:", err)
+		web.Error(w, "failed to get all permissions", http.StatusInternalServerError)
+		return
+	}
+
+	type RowDTO struct {
+		Scope       string                  `json:"scope"`
+		Permissions []repository.Permission `json:"permissions"`
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.GetGroupedPermissionsRow, 0)
+	}
+
+	var mapped []RowDTO
+
+	for _, row := range rows {
+		var permissions []repository.Permission
+
+		if err := json.Unmarshal(row.Permissions, &permissions); err != nil {
+			log.Println("ERR: Failed to extract permissions from byte array:", err)
+			web.Error(w, "failed to get permissions", http.StatusInternalServerError)
+			return
+		}
+
+		mapped = append(mapped, RowDTO{
+			Scope:       row.Scope,
+			Permissions: permissions,
+		})
+	}
+
+	if len(mapped) == 0 {
+		mapped = make([]RowDTO, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(mapped); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}
+
+func (h *AdminHandler) GetUserPermissions(w http.ResponseWriter, r *http.Request) {
+	userId := chi.URLParam(r, "user_id")
+
+	permissions, err := h.repo.GetUserPermissions(r.Context(), uuid.MustParse(userId))
+	if err != nil {
+		log.Println("ERR: Failed to list permissions from db:", err)
+		web.Error(w, "failed to get user permissions", http.StatusInternalServerError)
+		return
+	}
+
+	if len(permissions) == 0 {
+		permissions = make([]repository.Permission, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(permissions); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}

internal/admin/roles.go

@@ -0,0 +1,61 @@
+package admin
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"gitea.local/admin/hspguard/internal/web"
+)
+
+func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
+	rows, err := h.repo.GetRolesGroupedWithPermissions(r.Context())
+	if err != nil {
+		log.Println("ERR: Failed to list roles from db:", err)
+		web.Error(w, "failed to get all roles", http.StatusInternalServerError)
+		return
+	}
+
+	type RolePermissions struct {
+		Permissions []repository.Permission `json:"permissions"`
+		repository.Role
+	}
+
+	type RowDTO struct {
+		Scope string            `json:"scope"`
+		Roles []RolePermissions `json:"roles"`
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.GetRolesGroupedWithPermissionsRow, 0)
+	}
+
+	var mapped []RowDTO
+
+	for _, row := range rows {
+		var mappedRow RowDTO
+
+		mappedRow.Scope = row.Scope
+
+		if err := json.Unmarshal(row.Roles, &mappedRow.Roles); err != nil {
+			log.Println("ERR: Failed to extract roles from byte array:", err)
+			web.Error(w, "failed to get roles", http.StatusInternalServerError)
+			return
+		}
+
+		mapped = append(mapped, mappedRow)
+	}
+
+	if len(mapped) == 0 {
+		mapped = make([]RowDTO, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(mapped); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}

internal/admin/routes.go

@@ -41,6 +41,11 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 
 		r.Get("/service-sessions", h.GetServiceSessions)
 		r.Patch("/service-sessions/revoke/{id}", h.RevokeUserSession)
+
+		r.Get("/permissions", h.GetAllPermissions)
+		r.Get("/permissions/{user_id}", h.GetUserPermissions)
+
+		r.Get("/roles", h.GetAllRoles)
 	})
 
 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)

internal/repository/models.go

@@ -25,6 +25,41 @@ type ApiService struct {
 	IconUrl      *string   `json:"icon_url"`
 }
 
+type Group struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Description *string   `json:"description"`
+}
+
+type GroupPermission struct {
+	GroupID      uuid.UUID `json:"group_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
+type GroupRole struct {
+	GroupID uuid.UUID `json:"group_id"`
+	RoleID  uuid.UUID `json:"role_id"`
+}
+
+type Permission struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Scope       string    `json:"scope"`
+	Description *string   `json:"description"`
+}
+
+type Role struct {
+	ID          uuid.UUID `json:"id"`
+	Name        string    `json:"name"`
+	Scope       string    `json:"scope"`
+	Description *string   `json:"description"`
+}
+
+type RolePermission struct {
+	RoleID       uuid.UUID `json:"role_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
 type ServiceSession struct {
 	ID             uuid.UUID  `json:"id"`
 	ServiceID      uuid.UUID  `json:"service_id"`
@@ -60,6 +95,21 @@ type User struct {
 	Verified       bool       `json:"verified"`
 }
 
+type UserGroup struct {
+	UserID  uuid.UUID `json:"user_id"`
+	GroupID uuid.UUID `json:"group_id"`
+}
+
+type UserPermission struct {
+	UserID       uuid.UUID `json:"user_id"`
+	PermissionID uuid.UUID `json:"permission_id"`
+}
+
+type UserRole struct {
+	UserID uuid.UUID `json:"user_id"`
+	RoleID uuid.UUID `json:"role_id"`
+}
+
 type UserSession struct {
 	ID             uuid.UUID  `json:"id"`
 	UserID         uuid.UUID  `json:"user_id"`

internal/repository/permissions.sql.go

@@ -0,0 +1,175 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: permissions.sql
+
+package repository
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const createPermission = `-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING id, name, scope, description
+`
+
+type CreatePermissionParams struct {
+	Name        string  `json:"name"`
+	Scope       string  `json:"scope"`
+	Description *string `json:"description"`
+}
+
+func (q *Queries) CreatePermission(ctx context.Context, arg CreatePermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, createPermission, arg.Name, arg.Scope, arg.Description)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const findPermission = `-- name: FindPermission :one
+SELECT id, name, scope, description FROM permissions
+WHERE name = $1 AND scope = $2
+`
+
+type FindPermissionParams struct {
+	Name  string `json:"name"`
+	Scope string `json:"scope"`
+}
+
+func (q *Queries) FindPermission(ctx context.Context, arg FindPermissionParams) (Permission, error) {
+	row := q.db.QueryRow(ctx, findPermission, arg.Name, arg.Scope)
+	var i Permission
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const getAllPermissions = `-- name: GetAllPermissions :many
+SELECT id, name, scope, description
+FROM permissions p
+ORDER BY p.scope
+`
+
+func (q *Queries) GetAllPermissions(ctx context.Context) ([]Permission, error) {
+	rows, err := q.db.Query(ctx, getAllPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Permission
+	for rows.Next() {
+		var i Permission
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getGroupedPermissions = `-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope
+`
+
+type GetGroupedPermissionsRow struct {
+	Scope       string `json:"scope"`
+	Permissions []byte `json:"permissions"`
+}
+
+func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermissionsRow, error) {
+	rows, err := q.db.Query(ctx, getGroupedPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetGroupedPermissionsRow
+	for rows.Next() {
+		var i GetGroupedPermissionsRow
+		if err := rows.Scan(&i.Scope, &i.Permissions); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getUserPermissions = `-- name: GetUserPermissions :many
+SELECT DISTINCT p.id,p.name,p.scope,p.description
+FROM permissions p
+LEFT JOIN role_permissions rp_user
+    ON p.id = rp_user.permission_id
+LEFT JOIN user_roles ur
+    ON rp_user.role_id = ur.role_id AND ur.user_id = $1
+LEFT JOIN user_groups ug
+    ON ug.user_id = $1
+LEFT JOIN group_roles gr
+    ON ug.group_id = gr.group_id
+LEFT JOIN role_permissions rp_group
+    ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
+LEFT JOIN user_permissions up
+    ON up.user_id = $1 AND up.permission_id = p.id
+LEFT JOIN group_permissions gp
+    ON gp.group_id = ug.group_id AND gp.permission_id = p.id
+WHERE ur.user_id IS NOT NULL
+   OR gr.group_id IS NOT NULL
+   OR up.user_id IS NOT NULL
+   OR gp.group_id IS NOT NULL
+ORDER BY p.scope
+`
+
+// From roles assigned directly to the user
+// From roles assigned to user's groups
+// Direct permissions to user
+// Direct permissions to user's groups
+func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
+	rows, err := q.db.Query(ctx, getUserPermissions, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Permission
+	for rows.Next() {
+		var i Permission
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}

internal/repository/roles.sql.go

@@ -0,0 +1,152 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: roles.sql
+
+package repository
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const addPermissionsToRoleByKey = `-- name: AddPermissionsToRoleByKey :exec
+INSERT INTO role_permissions (role_id, permission_id)
+SELECT
+  $1,
+  p.id
+FROM
+  permissions p
+JOIN
+  unnest($2::text[]) AS key_str
+    ON key_str = p.scope || '_' || p.name
+`
+
+type AddPermissionsToRoleByKeyParams struct {
+	RoleID         uuid.UUID `json:"role_id"`
+	PermissionKeys []string  `json:"permission_keys"`
+}
+
+func (q *Queries) AddPermissionsToRoleByKey(ctx context.Context, arg AddPermissionsToRoleByKeyParams) error {
+	_, err := q.db.Exec(ctx, addPermissionsToRoleByKey, arg.RoleID, arg.PermissionKeys)
+	return err
+}
+
+const createRole = `-- name: CreateRole :one
+INSERT INTO roles (name, scope, description)
+VALUES ($1, $2, $3)
+RETURNING id, name, scope, description
+`
+
+type CreateRoleParams struct {
+	Name        string  `json:"name"`
+	Scope       string  `json:"scope"`
+	Description *string `json:"description"`
+}
+
+func (q *Queries) CreateRole(ctx context.Context, arg CreateRoleParams) (Role, error) {
+	row := q.db.QueryRow(ctx, createRole, arg.Name, arg.Scope, arg.Description)
+	var i Role
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const findRole = `-- name: FindRole :one
+SELECT id, name, scope, description
+FROM roles
+WHERE scope = $1 AND name = $2
+`
+
+type FindRoleParams struct {
+	Scope string `json:"scope"`
+	Name  string `json:"name"`
+}
+
+func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error) {
+	row := q.db.QueryRow(ctx, findRole, arg.Scope, arg.Name)
+	var i Role
+	err := row.Scan(
+		&i.ID,
+		&i.Name,
+		&i.Scope,
+		&i.Description,
+	)
+	return i, err
+}
+
+const getRolesGroupedWithPermissions = `-- name: GetRolesGroupedWithPermissions :many
+SELECT
+    r.scope,
+    json_agg (
+        json_build_object (
+            'id',
+            r.id,
+            'name',
+            r.name,
+            'description',
+            r.description,
+            'permissions',
+            COALESCE(p_list.permissions, '[]')
+        )
+        ORDER BY
+            r.name
+    ) AS roles
+FROM
+    roles r
+    LEFT JOIN (
+        SELECT
+            rp.role_id,
+            json_agg (
+                json_build_object (
+                    'id',
+                    p.id,
+                    'name',
+                    p.name,
+                    'scope',
+                    p.scope,
+                    'description',
+                    p.description
+                )
+                ORDER BY
+                    p.name
+            ) AS permissions
+        FROM
+            role_permissions rp
+            JOIN permissions p ON p.id = rp.permission_id
+        GROUP BY
+            rp.role_id
+    ) p_list ON p_list.role_id = r.id
+GROUP BY
+    r.scope
+`
+
+type GetRolesGroupedWithPermissionsRow struct {
+	Scope string `json:"scope"`
+	Roles []byte `json:"roles"`
+}
+
+func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRolesGroupedWithPermissionsRow, error) {
+	rows, err := q.db.Query(ctx, getRolesGroupedWithPermissions)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetRolesGroupedWithPermissionsRow
+	for rows.Next() {
+		var i GetRolesGroupedWithPermissionsRow
+		if err := rows.Scan(&i.Scope, &i.Roles); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}

internal/user/permissions.go

@@ -0,0 +1,212 @@
+package user
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"gitea.local/admin/hspguard/internal/repository"
+)
+
+func String(s string) *string {
+	return &s
+}
+
+type RolePermissions struct {
+	Permissions []string `json:"permissions"`
+	repository.Role
+}
+
+var (
+	SYSTEM_SCOPE       string                  = "system"
+	SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
+		{
+			Name:        "log_into_guard",
+			Description: String("Allow users to log into their accounts"),
+		},
+		{
+			Name:        "register",
+			Description: String("Allow users to register new accounts"),
+		},
+		{
+			Name:        "edit_profile",
+			Description: String("Allow users to edit their profiles"),
+		},
+		{
+			Name:        "recover_credentials",
+			Description: String("Allow users to recover their password/email"),
+		},
+		{
+			Name:        "verify_profile",
+			Description: String("Allow users to verify their accounts"),
+		},
+		{
+			Name:        "access_home_services",
+			Description: String("Allow users to access home services and tools"),
+		},
+		{
+			Name:        "view_sessions",
+			Description: String("Allow users to view their active sessions"),
+		},
+		{
+			Name:        "revoke_sessions",
+			Description: String("Allow users to revoke their active sessions"),
+		},
+		{
+			Name:        "view_api_services",
+			Description: String("Allow users to view API Services (for admin)"),
+		},
+		{
+			Name:        "add_api_services",
+			Description: String("Allow users to register new API Services (for admin)"),
+		},
+		{
+			Name:        "edit_api_services",
+			Description: String("Allow users to edit API Services (for admin)"),
+		},
+		{
+			Name:        "remove_api_services",
+			Description: String("Allow users to remove API Services (for admin)"),
+		},
+		{
+			Name:        "view_users",
+			Description: String("Allow users to view other users (for admin)"),
+		},
+		{
+			Name:        "add_users",
+			Description: String("Allow users to create new users (for admin)"),
+		},
+		// TODO: block, delete users
+		{
+			Name:        "view_user_sessions",
+			Description: String("Allow users to view user sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_user_sessions",
+			Description: String("Allow users to revoke user sessions (for admin)"),
+		},
+		{
+			Name:        "view_service_sessions",
+			Description: String("Allow users to view service sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_service_sessions",
+			Description: String("Allow users to revoke service sessions (for admin)"),
+		},
+		{
+			Name:        "view_permissions",
+			Description: String("Allow users to view all permissions (for admin)"),
+		},
+		{
+			Name:        "view_roles_groups",
+			Description: String("Allow users to view roles & groups (for admin)"),
+		},
+	}
+	SYSTEM_ROLES []RolePermissions = []RolePermissions{
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+				"system_view_api_services",
+				"system_add_api_services",
+				"system_edit_api_services",
+				"system_remove_api_services",
+				"system_view_users",
+				"system_add_users",
+				"system_view_user_sessions",
+				"system_revoke_user_sessions",
+				"system_view_service_sessions",
+				"system_revoke_service_sessions",
+				"system_view_permissions",
+				"system_view_roles_groups",
+			},
+			Role: repository.Role{
+				Name:        "admin",
+				Description: String("User with full power"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+			},
+			Role: repository.Role{
+				Name:        "family_member",
+				Description: String("User that is able to use home services"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+			},
+			Role: repository.Role{
+				Name:        "guest",
+				Description: String("New user that needs approve for everything from admin"),
+			},
+		},
+	}
+)
+
+func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
+	for _, permission := range SYSTEM_PERMISSIONS {
+		_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
+			Name:  permission.Name,
+			Scope: SYSTEM_SCOPE,
+		})
+		if err != nil {
+			log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
+			_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
+				Name:        permission.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: permission.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
+			}
+		}
+	}
+
+	for _, role := range SYSTEM_ROLES {
+		found, err := repo.FindRole(ctx, repository.FindRoleParams{
+			Scope: SYSTEM_SCOPE,
+			Name:  role.Name,
+		})
+		if err != nil {
+			log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
+			found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
+				Name:        role.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: role.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
+			}
+		}
+
+		var mappedPerms []string
+
+		for _, perm := range role.Permissions {
+			mappedPerms = append(mappedPerms, fmt.Sprintf("%s_%s", SYSTEM_SCOPE, perm))
+		}
+
+		if err := repo.AddPermissionsToRoleByKey(ctx, repository.AddPermissionsToRoleByKeyParams{
+			RoleID:         found.ID,
+			PermissionKeys: mappedPerms,
+		}); err != nil {
+			log.Fatalf("ERR: Failed to assign required permissions to SYSTEM role %s: %v\n", found.Name, err)
+		}
+	}
+}

migrations/00013_add_group_role_permission.sql

@@ -0,0 +1,91 @@
+-- +goose Up
+-- +goose StatementBegin
+-- GROUPS
+CREATE TABLE groups (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL UNIQUE,
+    description TEXT
+);
+
+-- ROLES
+CREATE TABLE roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL,
+    scope TEXT NOT NULL,
+    description TEXT,
+    UNIQUE (name, scope)
+);
+
+-- PERMISSIONS
+CREATE TABLE permissions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid (),
+    name TEXT NOT NULL,
+    scope TEXT NOT NULL,
+    description TEXT,
+    UNIQUE (name, scope)
+);
+
+-- USER-GROUPS (many-to-many)
+CREATE TABLE user_groups (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, group_id)
+);
+
+-- GROUP-ROLES (many-to-many)
+CREATE TABLE group_roles (
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    PRIMARY KEY (group_id, role_id)
+);
+
+-- ROLE-PERMISSIONS (many-to-many)
+CREATE TABLE role_permissions (
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (role_id, permission_id)
+);
+
+-- USER-ROLES (direct assignment, optional)
+CREATE TABLE user_roles (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    role_id UUID REFERENCES roles (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, role_id)
+);
+
+-- USER-PERMISSIONS (direct assignment, optional)
+CREATE TABLE user_permissions (
+    user_id UUID REFERENCES users (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (user_id, permission_id)
+);
+
+-- GROUP-PERMISSIONS (direct on group, optional)
+CREATE TABLE group_permissions (
+    group_id UUID REFERENCES groups (id) ON DELETE CASCADE,
+    permission_id UUID REFERENCES permissions (id) ON DELETE CASCADE,
+    PRIMARY KEY (group_id, permission_id)
+);
+
+-- +goose StatementEnd
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS group_permissions;
+
+DROP TABLE IF EXISTS user_permissions;
+
+DROP TABLE IF EXISTS user_roles;
+
+DROP TABLE IF EXISTS role_permissions;
+
+DROP TABLE IF EXISTS group_roles;
+
+DROP TABLE IF EXISTS user_groups;
+
+DROP TABLE IF EXISTS permissions;
+
+DROP TABLE IF EXISTS roles;
+
+DROP TABLE IF EXISTS groups;
+
+-- +goose StatementEnd

queries/permissions.sql

@@ -0,0 +1,48 @@
+
+-- name: GetAllPermissions :many
+SELECT *
+FROM permissions p
+ORDER BY p.scope;
+
+-- name: GetGroupedPermissions :many
+SELECT scope, json_agg(to_jsonb(permissions.*) ORDER BY name) as permissions
+FROM permissions
+GROUP BY scope;
+
+-- name: CreatePermission :one
+INSERT into permissions (
+    name, scope, description
+) VALUES (
+    $1, $2, $3
+) RETURNING *;
+
+-- name: FindPermission :one
+SELECT * FROM permissions
+WHERE name = $1 AND scope = $2;
+
+-- name: GetUserPermissions :many
+SELECT DISTINCT p.id,p.name,p.scope,p.description
+FROM permissions p
+-- From roles assigned directly to the user
+LEFT JOIN role_permissions rp_user
+    ON p.id = rp_user.permission_id
+LEFT JOIN user_roles ur
+    ON rp_user.role_id = ur.role_id AND ur.user_id = $1
+-- From roles assigned to user's groups
+LEFT JOIN user_groups ug
+    ON ug.user_id = $1
+LEFT JOIN group_roles gr
+    ON ug.group_id = gr.group_id
+LEFT JOIN role_permissions rp_group
+    ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
+-- Direct permissions to user
+LEFT JOIN user_permissions up
+    ON up.user_id = $1 AND up.permission_id = p.id
+-- Direct permissions to user's groups
+LEFT JOIN group_permissions gp
+    ON gp.group_id = ug.group_id AND gp.permission_id = p.id
+WHERE ur.user_id IS NOT NULL
+   OR gr.group_id IS NOT NULL
+   OR up.user_id IS NOT NULL
+   OR gp.group_id IS NOT NULL
+ORDER BY p.scope;

queries/roles.sql

@@ -0,0 +1,65 @@
+-- name: FindRole :one
+SELECT *
+FROM roles
+WHERE scope = $1 AND name = $2;
+
+-- name: GetRolesGroupedWithPermissions :many
+SELECT
+    r.scope,
+    json_agg (
+        json_build_object (
+            'id',
+            r.id,
+            'name',
+            r.name,
+            'description',
+            r.description,
+            'permissions',
+            COALESCE(p_list.permissions, '[]')
+        )
+        ORDER BY
+            r.name
+    ) AS roles
+FROM
+    roles r
+    LEFT JOIN (
+        SELECT
+            rp.role_id,
+            json_agg (
+                json_build_object (
+                    'id',
+                    p.id,
+                    'name',
+                    p.name,
+                    'scope',
+                    p.scope,
+                    'description',
+                    p.description
+                )
+                ORDER BY
+                    p.name
+            ) AS permissions
+        FROM
+            role_permissions rp
+            JOIN permissions p ON p.id = rp.permission_id
+        GROUP BY
+            rp.role_id
+    ) p_list ON p_list.role_id = r.id
+GROUP BY
+    r.scope;
+
+-- name: CreateRole :one
+INSERT INTO roles (name, scope, description)
+VALUES ($1, $2, $3)
+RETURNING *;
+
+-- name: AddPermissionsToRoleByKey :exec
+INSERT INTO role_permissions (role_id, permission_id)
+SELECT
+  sqlc.arg(role_id),
+  p.id
+FROM
+  permissions p
+JOIN
+  unnest(sqlc.arg(permission_keys)::text[]) AS key_str
+    ON key_str = p.scope || '_' || p.name;

web/src/App.tsx

@@ -27,6 +27,8 @@ import VerifyAvatarPage from "./pages/Verify/Avatar";
 import VerifyReviewPage from "./pages/Verify/Review";
 import AdminUserSessionsPage from "./pages/Admin/UserSessions";
 import AdminServiceSessionsPage from "./pages/Admin/ServiceSessions";
+import AdminAppPermissionsPage from "./pages/Admin/AppPermissions";
+import AdminRolesGroupsPage from "./pages/Admin/RolesGroups";
 
 const router = createBrowserRouter([
   {
@@ -93,6 +95,16 @@ const router = createBrowserRouter([
                   { index: true, element: <AdminServiceSessionsPage /> },
                 ],
               },
+              {
+                path: "app-permissions",
+                children: [
+                  { index: true, element: <AdminAppPermissionsPage /> },
+                ],
+              },
+              {
+                path: "roles-groups",
+                children: [{ index: true, element: <AdminRolesGroupsPage /> }],
+              },
             ],
           },
         ],

web/src/api/admin/permissions.ts

@@ -0,0 +1,34 @@
+import type { AppPermission } from "@/types";
+import { axios, handleApiError } from "..";
+
+export type FetchPermissionsResponse = AppPermission[];
+
+export const getUserPermissionsApi = async (
+  userId: string,
+): Promise<FetchPermissionsResponse> => {
+  const response = await axios.get<FetchPermissionsResponse>(
+    `/api/v1/admin/permissions/${userId}`,
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};
+
+export type FetchGroupedPermissionsResponse = {
+  scope: string;
+  permissions: AppPermission[];
+}[];
+
+export const getPermissionsApi =
+  async (): Promise<FetchGroupedPermissionsResponse> => {
+    const response = await axios.get<FetchGroupedPermissionsResponse>(
+      "/api/v1/admin/permissions",
+    );
+
+    if (response.status !== 200 && response.status !== 201)
+      throw await handleApiError(response);
+
+    return response.data;
+  };

web/src/api/admin/roles.ts

@@ -0,0 +1,20 @@
+import type { AppPermission, AppRole } from "@/types";
+import { axios, handleApiError } from "..";
+
+export type FetchGroupedRolesResponse = {
+  scope: string;
+  roles: (AppRole & {
+    permissions: AppPermission[];
+  })[];
+}[];
+
+export const getRolesApi = async (): Promise<FetchGroupedRolesResponse> => {
+  const response = await axios.get<FetchGroupedRolesResponse>(
+    "/api/v1/admin/roles",
+  );
+
+  if (response.status !== 200 && response.status !== 201)
+    throw await handleApiError(response);
+
+  return response.data;
+};

web/src/hooks/barItems.tsx

@@ -1,5 +1,14 @@
 import { useAuth } from "@/store/auth";
-import { Blocks, EarthLock, Home, User, UserLock, Users } from "lucide-react";
+import {
+  Blocks,
+  ContactRound,
+  EarthLock,
+  Home,
+  KeyRound,
+  User,
+  UserLock,
+  Users,
+} from "lucide-react";
 import { useCallback, type ReactNode } from "react";
 import { useLocation } from "react-router";
 
@@ -93,6 +102,18 @@ export const useBarItems = (): [Item[], (item: Item) => boolean] => {
               tab: "admin.service-sessions",
               pathname: "/admin/service-sessions",
             },
+            {
+              icon: <KeyRound />,
+              title: "App Permissions",
+              tab: "admin.app-permissions",
+              pathname: "/admin/app-permissions",
+            },
+            {
+              icon: <ContactRound />,
+              title: "Roles & Groups",
+              tab: "admin.roles-groups",
+              pathname: "/admin/roles-groups",
+            },
           ]
         : []),
     ],

web/src/pages/Admin/AppPermissions/index.tsx

@@ -0,0 +1,130 @@
+import { useEffect, type FC } from "react";
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { usePermissions } from "@/store/admin/permissions";
+
+interface DisplayPermission {
+  name: string;
+  description: string;
+}
+
+interface IPermissionGroupProps {
+  scope: string;
+  permissions?: DisplayPermission[] | null | undefined;
+  generatedPermissions?: DisplayPermission[] | null | undefined;
+}
+
+const PermissionGroup: FC<IPermissionGroupProps> = ({
+  scope,
+  permissions,
+  generatedPermissions,
+}) => {
+  return (
+    <div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
+      <h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
+        {scope}
+      </h2>
+
+      {(generatedPermissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Generated by Guard</p>
+
+          <ol
+            className={`grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium mb-${permissions && permissions.length > 0 ? "6" : "2"}`}
+          >
+            {generatedPermissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+
+      {(permissions?.length ?? 0) > 0 && (
+        <>
+          <p className="text-gray-500 text-sm mt-2 mb-4">Manually Created</p>
+
+          <ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
+            {permissions!.map(({ name, description }) => (
+              <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+                <div className="flex flex-col gap-1">
+                  <label>{name}</label>
+                  <p className="text-xs text-gray-400 dark:text-gray-500">
+                    {description}
+                  </p>
+                </div>
+              </li>
+            ))}
+          </ol>
+        </>
+      )}
+    </div>
+  );
+};
+
+const AdminAppPermissionsPage: FC = () => {
+  const permissions = usePermissions((s) => s.permissions);
+  const fetch = usePermissions((s) => s.fetch);
+
+  useEffect(() => {
+    fetch();
+  }, [fetch]);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "App Permissions",
+            },
+          ]}
+        />
+      </div>
+      <div className="px-7">
+        {Object.keys(permissions).map((scope) => (
+          <PermissionGroup
+            scope={scope.toUpperCase()}
+            generatedPermissions={permissions[scope].map((p) => ({
+              name: p.name
+                .split("_")
+                .map((s) => s[0].toUpperCase() + s.slice(1))
+                .join(" "),
+              description: p.description,
+            }))}
+          />
+        ))}
+        {/* <PermissionGroup
+          scope="Open Chat"
+          generatedPermissions={["Access Open Chat"].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+          permissions={[
+            "Receive Messages",
+            "Send Messages",
+            "View Status",
+            "Post Status",
+            "Use Ghost Mode",
+            "Send Large Media",
+          ].map((name) => ({
+            name,
+            description: `You can ${name.toLowerCase()}`,
+          }))}
+        /> */}
+      </div>
+    </div>
+  );
+};
+
+export default AdminAppPermissionsPage;

web/src/pages/Admin/RolesGroups/index.tsx

@@ -0,0 +1,66 @@
+import { useEffect, type FC } from "react";
+import Breadcrumbs from "@/components/ui/breadcrumbs";
+import { getRolesApi } from "@/api/admin/roles";
+
+interface DisplayRole {
+  name: string;
+  description: string;
+}
+
+interface IPermissionGroupProps {
+  scope: string;
+  roles?: DisplayRole[] | null | undefined;
+}
+
+const RolesGroup: FC<IPermissionGroupProps> = ({ scope, roles }) => {
+  return (
+    <div className="border dark:border-gray-800 border-gray-300 p-4 rounded mb-4">
+      <h2 className="dark:text-gray-300 text-gray-800 text-lg font-semibold">
+        {scope}
+      </h2>
+
+      {(roles?.length ?? 0) > 0 && (
+        <ol className="grid gap-4 gap-y-3 grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 text-gray-800 dark:text-gray-300 font-medium">
+          {roles!.map(({ name, description }) => (
+            <li className="before:w-2 before:h-2 before:block before:translate-y-2 before:bg-gray-400 dark:before:bg-gray-700 before:rounded-xs flex flex-row items-start gap-2">
+              <div className="flex flex-col gap-1">
+                <label>{name}</label>
+                <p className="text-xs text-gray-400 dark:text-gray-500">
+                  {description}
+                </p>
+              </div>
+            </li>
+          ))}
+        </ol>
+      )}
+    </div>
+  );
+};
+
+const AdminRolesGroupsPage: FC = () => {
+  useEffect(() => {
+    getRolesApi().then((res) => console.log("roles:", res));
+  }, []);
+
+  return (
+    <div className="relative flex flex-col items-stretch w-full">
+      <div className="p-4">
+        <Breadcrumbs
+          className="pb-2"
+          items={[
+            {
+              href: "/admin",
+              label: "Admin",
+            },
+            {
+              label: "Roles & Groups",
+            },
+          ]}
+        />
+      </div>
+      <div className="px-7"></div>
+    </div>
+  );
+};
+
+export default AdminRolesGroupsPage;

web/src/pages/Admin/Users/View/index.tsx

@@ -25,6 +25,7 @@ const InfoCard = ({
 const AdminViewUserPage: FC = () => {
   const { userId } = useParams();
   const user = useUsers((state) => state.current);
+  const userPermissions = useUsers((s) => s.userPermissions);
   // const loading = useApiServices((state) => state.fetchingApiService);
 
   const loadUser = useUsers((state) => state.fetchUser);
@@ -117,6 +118,10 @@ const AdminViewUserPage: FC = () => {
           </div>
         </InfoCard>
 
+        <InfoCard title="Roles & Permissions">
+          <pre>{JSON.stringify(userPermissions, null, 2)}</pre>
+        </InfoCard>
+
         {/* 🚀 Actions */}
         <div className="flex flex-wrap gap-4 mt-6 justify-between items-center">
           <Link to="/admin/users">

web/src/pages/Authorize/index.tsx

@@ -76,21 +76,21 @@ const AuthorizePage: FC = () => {
                 <div className="text-gray-400 dark:text-gray-600">
                   <ArrowLeftRight />
                 </div>
-                <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500">
+                {/* <div className="w-12 h-12 rounded-full flex items-center justify-center overflow-hidden bg-gray-900 ring ring-gray-400 dark:ring dark:ring-gray-500"> */}
-                  {/* <img
+                {/* <img
                     src="https://lucide.dev/logo.dark.svg"
                     className="w-8 h-8"
                   /> */}
-                  {apiService?.icon_url ? (
+                {apiService?.icon_url ? (
-                    <img
+                  <img
-                      src={apiService.icon_url}
+                    src={apiService.icon_url}
-                      className="w-full h-full"
+                    className="w-12 h-12"
-                      alt="service_icon"
+                    alt="service_icon"
-                    />
+                  />
-                  ) : (
+                ) : (
-                    <LayoutDashboard size={32} color="#fefefe" />
+                  <LayoutDashboard size={32} color="#fefefe" />
-                  )}
+                )}
-                </div>
+                {/* </div> */}
               </div>
 
               <div className="px-4 sm:mt-4 mt-8">

web/src/store/admin/permissions.ts

@@ -0,0 +1,32 @@
+import { getPermissionsApi } from "@/api/admin/permissions";
+import type { AppPermission } from "@/types";
+import { create } from "zustand";
+
+export interface IAdminPermissionsState {
+  permissions: Record<string, AppPermission[]>;
+  fetching: boolean;
+
+  fetch: () => Promise<void>;
+}
+
+export const usePermissions = create<IAdminPermissionsState>((set) => ({
+  permissions: {},
+  fetching: false,
+
+  fetch: async () => {
+    set({ fetching: true });
+
+    try {
+      const response = await getPermissionsApi();
+      set({
+        permissions: Object.fromEntries(
+          response.map(({ scope, permissions }) => [scope, permissions]),
+        ),
+      });
+    } catch (err) {
+      console.log("ERR: Failed to fetch admin permissions:", err);
+    } finally {
+      set({ fetching: false });
+    }
+  },
+}));

web/src/store/admin/users.ts

@@ -1,10 +1,11 @@
+import { getUserPermissionsApi } from "@/api/admin/permissions";
 import {
   adminGetUserApi,
   adminGetUsersApi,
   postUser,
   type CreateUserRequest,
 } from "@/api/admin/users";
-import type { UserProfile } from "@/types";
+import type { AppPermission, UserProfile } from "@/types";
 import { create } from "zustand";
 
 export interface IUsersState {
@@ -14,14 +15,18 @@ export interface IUsersState {
   current: UserProfile | null;
   fetchingCurrent: boolean;
 
+  userPermissions: AppPermission[];
+  fetchingPermissions: boolean;
+
   creating: boolean;
   createUser: (req: CreateUserRequest) => Promise<boolean>;
 
   fetchUsers: () => Promise<void>;
   fetchUser: (id: string) => Promise<void>;
+  fetchUserPermissions: () => Promise<void>;
 }
 
-export const useUsers = create<IUsersState>((set) => ({
+export const useUsers = create<IUsersState>((set, get) => ({
   users: [],
   fetching: false,
 
@@ -30,6 +35,9 @@ export const useUsers = create<IUsersState>((set) => ({
   current: null,
   fetchingCurrent: false,
 
+  userPermissions: [],
+  fetchingPermissions: false,
+
   createUser: async (req: CreateUserRequest) => {
     set({ creating: true });
 
@@ -70,4 +78,23 @@ export const useUsers = create<IUsersState>((set) => ({
       set({ fetchingCurrent: false });
     }
   },
+
+  fetchUserPermissions: async () => {
+    const user = get().current;
+    if (!user) {
+      console.warn("Trying to fetch user permissions without selected user");
+      return;
+    }
+
+    set({ fetchingPermissions: true });
+
+    try {
+      const response = await getUserPermissionsApi(user.id);
+      set({ userPermissions: response });
+    } catch (err) {
+      console.log("ERR: Failed to fetch single user for admin:", err);
+    } finally {
+      set({ fetchingPermissions: false });
+    }
+  },
 }));

web/src/types/index.ts

@@ -78,3 +78,17 @@ export interface DeviceInfo {
   browser: string;
   browser_version: string;
 }
+
+export interface AppPermission {
+  id: string;
+  name: string;
+  scope: string;
+  description: string;
+}
+
+export interface AppRole {
+  id: string;
+  name: string;
+  scope: string;
+  description: string;
+}