Role-Based Access Control (RBAC)
BarakoCMS v2.0 introduces an advanced RBAC system with granular permissions and dynamic conditions.
Concepts
- Roles: Collections of permissions (e.g., "Editor", "HR Manager").
- UserGroups: Organized groups of users (e.g., "Marketing Team").
- Permissions: Granular control (
Create,Read,Update,Delete) per Content Type. - System Capabilities: Global flags for non-content actions (e.g.,
view_analytics).
Authentication
All management APIs require a Bearer Token.
1. Obtain Token
POST /api/auth/login
json
{
"username": "admin",
"password": "yourpassword"
}Response:
json
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expiry": "2025-12-17T12:00:00Z"
}2. Authorization Header
Include the token in all subsequent requests: Authorization: Bearer <TOKEN>
IMPORTANT
Token Validation: The API enforces strict validation of Issuer and Audience. Ensure your environment variables (JWT:Issuer, JWT:Audience) match properly in production configuration to avoid 401 Unauthorized errors.
3. Claims
The token generated by /api/auth/login includes standard claims:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: (e.g.Admin,Editor,User)UserId: Internal GUIDUsername: Login name
System-level endpoints (like Schema Management) verify the Role Claim directly.
API Endpoints
Role Management
bash
POST /api/roles # Create role
GET /api/roles # List roles
GET /api/roles/{id} # Get role
PUT /api/roles/{id} # Update role
DELETE /api/roles/{id} # Delete roleUserGroup Management
bash
POST /api/user-groups # Create group
GET /api/user-groups # List groups
GET /api/user-groups/{id} # Get group
PUT /api/user-groups/{id} # Update group
DELETE /api/user-groups/{id} # Delete group
POST /api/user-groups/{id}/users # Add user to group
DELETE /api/user-groups/{id}/users/{userId} # Remove userExample: Creating a Restricted Role
This example creates a "Content Editor" role that can only edit their own articles.
bash
POST /api/roles
Authorization: Bearer {ADMIN_TOKEN}
{
"name": "Content Editor",
"description": "Can edit own articles",
"permissions": [{
"contentTypeSlug": "article",
"create": { "enabled": true },
"read": { "enabled": true },
"update": {
"enabled": true,
"conditions": { "author": { "_eq": "$CURRENT_USER" } } // Condition!
},
"delete": { "enabled": false }
}]
}