feat: role-based permissions (owner/partner/associate/paralegal/secretary)

Backend: - auth/permissions.go: full permission matrix with RequirePermission/RequireRole middleware, CanEditCase, CanDeleteDocument helpers - auth/context.go: add user role to request context - auth/middleware.go: resolve role alongside tenant in auth flow - auth/tenant_resolver.go: verify membership + resolve role for X-Tenant-ID - handlers/case_assignments.go: CRUD for case-level user assignments - handlers/tenant_handler.go: UpdateMemberRole, GetMe (/api/me) endpoints - handlers/documents.go: permission-based delete (own vs all) - router/router.go: permission-wrapped routes for all endpoints - services/case_assignment_service.go: assign/unassign with tenant validation - services/tenant_service.go: UpdateMemberRole with owner protection - models/case_assignment.go: CaseAssignment model Database: - user_tenants.role: CHECK constraint (owner/partner/associate/paralegal/secretary) - case_assignments table: case_id, user_id, role (lead/team/viewer) - Migrated existing admin->partner, member->associate Frontend: - usePermissions hook: fetches /api/me, provides can() helper - TeamSettings: 5-role dropdown, role change, permission-gated invite - CaseAssignments: new component for case-level team management - Sidebar: conditionally hides AI/Settings based on permissions - Cases page: hides "Neue Akte" button for non-authorized roles - Case detail: new "Mitarbeiter" tab for assignment management
2026-03-30 11:04:57 +02:00
parent 82878dffd5
commit 0a0ec016d8
20 changed files with 1068 additions and 104 deletions
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -36,15 +36,19 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {

 		ctx := ContextWithUserID(r.Context(), userID)

-		// Resolve tenant from user_tenants
-		var tenantID uuid.UUID
-		err = m.db.GetContext(r.Context(), &tenantID,
-			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
+		// Resolve tenant and role from user_tenants
+		var membership struct {
+			TenantID uuid.UUID `db:"tenant_id"`
+			Role     string    `db:"role"`
+		}
+		err = m.db.GetContext(r.Context(), &membership,
+			"SELECT tenant_id, role FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
 		if err != nil {
 			http.Error(w, "no tenant found for user", http.StatusForbidden)
 			return
 		}
-		ctx = ContextWithTenantID(ctx, tenantID)
+		ctx = ContextWithTenantID(ctx, membership.TenantID)
+		ctx = ContextWithUserRole(ctx, membership.Role)

 		next.ServeHTTP(w, r.WithContext(ctx))
 	})