Add RBAC, auth, and enriched admin resource views #1
- Added login and logout functionality with session management.
- Created a new page for user login with error handling.
- Introduced roles and permissions system with CRUD operations.
- Updated router to handle new authentication routes.
- Enhanced existing pages to check user permissions for actions.
- Added tests for new routes and query parameters handling.
- Updated OpenAPI specification to include new endpoints and schemas.
- Created fixtures for roles, permissions, and users for testing.

- Implemented resource ranking and comparison functions for sorting resources in a case-insensitive manner.
- Updated JSON resource sorting to utilize the new comparison logic.
- Added navigation label setting for better user experience in page layout.
- Introduced a new role for authors with specific permissions.
- Modified user fixture to include authors and adjusted author IDs.
- Updated OpenAPI documentation to reflect changes in user and author management.
- Removed unused author fixture file.
- Enhanced CSS styles for navigation and footer elements.
Pull request overview
This PR introduces session-backed authentication and RBAC concepts across the Express API and the COBOL admin UI, and enriches several admin-facing resource views (authors/posts/users) to include derived display data and timestamps.
Changes:
- Added RBAC domain resources (users/roles/permissions) and auth endpoints (login/logout/me) to the API and OpenAPI spec.
- Updated the COBOL admin to support login/logout, permission-aware navigation, and CRUD UI guards.
- Reworked “authors” to be read-only users with an `author` role; enriched post responses with author display names and tag names; added `updatedAt` where applicable.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| server/openapi.json | Adds auth/RBAC endpoints and schemas; updates Author/Post/User shapes and timestamps. |
| server/index.js | Adds in-memory sessions, auth endpoints, user/post “public” views, and new CRUD routes for RBAC resources. |
| server/fixtures/users.js | Seeds staff + 100 authors as users with timestamps. |
| server/fixtures/roles.js | Seeds roles and permission assignments (admin/editor/reader/author). |
| server/fixtures/posts.js | Updates seeded posts to reference author users and adds updatedAt. |
| server/fixtures/permissions.js | Seeds permission catalog used by roles/RBAC UI. |
| server/fixtures/comments.js | Adds updatedAt to seeded comments. |
| server/fixtures/authors.js | Removes legacy authors fixture (authors now come from users). |
| cobol/tests/test-router.cbl | Adds router tests for query params and login/logout routes. |
| cobol/tests/test-pages.cbl | Updates layout tests to pass auth context into PAGE-LAYOUT. |
| cobol/templates/layout.html | Adds footer links to the layout template. |
| cobol/static/style.css | Adds footer styling and .nav-user; adjusts nav styling. |
| cobol/run-tests.sh | Compiles/links the new PAGE-LOGIN module during test runs. |
| cobol/router.cbl | Adds /login and /logout routing; hardens query param parsing. |
| cobol/page-show.cbl | Hides the Edit button unless update permission is present. |
| cobol/page-login.cbl | Adds a login page renderer with error state. |
| cobol/page-list.cbl | Hides Create unless permitted; hides users.roleId column; threads auth permissions. |
| cobol/page-layout.cbl | Filters nav links by read permission; shows logged-in user + logout link. |
| cobol/page-edit.cbl | Hides Delete unless permitted; improves array field handling for inputs. |
| cobol/page-create.cbl | Enables array field inputs (with [] and placeholder) instead of skipping them. |
| cobol/main.cbl | Adds auth resolution, login/logout handling, and per-route permission enforcement. |
| cobol/helpers.c | Adds auth helpers (login/me/can/check), form-to-JSON array support, and resource sorting tweaks. |
| cobol/Dockerfile | Builds/links PAGE-LOGIN and normalizes CRLF before running tests. |
| cobol/copybooks/ws-route.cpy | Adds ROUTE-LOGIN and ROUTE-LOGOUT flags. |
| cobol/copybooks/ws-auth.cpy | Adds shared auth working-storage fields (sid/user/role/permissions). |
| } | ||
| db[resource].push(item); | ||
| res.status(201).json(item); | ||
| res.status(201).json(resource === "users" ? publicUser(item) : item); |
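Review bot: `db[resource].push(item)` stores the request body as-is while only the response is projected through `publicUser`, so for `users` any credential or other sensitive field present in `item` is persisted unmasked and will surface wherever a raw `db.users` entry is returned. Confirm that `publicUser` is applied on the list and get paths as well, and that sensitive user fields are validated and hashed before the push rather than only hidden on the way out.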
| if (timestamped) db[resource][idx].updatedAt = now; | ||
| res.json(resource === "users" ? publicUser(db[resource][idx]) : db[resource][idx]); |
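Review bot: the `resource === "users" ? publicUser(...) : ...` ternary now appears in both the create and update handlers; factor it into one projection helper (for example `toPublic(resource, item)`) so that every route that returns a record goes through the same code path and a future resource with sensitive fields cannot be missed in one handler.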
| const sessionId = `${Date.now().toString(36)}-${Math.random().toString(36).slice(2)}`; | ||
| sessions.set(sessionId, { userId: user.id, createdAt: new Date().toISOString() }); | ||
| res.json({ sessionId, ...authPayload(user) }); |
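Review bot: the session id is built from `Date.now().toString(36)` and `Math.random()`, neither of which is unpredictable, so session ids can be guessed; use `crypto.randomBytes(32).toString("hex")` or `crypto.randomUUID()` instead. The stored session also carries only `createdAt` and no expiry, so it lives until the process restarts; add an `expiresAt`, check it when resolving a session, and delete the entry on logout.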
| app.use("/posts", crud("posts", true)); | ||
| app.use("/comments", crud("comments", true)); | ||
| app.use("/permissions", crud("permissions")); | ||
| app.use("/roles", crud("roles")); | ||
| app.use("/users", crud("users", true)); |
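Review bot: no authentication or permission middleware is visible in front of `crud("permissions")`, `crud("roles")` and `crud("users")`, so the RBAC resources are readable and writable by any client that can reach the API; the per-file summary places per-route permission enforcement in `cobol/main.cbl`, which guards only the admin UI. Mount these routers behind the session/permission check, e.g. `app.use("/roles", requirePermission("roles:update"), crud("roles"))`, with `requirePermission` standing for whatever guard the API provides and the permission names matching `server/fixtures/permissions.js`.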
@copilot apply changes based on the comments in this thread
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@copilot apply changes based on the comments in this thread

@copilot apply changes based on the comments in this thread

I addressed the main review points:
Ready for another review.
otontraore left a comment
@ThieryMichel benwinding Could you please review this PR again when you have a moment?
Summary
`author` role, enrich post list/show responses with author and tag names, and add timestamps where useful
Verification
`docker compose build cobol`
`docker compose up -d --build`
`admin/admin`