VENI-AI Docs

Appearance

Authorization (RBAC)

Shell uses Casbin for role-based access control. Permissions follow the resource:action pattern and are enforced via the @authorize() decorator and an RBAC middleware.

How it works 

Request → JwtAuthStrategy (verify token) → RBACMiddleware (inject RBACService) → @authorize() decorator → handler

The Casbin model file is loaded from config/rbac_model.conf relative to process.cwd():

  • Dev: shell/api/config/rbac_model.conf
  • Prod (K8s): /app/config/rbac_model.conf

tsc does not copy .conf files

rbac_model.conf lives in shell/api/config/ (outside src/). The Dockerfile explicitly copies it: COPY shell/api/config ./config. Do not move it inside src/.

@authorize() usage

typescript
import { authorize } from '@/middleware/rbac.middleware';

@api({ basePath: '/api/users' })
export class UserController extends BaseController {

  @get('/')
  @authorize(['users:list'])
  async listUsers(ctx: Context) { ... }

  @post('/')
  @authorize(['users:write'])
  async createUser(ctx: Context) { ... }

  @del('/:id')
  @authorize(['users:delete'])
  async deleteUser(ctx: Context) { ... }
}

Pass multiple permissions to require all of them:

typescript
@authorize(['users:write', 'organizations:read'])

Permission reference

PermissionDescription
users:listList all users
users:readRead user detail
users:writeCreate or update users
users:deleteDelete users
roles:listList roles
roles:readRead role detail
roles:writeCreate or update roles
roles:deleteDelete roles
permissions:listList all permissions
permissions:readRead permission detail
apps:listList registered services
apps:readRead service detail
apps:writeRegister or update services
apps:deleteDelete services
organizations:listList organizations
organizations:readRead org detail
organizations:writeUpdate organizations
onboarding:listList onboarding requests
onboarding:readRead request detail
onboarding:approveApprove onboarding request
onboarding:rejectReject onboarding request
plans:listList subscription plans
plans:readRead plan detail
plans:writeCreate or update plans
subscriptions:readRead subscription status
subscriptions:writeManage subscriptions
subscriptions:adminAdmin override subscription
settings:readRead platform settings
settings:writeUpdate platform settings

Managing policies via API

Assign permissions to roles:

http
POST /api/roles/:id/permissions
Authorization: Bearer <shell-jwt>
Content-Type: application/json

{ "permissionIds": ["perm-uuid-1", "perm-uuid-2"] }

Assign roles to users:

http
POST /api/users/:id/roles
Authorization: Bearer <shell-jwt>
Content-Type: application/json

{ "roleIds": ["role-uuid"] }

© 2025-2026 VENIZIA AI