Permissions (Roles)
User permission levels are defined in the permissions object in /config. Here you can define a multi-tier hierarchy of user access levels.
Default Permissions
Out-of-the-box, Gravity includes master (for Mission Control), owner, admin, user and developer roles.
Client Permissions
The same permissions object is included in client/src/permissions.json. You must maintain both files, as the React client runs independently of the server. You can also define different permissions for the client UI if you need to, but if you change a role on the server, update the client file as well, or the UI will show or hide features for the wrong users.
How Permissions Work
The user's permission is stored in the JWT, so the API can verify each user action against it. The API must verify the token's signature before trusting the permission claim it carries.
The permission level is also stored in the UI context, so you can show or hide features depending on the user's permission level.
Only use the permission stored in the client context for visual purposes (showing or hiding UI) and ALWAYS enforce access control in the API. A savvy user can modify the value in the client context and reveal hidden UI features, but an API check will still prevent them from performing an action they do not have permission for.
What Each Permission Can Do
Below is a breakdown of what each user permission can do by default. You can customise this logic to suit your own requirements.
Each account can only have one owner, but as many admins, users and developers as you need.
Master
view all accounts and all users
edit any account and any user
view application logs
view user feedback
Owner
can edit billing details
can close the account
can invite admins, users and developers
can promote a user to admin
can demote an admin to user
can edit admins, users and developers
can create, update and delete API keys
Admin
can invite users
can edit users
can promote a user to admin
User
can view, edit and delete the data they are permitted to access
Developer
everything a user can do plus update and delete API keys