User Role & Permission System Documentation

Overview

Flow implements a strictly segregated Role-Based Access Control (RBAC) system to distinguish between Personal Users (App-only) and Business Vendors (Web & App).

User Roles

The role column in the users table determines capabilities:

Role      | Description                                      | Web Dashboard Access            | Mobile App Access
----------|--------------------------------------------------|---------------------------------|------------------
user      | Standard personal user. Can create small events. | Blocked (redirects to /upgrade) | Full Access
vendor    | Business/venue owner. Advanced event tools.      | Vendor Dashboard (/vendor/*)    | Full Access
admin     | System administrator.                            | Admin Dashboard (/admin/*)      | Full Access
moderator | Content moderator.                               | Admin Dashboard (restricted)    | Full Access

Implementation Details

1. Registration (Mobile)

  • Location: RegisterScreen.dart
  • Logic: Users select “Personal” or “Business” during sign-up.
    • Personal role: 'user'
    • Business role: 'vendor' (Note: production may require a manual approval flow.)

2. Web Access Control (Middleware)

  • Location: middleware.ts
  • Logic:
    • Intercepts all requests to /admin/* and /vendor/*.
    • Fetches user role from Supabase.
    • Enforcement:
      • If role == 'user': Redirect to /upgrade.
      • If role == 'vendor' tries /admin: Redirect to /vendor/dashboard.
      • If role != 'vendor' tries /vendor: Redirect to /admin/dashboard (unless the role is admin).
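The enforcement rules above as a pure, testable decision function, added here as an example (this is not the project's middleware.ts). The Supabase role lookup and the framework request/response handling are omitted, and the '/login' fallback for a missing or unrecognised role is an assumption the page does not state.

```typescript
// Added example (not the project's middleware.ts): the redirect rules from
// section 2 as a pure decision function. Fetching the role from Supabase
// and the Next.js request/response plumbing are left out on purpose.
type Role = 'user' | 'vendor' | 'admin' | 'moderator';
const KNOWN_ROLES: readonly Role[] = ['user', 'vendor', 'admin', 'moderator'];

// Assumed fallback for unauthenticated or unrecognised roles (the page does
// not specify one): fail closed by sending the request to a login page.
const LOGIN_PATH = '/login';

// Map the raw value read from the users.role column onto the Role union.
// Anything unexpected (null, typo, role not yet handled) becomes null so the
// middleware never grants access on an unknown string.
function roleFromDb(value: unknown): Role | null {
  return typeof value === 'string' && (KNOWN_ROLES as readonly string[]).includes(value)
    ? (value as Role)
    : null;
}

// True only for the protected prefix itself or paths beneath it, so that
// e.g. "/administration" is not mistaken for "/admin/*".
function underPrefix(pathname: string, prefix: string): boolean {
  return pathname === prefix || pathname.startsWith(prefix + '/');
}

// Returns the path to redirect to, or null when the request may proceed.
function resolveRedirect(role: Role | null, pathname: string): string | null {
  const wantsAdmin = underPrefix(pathname, '/admin');
  const wantsVendor = underPrefix(pathname, '/vendor');
  if (!wantsAdmin && !wantsVendor) return null; // not an intercepted area

  switch (role) {
    case 'user':
      return '/upgrade'; // personal users never reach the web dashboards
    case 'vendor':
      return wantsAdmin ? '/vendor/dashboard' : null;
    case 'admin':
      return null; // admins may use both /admin/* and /vendor/*
    case 'moderator':
      return wantsVendor ? '/admin/dashboard' : null;
    default:
      return LOGIN_PATH; // null or anything unexpected: fail closed (assumption)
  }
}
```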

3. Event Management

  • Mobile: MyEventsScreen allows both roles to manage events.
  • Web: Only vendor and admin can manage events via the Event Wizard.

Testing Verification

  • Test 1: Register as “Personal” on mobile → try to log in to the Admin Portal → should see the Upgrade Page.
  • Test 2: Register as “Business” on mobile → log in to the Admin Portal → should see the Vendor Dashboard.