RBAC & Permissions

Top G & AI Velocity Feature

Full RBAC system is available in Top G and AI Velocity tiers only.
See tier comparison

Plan-based role and feature access control system.

How It Works

  1. User purchases plan or subscribes
  2. Webhook updates user's current_plan field
  3. Permissions automatically granted based on plan
  4. Features check permissions before access

Plan Types

Python
# app/permissions.py
import enum


class PlanType(enum.Enum):
    FREE = "free"
    STARTER = "starter"          # One-time purchase
    PRO = "pro"                  # One-time purchase
    PREMIUM = "premium"          # Monthly subscription
    ENTERPRISE = "enterprise"    # Monthly subscription

Feature Permissions

Example permissions by tier:

Starter:

  • BASIC_ARTICLES
  • ARTICLE_MANAGEMENT
  • BASIC_ANALYTICS

Pro:

  • All Starter features +
  • ADVANCED_DASHBOARD
  • ADVANCED_ANALYTICS
  • API_ACCESS

Premium:

  • All Pro features +
  • PREMIUM_INTEGRATIONS
  • ADVANCED_REPORTING

Enterprise:

  • All Premium features +
  • CUSTOM_INTEGRATIONS
  • TEAM_MANAGEMENT
  • AUDIT_LOGS

Full permission list

Usage

Backend (FastAPI)

Python
from app.core.access_control import PlanChecker, get_user_current_plan
from app.permissions import FeaturePermission
from app.models import User  # assumed location of the User model

# In service method (self.db is the async session, user_id the caller's id)
user = await self.db.get(User, user_id)
current_plan = await get_user_current_plan(user, self.db)
checker = PlanChecker(user, self.db, current_plan)

# Require permission (raises 403 if denied)
checker.require_permission(FeaturePermission.ADVANCED_ANALYTICS)

# Check permission (returns bool)
if checker.has_permission(FeaturePermission.PREMIUM_INTEGRATIONS):
    ...  # Show premium features
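The cumulative tier table and the backend checker above, modelled as an added example that is not the project's own code: permissions are the lowercase feature keys the frontend guard uses, the inheritance table and PermissionDenied are assumptions, and unknown or unset current_plan values fail closed to FREE.

```python
# Added example, not the project's own code: a fail-closed resolver for the
# cumulative tier permissions listed above. Permissions are the lowercase
# feature keys the frontend guard uses; the table layout is an assumption.
import enum

class PlanType(enum.Enum):
    FREE = "free"
    STARTER = "starter"
    PRO = "pro"
    PREMIUM = "premium"
    ENTERPRISE = "enterprise"

# Each tier lists only what it adds plus the tier it extends. FREE is absent,
# so FREE and any unknown plan value resolve to an empty set (fail closed).
_TIER = {
    PlanType.STARTER: (None, {"basic_articles", "article_management", "basic_analytics"}),
    PlanType.PRO: (PlanType.STARTER, {"advanced_dashboard", "advanced_analytics", "api_access"}),
    PlanType.PREMIUM: (PlanType.PRO, {"premium_integrations", "advanced_reporting"}),
    PlanType.ENTERPRISE: (PlanType.PREMIUM, {"custom_integrations", "team_management", "audit_logs"}),
}

class PermissionDenied(Exception):
    """Raised by require_permission; the API layer maps it to HTTP 403."""

def plan_from_field(current_plan):
    """Parse the stored current_plan value; None or garbage -> FREE, never an error."""
    try:
        return PlanType(current_plan)
    except ValueError:
        return PlanType.FREE

def permissions_for(plan):
    """Union the additions of every tier in the chain, most specific first."""
    granted = set()
    while plan in _TIER:
        parent, added = _TIER[plan]
        granted |= added
        plan = parent
    return frozenset(granted)

def has_permission(plan, feature):
    return feature in permissions_for(plan)

def require_permission(plan, feature):
    """Backend gate: the frontend guard is UX only, this check is the authority."""
    if not has_permission(plan, feature):
        raise PermissionDenied(f"plan '{plan.value}' lacks '{feature}'")
```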

Frontend (React)

TypeScript
import { PermissionGuard } from '@/components/PermissionGuard';
import { AdvancedAnalytics } from '@/components/AdvancedAnalytics'; // assumed path

export function AnalyticsPage() {
  // Shows upgrade prompt if user lacks permission
  return (
    <PermissionGuard feature="advanced_analytics">
      <AdvancedAnalytics />
    </PermissionGuard>
  );
}

Payment Integration

When payment succeeds, permissions update automatically:

Python
from app.core.access_control import update_user_plan
from app.models import User  # assumed location of the User model

# Webhook handler
async def _handle_checkout_completed(self, session):
    # Resolve the paying user (assumed: the user id travels in the checkout metadata)
    user = await self.db.get(User, session.metadata["user_id"])

    # 1. Create subscription/purchase record
    subscription = Subscription(...)
    self.db.add(subscription)

    # 2. Update user plan (CRITICAL)
    new_plan = await update_user_plan(user, self.db)

    # 3. Commit (async session, so the commit must be awaited)
    await self.db.commit()

    # User now has new permissions

Common Issues

Problem: User paid but doesn't have access
Solution: Verify webhook called update_user_plan()

Problem: Permission check fails
Solution: Check user's current_plan field is set correctly

Problem: Frontend shows feature but backend denies
Solution: Ensure the PermissionGuard feature key and the backend FeaturePermission check refer to the same permission; the backend check is authoritative, the frontend guard only controls what is displayed

Files Reference

  • app/permissions.py - Plan types & feature permissions
  • app/core/access_control.py - Permission checking logic
  • frontend/src/components/PermissionGuard.tsx - Frontend guard
  • app/services/webhook_handler.py - Payment-to-permission flow