BoardKitBackend

# PermissionService

Role-based access control with viewer/editor/owner hierarchy.

PermissionService enforces role-based access control across all controllers and the WebSocket gateway.
## Role Hierarchy

```
viewer (0) < editor (1) < owner (2)
```

Access checks compare the user's role level against the required role level. A user with a higher role automatically satisfies lower role requirements.
## Methods

### checkAccess

Checks if a user has at least the required role on a board. Board owners automatically pass all checks.

```typescript
async checkAccess(boardId: string, userId: string, requiredRole: string): Promise<boolean>;
```

```typescript
const canView = await permissionService.checkAccess(boardId, userId, 'viewer');
const canEdit = await permissionService.checkAccess(boardId, userId, 'editor');
const isOwner = await permissionService.checkAccess(boardId, userId, 'owner');
```

### addMember

Adds or updates a member's role on a board.

```typescript
async addMember(boardId: string, userId: string, role: string): Promise<void>;
```

### removeMember

Removes a member from a board.

```typescript
async removeMember(boardId: string, userId: string): Promise<void>;
```

### createShareLink

Creates a share link with view or edit permissions.

```typescript
async createShareLink(
  boardId: string,
  permission: string,
  expiresAt?: string,
): Promise<ShareLink>;
```

### resolveShareLink

Resolves a share token to a board ID and permission level. Returns null if the token is invalid or expired.

```typescript
async resolveShareLink(token: string): Promise<{ boardId: string; permission: string } | null>;
```

## Where Permissions Are Enforced
| Location | Required Role |
|---|---|
| BoardController — view board | viewer |
| BoardController — update/delete board | owner |
| PageController — all operations | editor |
| AssetController — upload | editor |
| ExportController — export | viewer |
| ShareController — create/delete links | owner |
| BoardGateway — join session | viewer |
| BoardGateway — send mutations | editor |
| BoardGateway — cursor broadcast | viewer |
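As an added illustration (not BoardKitBackend's own implementation), the following TypeScript models the role-level comparison, the owner short-circuit and the null-on-expiry contract described above over in-memory maps. The map-based storage, the synchronous functions and the sample records are assumptions made for the example; the real service is async and backed by a database.

```typescript
// Added example (not the project's code): an in-memory model of the
// viewer < editor < owner check and of share-link resolution. The map-based
// storage and synchronous functions are simplifications; the real
// PermissionService is async and reads these records from its database.
const ROLE_LEVEL: Record<string, number> = { viewer: 0, editor: 1, owner: 2 };

interface BoardRecord {
  ownerId: string;
  members: Map<string, string>; // userId -> role name
}

interface ShareLinkRecord {
  boardId: string;
  permission: "view" | "edit";
  expiresAt?: string; // ISO-8601; absent means the link never expires
}

// Fails closed: an unknown board, an unrecognized requiredRole, or a stored
// role that is not in the hierarchy all yield false.
function checkAccess(
  boards: Map<string, BoardRecord>, boardId: string, userId: string, requiredRole: string,
): boolean {
  const board = boards.get(boardId);
  if (!board) return false;
  if (board.ownerId === userId) return true; // board owners pass every check
  const required = ROLE_LEVEL[requiredRole];
  if (required === undefined) return false;
  const have = ROLE_LEVEL[board.members.get(userId) ?? ""];
  return have !== undefined && have >= required;
}

// Unknown or expired tokens resolve to null, as the documented contract requires.
function resolveShareLink(
  links: Map<string, ShareLinkRecord>, token: string, now: Date = new Date(),
): { boardId: string; permission: string } | null {
  const link = links.get(token);
  if (!link) return null;
  if (link.expiresAt !== undefined && Date.parse(link.expiresAt) <= now.getTime()) return null;
  return { boardId: link.boardId, permission: link.permission };
}

// Constructed sample data so the block runs stand-alone.
const BOARDS = new Map<string, BoardRecord>([
  ["b1", { ownerId: "alice", members: new Map([["bob", "editor"], ["carol", "viewer"]]) }],
]);
const LINKS = new Map<string, ShareLinkRecord>([
  ["tok-live", { boardId: "b1", permission: "view", expiresAt: "2999-01-01T00:00:00Z" }],
  ["tok-dead", { boardId: "b1", permission: "edit", expiresAt: "2000-01-01T00:00:00Z" }],
]);
```

The fail-closed branches are the part worth copying: an unrecognized role name on either side of the comparison must deny rather than fall through to a default level.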