Quick Start
1
Protected Route Access
2
Membership Validation
3
Role-based Access Control
How It Works
Implementation Details
RBAC Dependency
Therequire_workspace_member dependency replaces get_current_user in all workspace-scoped routes:
Dependency Configuration
Role Hierarchy
Protected Routes
All workspace-scoped API routes now enforce membership:Core Resources
Project Management
Issue Tracking
Agent Management
Owner-only Sub-checks
Beyond the base role requirements, certain operations require additional owner privileges:Member Management with Owner Role
Example Owner-only Operations
Cross-workspace Access (IDOR)
Theensure_resource_in_workspace function prevents cross-workspace resource access by returning 404 (not 403) when a resource exists but belongs to a different workspace.
Protected Resources
This prevents enumeration of resource IDs across workspaces by making cross-workspace resources appear non-existent.
Error Responses
403 Forbidden - Non-Member
When a valid user attempts to access a workspace they’re not a member of:403 Forbidden - Insufficient Role
When a member lacks the required role level:403 Forbidden - Owner Role Required
When an admin attempts to assign admin or owner roles:401 Unauthorized
When authentication fails (invalid/missing token):API Testing
Valid Member Access
Non-Member Access
Role-based Access
Migration Impact
Behavior Changes
Client Impact
Best Practices
Use Appropriate Role Requirements
Use Appropriate Role Requirements
Configure route dependencies with the minimum required role. Don’t require
admin for operations that member can safely perform.Validate Membership Before UI Actions
Validate Membership Before UI Actions
Check user workspace membership before displaying UI elements like “Create Project” buttons to prevent unsuccessful API calls.
Testing
Verify RBAC enforcement with the integration test suite:- Non-member 403 responses on all workspace routes
- Member access granted for basic operations
- Admin role enforcement for management operations
- Owner role enforcement for destructive operations
Related
Team Members & RBAC
Learn about workspace member management
Authentication
Understand JWT token authentication

