Skip to main content
API Route RBAC Enforcement protects workspace-scoped resources by requiring valid membership before allowing access to any workspace endpoints. API Route RBAC Enforcement protects workspace-scoped resources by requiring valid membership before allowing access to any workspace endpoints.
The user calls workspace-scoped routes; middleware checks membership and role before any mutation runs.

Quick Start

1

Protected Route Access

2

Membership Validation

3

Role-based Access Control


How It Works


Implementation Details

RBAC Dependency

The require_workspace_member dependency replaces get_current_user in all workspace-scoped routes:

Dependency Configuration

Role Hierarchy


Protected Routes

All workspace-scoped API routes now enforce membership:

Core Resources

Project Management

Issue Tracking

Agent Management


Breaking Change: If you have an existing client that mutates workspaces, members, agents, or issues as a non-admin member, those calls now return 403. Grant the calling user the admin (or owner where required) role first.

Owner-only Sub-checks

Beyond the base role requirements, certain operations require additional owner privileges:

Member Management with Owner Role

Example Owner-only Operations

Cross-workspace Access (IDOR)

The ensure_resource_in_workspace function prevents cross-workspace resource access by returning 404 (not 403) when a resource exists but belongs to a different workspace.

Protected Resources

This prevents enumeration of resource IDs across workspaces by making cross-workspace resources appear non-existent.

Error Responses

403 Forbidden - Non-Member

When a valid user attempts to access a workspace they’re not a member of:

403 Forbidden - Insufficient Role

When a member lacks the required role level:

403 Forbidden - Owner Role Required

When an admin attempts to assign admin or owner roles:

401 Unauthorized

When authentication fails (invalid/missing token):

API Testing

Valid Member Access

Non-Member Access

Role-based Access


Migration Impact

Behavior Changes

Client Impact


Best Practices

Always handle 403 Forbidden responses in client applications. Display user-friendly messages when workspace access is denied rather than generic error messages.
Configure route dependencies with the minimum required role. Don’t require admin for operations that member can safely perform.
Check user workspace membership before displaying UI elements like “Create Project” buttons to prevent unsuccessful API calls.
Log and monitor 403 responses to identify potential security issues or UX problems with workspace access patterns.

Testing

Verify RBAC enforcement with the integration test suite:
Expected test scenarios:
  • Non-member 403 responses on all workspace routes
  • Member access granted for basic operations
  • Admin role enforcement for management operations
  • Owner role enforcement for destructive operations

Team Members & RBAC

Learn about workspace member management

Authentication

Understand JWT token authentication