
Migration: Role → Permissions

Changes Completed ✅

  1. Consolidated database migration (0031_permissions) - includes:

    • Creation of the permissions system (tables for plans, permissions and limits)
    • Removal of the role field from the users table
    • Removal of the social fields (website, instagram, facebook, thread) from the users table (already migrated to user_metadata)
    • Automatic migration of existing ADMIN users to the ENTERPRISE plan, which carries the ADMIN_ACCESS permission
  2. Database types updated (role removed from UserTable)

  3. Permission helpers created (verifyAdmin, isUserAdmin, verifyPermission, verifyLimit)

  4. app.controller.ts updated (all role checks replaced by @RequirePermission('ADMIN_ACCESS'))

  5. users.service.ts updated:

    • Removed role parameter from create()
    • Removed role from updateUser()
    • promoteToAdmin() marked as deprecated (now uses PermissionsService)
  6. users.controller.ts updated:

    • Removed role from createUser() endpoint
    • promoteToAdmin() now uses PermissionsService.assignSubscription() to assign ENTERPRISE plan
    • All req.user.role !== "ADMIN" checks replaced by @RequirePermission("ADMIN_ACCESS")
    • Removed role from updateUser() endpoint
  7. auth.service.ts updated:

    • Removed role from AuthenticatedUser interface
    • Removed role: row.role ?? "MEMBER" from toAuthUser()
  8. OpenAPI schemas updated:

    • Removed role from User schema
    • Removed role from CreateUserRequest
    • Removed role from UpdateUserRequest
    • Removed role from AuthenticatedUser
    • Removed UserRole enum
  9. OpenAPI types regenerated (npm run openapi:generate)

  10. Documentation created:

    • PERMISSIONS_ARCHITECTURE.md - Architecture and decisions
    • backend/src/permissions/README.md - Permissions module documentation
    • agents.md - Permission rules and scalability

Remaining Changes ⚠️

Tests

To modify:

  • __tests__/auth.service.spec.ts: remove the assertions on role in the AuthenticatedUser test objects (toAuthUser() no longer sets role, and the field is gone from the interface)

Status Summary

  1. ✅ Database migrations (consolidated in 0031_permissions)
  2. ✅ Database types
  3. ✅ Permission helpers
  4. ✅ app.controller.ts
  5. ✅ auth.service.ts
  6. ✅ users.service.ts
  7. ✅ users.controller.ts
  8. ✅ OpenAPI schemas
  9. ✅ OpenAPI types regenerated
  10. ⚠️ Tests (to do)

Important Notes

  • Consolidated migration: 0031_permissions contains everything (permissions system + role removal + social fields removal)
  • Automatic migration: existing ADMIN users are migrated to the ENTERPRISE plan, which carries ADMIN_ACCESS, so no admin loses access when the role column is dropped
  • Default plan: users without a subscription resolve to the FREE plan
  • ADMIN_ACCESS permission: not tied to one plan, so an admin can be on any plan (they are not forced onto ENTERPRISE). Check the plan seed so that ADMIN_ACCESS is attached only to the plans meant to grant it; in particular the FREE default plan must not carry it, otherwise every user without a subscription would be an admin
  • Social fields: removed from users because they were already migrated to user_metadata in migration 0027_user_metadata_company

Usage

Check if a user is admin

  // Replaces the old `user.role === "ADMIN"` comparison: admin status is now
  // derived from the user's plan, not stored on the user row.
  const isAdmin = await this.permissionsService.hasPermission(
    userId,
    "ADMIN_ACCESS"
  );

Promote a user to admin

  // Replaces the deprecated promoteToAdmin(): look up the ENTERPRISE plan and
  // give the user an ACTIVE subscription to it.
  const enterprisePlan = await this.permissionsService.getPlanByCode(
    "ENTERPRISE"
  );
  await this.permissionsService.assignSubscription(
    userId,
    enterprisePlan.id,
    "ACTIVE"
  );

Protect an admin endpoint

  // @RequirePermission only records metadata; PermissionGuard is what enforces
  // it, so it must be listed in @UseGuards, after the authentication guards.
  // Leaving PermissionGuard out silently makes the endpoint open to any
  // authenticated active user.
  @UseGuards(AuthGuard('jwt'), ActiveUserGuard, PermissionGuard)
  @RequirePermission('ADMIN_ACCESS')
  async adminEndpoint() {
    // ...
  }
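As an added illustration (not the project's own code), the standalone TypeScript below models the plan/permission/subscription resolution that the helpers above rely on, including the cases a reviewer of this migration would want covered: a user with no subscription resolves to FREE, a lapsed (non-ACTIVE) ENTERPRISE subscription no longer grants ADMIN_ACCESS, and a legacy ADMIN row is migrated to an ACTIVE ENTERPRISE subscription the way 0031_permissions does. It uses no Nest decorators and no database; the plan seed, the PROJECT_* permission names, the projects limit key, the synchronous API and the rule that a non-ACTIVE subscription falls back to FREE are assumptions for illustration.

```typescript
// Added example, not the project's own code: an in-memory model of the
// plan -> permission -> subscription checks described on this page. The plan
// seed, the limit key and the "non-ACTIVE subscription falls back to FREE"
// rule are assumptions for illustration.

type SubscriptionStatus = "ACTIVE" | "CANCELED" | "EXPIRED";

interface Plan {
  id: number;
  code: string;
  permissions: ReadonlySet<string>;
  limits: Readonly<Record<string, number>>;
}

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenError";
    Object.setPrototypeOf(this, ForbiddenError.prototype); // keeps instanceof correct on ES5 targets
  }
}

// Synchronous stand-in for PermissionsService (the real one is async and DB-backed).
class PermissionsService {
  // One subscription per user, keyed by user id.
  private readonly subscriptions = new Map<string, { planId: number; status: SubscriptionStatus }>();

  constructor(private readonly plans: readonly Plan[]) {}

  getPlanByCode(code: string): Plan {
    const plan = this.plans.find((p) => p.code === code);
    if (!plan) throw new Error(`unknown plan code ${code}`);
    return plan;
  }

  assignSubscription(userId: string, planId: number, status: SubscriptionStatus): void {
    if (!this.plans.some((p) => p.id === planId)) throw new Error(`unknown plan id ${planId}`);
    this.subscriptions.set(userId, { planId, status });
  }

  // Default plan: no subscription, or one that is not ACTIVE, resolves to FREE.
  effectivePlan(userId: string): Plan {
    const sub = this.subscriptions.get(userId);
    if (!sub || sub.status !== "ACTIVE") return this.getPlanByCode("FREE");
    return this.plans.find((p) => p.id === sub.planId)!;
  }

  hasPermission(userId: string, permission: string): boolean {
    return this.effectivePlan(userId).permissions.has(permission);
  }

  getLimit(userId: string, key: string): number {
    return this.effectivePlan(userId).limits[key] ?? 0; // unknown key: limit of 0, i.e. deny
  }
}

// Equivalents of the verifyPermission / verifyLimit helpers: deny by default, throw on failure.
function verifyPermission(svc: PermissionsService, userId: string, permission: string): void {
  if (!svc.hasPermission(userId, permission)) throw new ForbiddenError(`${userId} lacks ${permission}`);
}

function verifyLimit(svc: PermissionsService, userId: string, key: string, current: number): void {
  if (current >= svc.getLimit(userId, key)) throw new ForbiddenError(`${userId} reached the ${key} limit`);
}

// Constructed seed (assumption): only ENTERPRISE carries ADMIN_ACCESS.
const PLANS: readonly Plan[] = [
  { id: 1, code: "FREE", permissions: new Set(["PROJECT_READ"]), limits: { projects: 1 } },
  { id: 2, code: "PRO", permissions: new Set(["PROJECT_READ", "PROJECT_WRITE"]), limits: { projects: 10 } },
  { id: 3, code: "ENTERPRISE", permissions: new Set(["PROJECT_READ", "PROJECT_WRITE", "ADMIN_ACCESS"]), limits: { projects: 1000 } },
];

// What migration 0031 does for legacy rows: every ADMIN gets an ACTIVE ENTERPRISE subscription.
function migrateLegacyAdmins(svc: PermissionsService, users: { id: string; role: string }[]): string[] {
  const enterprise = svc.getPlanByCode("ENTERPRISE");
  const migrated = users.filter((u) => u.role === "ADMIN").map((u) => u.id);
  for (const id of migrated) svc.assignSubscription(id, enterprise.id, "ACTIVE");
  return migrated;
}

// Service seeded with three constructed users: a legacy admin, a legacy member and a lapsed admin.
function buildService(): PermissionsService {
  const svc = new PermissionsService(PLANS);
  migrateLegacyAdmins(svc, [{ id: "u-admin", role: "ADMIN" }, { id: "u-member", role: "MEMBER" }]);
  svc.assignSubscription("u-lapsed", svc.getPlanByCode("ENTERPRISE").id, "CANCELED");
  return svc;
}

// The invariant worth a unit test: the default plan must never grant ADMIN_ACCESS.
function freePlanGrantsAdmin(): boolean {
  return new PermissionsService(PLANS).getPlanByCode("FREE").permissions.has("ADMIN_ACCESS");
}
```

The last function is the check worth keeping in the test suite once the role assertions are removed: because admin status is now entirely a property of the plan seed, attaching ADMIN_ACCESS to FREE would turn every user without a subscription into an admin, and nothing in the controllers would notice.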