feat: enforce RBAC in RPC dispatcher

Check user role against method permissions before dispatch. All current users default to Admin, laying groundwork for multi-user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 04:32:59 +00:00
parent 299357e908
commit ef58b2ad18
2 changed files with 24 additions and 1 deletions
--- a/core/archipelago/src/api/rpc/mod.rs
+++ b/core/archipelago/src/api/rpc/mod.rs
@@ -242,6 +242,29 @@ impl RpcHandler {
            }
        }

+        // RBAC: check if the user's role allows this method
+        if !is_unauthenticated {
+            if let Ok(Some(user)) = self.auth_manager.get_user().await {
+                if !user.role.can_access(&rpc_req.method) {
+                    let rpc_resp = RpcResponse {
+                        result: None,
+                        error: Some(RpcError {
+                            code: 403,
+                            message: "Forbidden: insufficient permissions".to_string(),
+                            data: None,
+                        }),
+                    };
+                    let resp_body = serde_json::to_vec(&rpc_resp)
+                        .context("Failed to serialize response")?;
+                    return Ok(Response::builder()
+                        .status(StatusCode::FORBIDDEN)
+                        .header("Content-Type", "application/json")
+                        .body(hyper::Body::from(resp_body))
+                        .unwrap());
+                }
+            }
+        }
+
        // CSRF protection: validate X-CSRF-Token header for authenticated methods
        if !is_unauthenticated {
            let csrf_cookie = extract_csrf_cookie(&parts.headers);