# Permission Module — Manual Review Checklist

## RBAC Model

- [ ] Roles and permissions are clearly defined and documented (who may do what, on which resource type)
- [ ] No permission inheritance cycles (the role graph is a DAG; loading a cyclic graph should fail, not silently grant everything)
- [ ] Super admin role cannot be accidentally assigned to regular users (not reachable through the generic role-assignment path)
- [ ] Role changes are logged (actor, target, old role, new role, timestamp)

## Authorization Enforcement

- [ ] Every protected endpoint checks permissions, not just login state
- [ ] Resource-level permissions: a user can only access data they own or have been explicitly granted
- [ ] Admin endpoints are segregated from user endpoints (different route prefix and middleware chain)

## Horizontal Escalation

- [ ] User A cannot access User B's resources by changing an ID in the request (IDOR)
- [ ] Resource ownership is verified on every request, not only when listing resources
- [ ] Bulk operations check permissions per item, not just at the batch endpoint; one unauthorized item rejects the batch rather than succeeding partially

## Vertical Escalation

- [ ] Regular users cannot perform admin actions
- [ ] Role checks happen server-side against the stored user record (never trusting a client-claimed role in a header, cookie or token body)
- [ ] Privileged operations (role changes, password or MFA changes, payouts) require re-authentication

## Token Strategy

- [ ] Access token: short-lived (15-60 min)
- [ ] Refresh token: long-lived, stored securely (HttpOnly, Secure, SameSite cookie scoped to the refresh endpoint; never localStorage) and kept hashed server-side
- [ ] Token rotation on refresh (old refresh token invalidated; presenting an already-rotated token is treated as theft and revokes the whole session family)
- [ ] Token revocation mechanism (logout invalidates all of the user's tokens, including access tokens still in flight, e.g. via a per-user token version checked on every request)
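The RBAC Model, Authorization Enforcement, Horizontal Escalation and Vertical Escalation sections above are illustrated by the following added example. It is not code from any project this checklist reviews; the role names, permission strings, in-memory user and document stores and the audit log are assumptions made for the example. It shows an inheritance-cycle check at load time, effective-permission resolution, a per-request ownership check, per-item bulk authorization and a role-assignment path that refuses restricted roles and logs every change.

```python
"""Added example (not the reviewed project's code): minimal RBAC resolver,
ownership-aware authorization, per-item bulk checks and guarded role
assignment. All names and sample data below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)
    inherits: set[str] = field(default_factory=set)  # parent roles
    restricted: bool = False  # never granted through the generic assign path


class RoleGraph:
    """Role hierarchy; refuses to load a graph containing an inheritance cycle."""

    def __init__(self, roles: list[Role]):
        self.roles = {r.name: r for r in roles}
        cycle = self.find_cycle()
        if cycle:
            raise ValueError("inheritance cycle: " + " -> ".join(cycle))

    def find_cycle(self) -> list[str] | None:
        """Three-colour DFS; returns the cycle as a list of role names, else None."""
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {name: WHITE for name in self.roles}
        path: list[str] = []

        def visit(name: str) -> list[str] | None:
            colour[name] = GREY
            path.append(name)
            for parent in sorted(self.roles[name].inherits):
                if parent not in self.roles:
                    raise KeyError(f"{name} inherits unknown role {parent}")
                if colour[parent] == GREY:  # back edge: the cycle is closed
                    return path[path.index(parent):] + [parent]
                if colour[parent] == WHITE:
                    found = visit(parent)
                    if found:
                        return found
            path.pop()
            colour[name] = BLACK
            return None

        for name in sorted(self.roles):
            if colour[name] == WHITE:
                found = visit(name)
                if found:
                    return found
        return None

    def effective_permissions(self, role: str) -> set[str]:
        """Direct permissions plus everything inherited, transitively."""
        out: set[str] = set()
        seen: set[str] = set()
        stack = [role]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            out |= self.roles[name].permissions
            stack.extend(self.roles[name].inherits)
        return out


@dataclass
class User:
    id: int
    role: str  # taken from the server-side user record, never from the request


@dataclass
class Document:
    id: int
    owner_id: int


# Constructed sample data (assumed for this example).
ROLES = RoleGraph([
    Role("viewer", {"document:read:own"}),
    Role("editor", {"document:update:own", "document:delete:own"}, {"viewer"}),
    Role("admin", {"document:read:any", "document:delete:any", "role:assign"}, {"editor"}),
    Role("superadmin", {"*"}, {"admin"}, restricted=True),
])
USERS = {100: User(100, "editor"), 200: User(200, "viewer"), 300: User(300, "admin")}
DOCS = {1: Document(1, owner_id=100), 2: Document(2, owner_id=200), 3: Document(3, owner_id=100)}
AUDIT_LOG: list[dict] = []  # stand-in for a real append-only audit sink


def can_access_document(user: User, doc_id: int, action: str) -> bool:
    """Role check AND ownership check on every request (blocks IDOR)."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return False  # unknown and forbidden look the same to the caller
    perms = ROLES.effective_permissions(user.role)
    if "*" in perms or f"document:{action}:any" in perms:
        return True
    return f"document:{action}:own" in perms and doc.owner_id == user.id


def denied_in_bulk(user: User, doc_ids: list[int], action: str) -> list[int]:
    """Per-item check for a batch endpoint; the caller rejects the whole
    batch when this is non-empty instead of succeeding partially."""
    return [d for d in doc_ids if not can_access_document(user, d, action)]


def assign_role(actor: User, target: User, new_role: str) -> None:
    """Generic role assignment: needs role:assign, never hands out a
    restricted role (that needs a separate audited flow), and logs the change."""
    perms = ROLES.effective_permissions(actor.role)
    if "*" not in perms and "role:assign" not in perms:
        raise PermissionError(f"user {actor.id} may not assign roles")
    role = ROLES.roles.get(new_role)
    if role is None:
        raise ValueError(f"unknown role {new_role}")
    if role.restricted:
        raise PermissionError(f"{new_role} cannot be assigned through this path")
    AUDIT_LOG.append({"actor": actor.id, "target": target.id,
                      "from": target.role, "to": new_role})
    target.role = new_role
```

The ownership test lives inside `can_access_document` rather than in a list endpoint, so a direct `GET /documents/2` by user 200's neighbour is refused even though the document exists; the bulk helper reuses the same function so a batch cannot bypass it.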
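The Token Strategy section is illustrated by the following added example, which is not code from any reviewed project. It implements the four checklist items in one in-memory service: a 15-minute HMAC-signed access token, refresh tokens that are stored only as SHA-256 hashes and delivered in an HttpOnly cookie, rotation on every refresh with reuse detection that revokes the whole session family, and a logout that invalidates every outstanding token of a user by bumping a per-user token version. The token format, lifetimes, cookie path and the injectable clock are assumptions; a production system would use a vetted JWT or PASETO library and a shared store instead of process memory.

```python
"""Added example (not the reviewed project's code): access/refresh token
service with rotation, reuse detection and logout-all. Format, TTLs and
the clock hook are assumptions for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable

ACCESS_TTL = 15 * 60            # seconds; short-lived
REFRESH_TTL = 30 * 24 * 3600    # seconds; long-lived but rotated on every use


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def refresh_cookie(token: str) -> str:
    """Set-Cookie value: unreadable from JS, HTTPS only, sent only to the
    refresh endpoint (assumed path /auth/refresh)."""
    return (f"refresh={token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/auth/refresh; Max-Age={REFRESH_TTL}")


class TokenService:
    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time):
        self._secret = secret
        self._clock = clock
        self._refresh: dict[str, dict] = {}   # sha256(refresh token) -> record
        self._version: dict[str, int] = {}    # user -> current token version

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)

    def verify_access(self, token: str) -> str | None:
        """Subject of a valid token, else None (bad signature, expired, or
        issued before the user's last logout_all)."""
        try:
            body, mac = token.split(".")
            payload = _unb64(body)
            expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac)):
                return None
            claims = json.loads(payload)
            sub, exp, ver = claims["sub"], claims["exp"], claims["ver"]
        except (ValueError, KeyError, TypeError):
            return None
        if exp <= self._clock() or ver != self._version.get(sub, 0):
            return None
        return sub

    def issue(self, user_id: str) -> tuple[str, str]:
        """Login: a fresh session family with a new access/refresh pair."""
        return self._issue_pair(user_id, family=secrets.token_hex(8))

    def _issue_pair(self, user_id: str, family: str) -> tuple[str, str]:
        now = self._clock()
        version = self._version.setdefault(user_id, 0)
        claims = {"sub": user_id, "exp": int(now) + ACCESS_TTL, "ver": version}
        access = self._sign(json.dumps(claims, separators=(",", ":")).encode())
        refresh = secrets.token_urlsafe(32)
        # Only the hash is stored, so a database leak does not yield usable tokens.
        self._refresh[hashlib.sha256(refresh.encode()).hexdigest()] = {
            "sub": user_id, "family": family, "exp": now + REFRESH_TTL,
            "ver": version, "used": False}
        return access, refresh

    def refresh(self, refresh_token: str) -> tuple[str, str] | None:
        """Rotate: the presented token is invalidated and a new pair issued.
        A token that was already rotated has leaked, so its family is revoked."""
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        rec = self._refresh.get(key)
        if rec is None:
            return None
        if rec["used"]:
            self._revoke_family(rec["family"])
            return None
        if rec["exp"] <= self._clock() or rec["ver"] != self._version.get(rec["sub"], 0):
            del self._refresh[key]
            return None
        rec["used"] = True
        return self._issue_pair(rec["sub"], rec["family"])

    def _revoke_family(self, family: str) -> None:
        for key in [k for k, r in self._refresh.items() if r["family"] == family]:
            del self._refresh[key]

    def logout_all(self, user_id: str) -> None:
        """Bump the version so access tokens still in flight fail verification,
        and drop every refresh record for the user."""
        self._version[user_id] = self._version.get(user_id, 0) + 1
        for key in [k for k, r in self._refresh.items() if r["sub"] == user_id]:
            del self._refresh[key]
```

The version check in `verify_access` is what makes "logout invalidates all tokens" true for stateless access tokens without a full denylist: one integer per user is read on each request, and bumping it orphans everything signed earlier.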