cobol-java-v3/.claude/skills/code-review/references/manual-review/permission.md
NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines trigger rules, review flow, severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Result: usable right after clone; every code change is reviewed automatically, preventing low-quality code from entering the repository
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00


Permission Module — Manual Review Checklist

RBAC Model

  • Roles and permissions clearly defined and documented
  • No permission inheritance cycles
  • Super admin role cannot be accidentally assigned to regular users
  • Role changes are logged

Authorization Enforcement

  • Every protected endpoint checks permissions (not just login state)
  • Resource-level permissions: user can only access own data
  • Admin endpoints segregated from user endpoints (different middleware chain)

Horizontal Escalation

  • User A cannot access User B's resources by changing ID in request
  • Resource ownership verified on every request (not just at list level)
  • Bulk operations check permissions per-item, not just the batch endpoint

Vertical Escalation

  • Regular users cannot perform admin actions
  • Role checks happen server-side (not trusting client-claimed role)
  • Privileged operations require re-authentication
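The horizontal and vertical checks above, shown as an added Python example that is not part of this checklist or the cobol-java-v3 project: the role is read from the server-side session (a client-supplied role field is ignored), ownership is verified per item before a bulk operation touches anything, and a foreign ID anywhere in the batch rejects the whole request. `User`, `Document`, `AuthorizationError`, `require_role`, `require_owner` and `authorize_bulk_delete` are hypothetical names; the document store is constructed sample data.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a check fails; the caller maps it to 403 (or 404 to hide existence)."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"; populated from the server-side session only


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int


# Constructed sample store: docs 1 and 2 belong to user 100, doc 3 to user 200.
DOCS = {
    1: Document(1, owner_id=100),
    2: Document(2, owner_id=100),
    3: Document(3, owner_id=200),
}


def require_role(session_user: User, role: str) -> None:
    """Vertical check: the role comes from the session, never from the request."""
    if session_user.role != role:
        raise AuthorizationError(f"role {role!r} required")


def require_owner(session_user: User, doc: Document) -> None:
    """Horizontal check: the caller must own the resource (admins are exempt)."""
    if session_user.role != "admin" and doc.owner_id != session_user.user_id:
        raise AuthorizationError(f"user {session_user.user_id} does not own doc {doc.doc_id}")


def authorize_bulk_delete(session_user: User, doc_ids: list[int], claimed_role: str = "user") -> list[int]:
    """Bulk operation: every item is checked before any item is deleted.
    `claimed_role` stands in for a role field the client might send; it is ignored."""
    del claimed_role  # never trusted; session_user.role is the only source of truth
    approved: list[Document] = []
    for doc_id in doc_ids:
        doc = DOCS.get(doc_id)
        if doc is None:
            # Same exception type as a denial, so a caller cannot distinguish
            # "not yours" from "does not exist" by probing IDs.
            raise AuthorizationError(f"doc {doc_id} not found")
        require_owner(session_user, doc)
        approved.append(doc)
    return [d.doc_id for d in approved]  # IDs cleared for deletion
```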

Token Strategy

  • Access token: short-lived (15-60 min)
  • Refresh token: long-lived, stored securely (httpOnly cookie)
  • Token rotation on refresh (old refresh token invalidated)
  • Token revocation mechanism (logout invalidates all user tokens)