๐Ÿ›ก๏ธ EasyStream Role-Based Access Control (RBAC) System

getCurrentUser();
        // NOTE(review): the head of this switch and the lines of the 'change_role'
        // arm that read $userId / $newRole / $reason are outside the visible
        // excerpt (presumably VSecurity::postParam() like the arms below — confirm).
        // Every arm has the same shape: CSRF check first, then a fresh session
        // lookup plus a permission re-check, and only then the $rbac call. Keep
        // that order when adding arms; the permission check must never be
        // skipped just because the CSRF token was valid.
        if ($currentUser && $rbac->hasPermission('user.manage')) {
            // NOTE(review): nothing visible here stops an actor from changing
            // their own role or assigning a role at/above their own level
            // (e.g. an ADMIN promoting someone — or themselves — to SUPERADMIN).
            // Confirm changeUserRole() enforces both, or add the guard here.
            $result = $rbac->changeUserRole($userId, $newRole, $currentUser['user_id'], $reason);
            $message = $result ? 'Role changed successfully' : 'Failed to change role';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;

case 'grant_permission':
    if (VSecurity::validateCSRFFromPost('admin_action')) {
        $userId = VSecurity::postParam('user_id', 'int');
        $permission = VSecurity::postParam('permission', 'string');
        $expiresAt = VSecurity::postParam('expires_at', 'string');
        $currentUser = $auth->getCurrentUser();
        if ($currentUser && $rbac->hasPermission('user.manage')) {
            // NOTE(review): $permission is a free-form request string. Confirm
            // grantPermission() rejects names not in VRBAC::PERMISSIONS and
            // permissions the actor does not hold themselves (e.g. admin.system);
            // otherwise user.manage alone is enough to mint any permission.
            // `?: null` maps an empty form field to "no expiry"; note it is a
            // truthiness test, so '0' is treated the same as ''.
            $result = $rbac->grantPermission($userId, $permission, $currentUser['user_id'], $expiresAt ?: null);
            $message = $result ? 'Permission granted successfully' : 'Failed to grant permission';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;

case 'revoke_permission':
    if (VSecurity::validateCSRFFromPost('admin_action')) {
        $userId = VSecurity::postParam('user_id', 'int');
        $permission = VSecurity::postParam('permission', 'string');
        $currentUser = $auth->getCurrentUser();
        if ($currentUser && $rbac->hasPermission('user.manage')) {
            // Revocation is attributed to the acting user so the audit trail
            // records who removed the grant.
            $result = $rbac->revokePermission($userId, $permission, $currentUser['user_id']);
            $message = $result ? 'Permission revoked successfully' : 'Failed to revoke permission';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;

case 'suspend_user':
    if (VSecurity::validateCSRFFromPost('admin_action')) {
        $userId = VSecurity::postParam('user_id', 'int');
        $reason = VSecurity::postParam('reason', 'string');
        $expiresAt = VSecurity::postParam('expires_at', 'string');
        $currentUser = $auth->getCurrentUser();
        // Suspend, ban and reinstate all sit behind user.ban rather than
        // user.manage.
        if ($currentUser && $rbac->hasPermission('user.ban')) {
            // NOTE(review): the user list further down hides the action buttons
            // for your own row, but that is UI-only — this handler does not
            // check that $userId differs from the actor, nor that the target's
            // role level is below the actor's. Confirm suspendUser() does.
            $result = $rbac->suspendUser($userId, $reason, $currentUser['user_id'], $expiresAt ?: null);
            $message = $result ? 'User suspended successfully' : 'Failed to suspend user';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;

case 'ban_user':
    if (VSecurity::validateCSRFFromPost('admin_action')) {
        $userId = VSecurity::postParam('user_id', 'int');
        $reason = VSecurity::postParam('reason', 'string');
        // Absent checkbox => temporary ban (default false).
        $permanent = VSecurity::postParam('permanent', 'boolean', false);
        $currentUser = $auth->getCurrentUser();
        if ($currentUser && $rbac->hasPermission('user.ban')) {
            // NOTE(review): same self-target / role-level caveat as suspend_user —
            // confirm banUser() refuses to ban the actor or a higher-ranked user.
            $result = $rbac->banUser($userId, $reason, $currentUser['user_id'], $permanent);
            $message = $result ? 'User banned successfully' : 'Failed to ban user';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;

case 'reinstate_user':
    if (VSecurity::validateCSRFFromPost('admin_action')) {
        $userId = VSecurity::postParam('user_id', 'int');
        $reason = VSecurity::postParam('reason', 'string');
        $currentUser = $auth->getCurrentUser();
        if ($currentUser && $rbac->hasPermission('user.ban')) {
            $result = $rbac->reinstateUser($userId, $reason, $currentUser['user_id']);
            $message = $result ? 'User reinstated successfully' : 'Failed to reinstate user';
            $messageType = $result ? 'success' : 'error';
        } else {
            $message = 'Permission denied';
            $messageType = 'error';
        }
    } else {
        $message = 'Invalid CSRF token';
        $messageType = 'error';
    }
    break;
    }
}
// Display message
// NOTE(review): the HTML wrapper of this echo was lost in extraction. $message
// is only ever one of the fixed server-side literals assigned above, so it is
// safe to echo unescaped today; if it ever carries request or database
// content, htmlspecialchars() it first.
if ($message) {
    echo "
{$message}
";
}
// Check authentication status
$isAuthenticated = $auth->isAuthenticated();
$currentUser = $auth->getCurrentUser();
?>
Authentication Status: ✅ Authenticated as … / ❌ Not authenticated – Login here

๐Ÿ” Your Current Permissions

getUserPermissions($currentUser['user_id']); $allPermissions = VRBAC::PERMISSIONS; ?>
$description): ?>


🧪 Permission Testing

Test specific permissions with your current role:

hasPermission($permission); ?>

hasPermission('user.manage')): ?>

👥 User Management

Manage other users (requires the `user.manage` permission, which the role table below grants to ADMIN and above — not to MODERATOR):

dbConnection(); $sql = "SELECT user_id, username, email, role, status, created_at, last_login FROM db_users ORDER BY created_at DESC LIMIT 10"; $result = $db->Execute($sql); ?> EOF): ?> MoveNext(); ?>
User Role Status Last Login Actions
fields['username']) ?>
fields['email']) ?>
fields['role']) ?> fields['status']) ?> fields['last_login'] ? date('Y-m-d H:i', strtotime($result->fields['last_login'])) : 'Never' ?> fields['user_id'] != $currentUser['user_id']): ?> You

You need to be logged in to see RBAC features. Login here

📋 Role Hierarchy & Permissions

EasyStream uses a hierarchical role system in which each role inherits every permission of the roles below it (a MODERATOR, for example, also holds the PREMIUM, VERIFIED, MEMBER and GUEST permissions). A role check should therefore be read as "this role or higher"; confirm that `requireRole()` implements it that way rather than as an exact match:

Role Level Key Permissions Description
GUEST 0 content.view, comment.view Unregistered users - can only view content
MEMBER 10 content.create, comment.create, upload.basic Registered users - can create and interact
VERIFIED 20 content.publish, upload.document Email verified users - can publish content
PREMIUM 30 upload.large_files, feature.beta Premium subscribers - enhanced features
MODERATOR 40 content.moderate, comment.moderate Community moderators - can moderate content
ADMIN 50 admin.dashboard, user.manage, user.ban Site administrators - full management access
SUPERADMIN 60 admin.system, ALL PERMISSIONS Super administrators - complete system access

🔧 Middleware Examples

The RBAC system includes middleware for protecting routes and API endpoints:

PHP Middleware Usage:

// Require authentication
$middleware->requireAuth();

// Require specific role
// NOTE(review): the role table above says higher roles inherit from lower
// ones; confirm whether requireRole('admin') means "admin or higher" or an
// exact match before using it as a gate — a SUPERADMIN must not be locked out
// of admin pages by an exact-match check.
$middleware->requireRole('admin');

// Require specific permission
// Prefer permission checks over role checks for route protection: a
// permission can be granted or revoked per user (see grant_permission /
// revoke_permission above) without changing the role.
$middleware->requirePermission('content.moderate');

// Require multiple permissions (any)
// An array is satisfied when ANY one of the listed permissions is held. If
// all of them must hold, make separate calls (or use requireAll below).
$middleware->requirePermission(['content.edit', 'content.moderate']);

// Require content ownership
// Object-level check on a single record: $videoId is the id of the item being
// acted on and 'video' selects the content type. This complements, not
// replaces, the role/permission checks — an authenticated non-owner is denied.
$middleware->requireContentOwnership($videoId, 'video');

// Chain multiple middleware
// Each entry names a method on $middleware plus its positional params, and
// the checks are listed in the order they should run (auth before role before
// permission). Presumably requireAll stops at the first failing check —
// confirm before relying on later entries seeing an authenticated user.
$middleware->requireAll([
    ['method' => 'requireAuth'],
    ['method' => 'requireRole', 'params' => ['verified']],
    ['method' => 'requirePermission', 'params' => ['content.create']]
]);

// API middleware
// NOTE(review): presumably API callers get a status/JSON response rather than
// the redirect used for HTML pages — confirm, and make sure API routes do not
// accept the session cookie without a CSRF token.
$middleware->requireAPI(true); // Require auth for API

Example Protected Routes:

// Admin dashboard
// The require* helpers return false on denial and, per the comment below,
// issue the redirect themselves. The caller's `exit` is what actually stops
// the request: if it is omitted, PHP keeps executing and the protected page
// body is sent along with the redirect header. Always pair a failed check
// with exit/return, and run these checks before any output is emitted
// (headers cannot be sent after output has started).
if (!$middleware->requireRole('admin')) {
    exit; // Redirects to access denied
}

// Content creation
// Same pattern for a permission gate.
if (!$middleware->requirePermission('content.create')) {
    exit; // Handles access denial
}

// User management
// Gate the page on the permission, not on role names, so it matches the
// server-side checks in the admin POST handlers above.
if (!$middleware->requirePermission('user.manage')) {
    exit;
}

๐Ÿ›ก๏ธ Security Features