Roles & Permissions
Adonis EOS uses a file-based Role-Based Access Control (RBAC) system for granular permissions management.
Default Roles
Administrator
Role: admin
Access: Full system access
Administrators can:
✅ Access all admin sections
✅ Manage users and roles
✅ Configure system settings
✅ Export/import database
✅ Publish and delete any content
✅ Override all restrictions
Editor Admin
Role: editor_admin
Access: Content management + publishing
Editor Admins can:
✅ Create, edit, publish content
✅ Approve reviews and AI reviews
✅ Manage media, menus, forms
✅ Configure AI agents
✅ Access activity logs
❌ Manage users or system settings
❌ Export/import database
Perfect for content managers who need publishing power.
Editor
Role: editor
Access: Content creation and editing
Editors can:
✅ Create and edit content
✅ Save drafts for review
✅ Save for AI review
✅ Manage media uploads
✅ Edit menus and forms
❌ Publish content
❌ Approve reviews
❌ Manage users
Ideal for content creators who need review before publishing.
Translator
Role: translator
Access: Translation-focused, read-mostly
Translators can:
✅ View all content
✅ Edit translatable fields
✅ Save drafts for review
✅ View media library
❌ Upload or delete media
❌ Publish content
❌ Edit non-translatable settings
Designed for translation teams.
Permission System
Permission Keys
Permissions follow a hierarchical naming pattern:
{section}.{action}
Examples:
- posts.create
- posts.edit
- posts.publish
- posts.delete
- media.upload
- media.delete
- admin.settings.view
- admin.settings.update
Granular Permissions
Content Permissions
- posts.create - Create new posts
- posts.edit - Edit existing posts
- posts.view - View posts (own or all)
- posts.publish - Publish posts
- posts.delete - Delete posts
- posts.review.save - Save to review mode
- posts.review.approve - Approve review changes
- posts.ai-review.save - Save for AI review
- posts.ai-review.approve - Approve AI review changes
Media Permissions
- media.upload - Upload new media
- media.view - View media library
- media.edit - Edit media metadata
- media.replace - Replace media files
- media.delete - Delete media
Admin Permissions
- admin.access - Access admin panel
- admin.users.manage - User management
- admin.settings.view - View settings
- admin.settings.update - Update settings
- admin.database.export - Export database
- admin.database.import - Import database
Creating Custom Roles
1. Generate Role File
node ace make:role content_manager
Creates app/roles/content_manager.ts
2. Define Permissions
import type { RoleDefinition } from '#types/role_types'

const contentManagerRole: RoleDefinition = {
  name: 'content_manager',
  label: 'Content Manager',
  description: 'Manages content with publishing rights',
  permissions: [
    // Content
    'posts.create',
    'posts.edit',
    'posts.view',
    'posts.publish',
    'posts.delete',
    'posts.review.approve',
    // Media
    'media.upload',
    'media.view',
    'media.edit',
    'media.delete',
    // Menus & Forms
    'menus.view',
    'menus.edit',
    'forms.view',
    'forms.edit',
    // Admin access
    'admin.access',
  ],
}

export default contentManagerRole
3. Role Automatically Registered
The role is automatically registered on server startup from start/roles.ts.
4. Assign to Users
In the admin panel:
- Go to /admin/users
- Edit a user
- Select the new role from the dropdown
- Save
Checking Permissions
Backend (Controllers)
import roleRegistry from '#services/role_registry'
import authorizationService from '#services/authorization_service'

// Direct permission check
if (!roleRegistry.hasPermission(user.role, 'posts.publish')) {
  return response.forbidden({ error: 'Cannot publish posts' })
}

// Via authorization service
if (!authorizationService.canPublish(user)) {
  return response.forbidden({ error: 'Cannot publish' })
}
Frontend (React)
import { useHasPermission } from '~/utils/permissions'

function PostEditor() {
  const canPublish = useHasPermission('posts.publish')
  const canDelete = useHasPermission('posts.delete')

  return (
    <>
      {canPublish && <button>Publish</button>}
      {canDelete && <button>Delete</button>}
    </>
  )
}
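The registry, direct permission check and service-style method described in the Permission System, Creating Custom Roles and Checking Permissions sections, as an added TypeScript example. This is not Adonis EOS's own code and the class and function names (RoleRegistry, buildRegistry, canPublish, publishPost) are assumptions, not the project's '#services/role_registry' API. The PERMISSION_CATALOGUE is built from the keys listed on this page plus the menus.* and forms.* keys used by the content_manager role file; the editor role's permission list is assumed from the Editor capability summary.

```typescript
// Added example (not Adonis EOS code). Models the RoleDefinition shape from
// the role file above, a hasPermission() check, and a canPublish-style
// service method. All names here are assumptions for illustration.

interface RoleDefinition {
  name: string
  label: string
  description: string
  permissions: string[]
}

interface User {
  id: number
  role: string
}

// {section}.{action} keys documented on this page, plus the menus.* and
// forms.* keys the content_manager role file uses. A role file naming a key
// outside this list is rejected at registration, so a misspelled key becomes
// a startup error instead of a permission check that silently fails.
const PERMISSION_CATALOGUE: string[] = [
  'posts.create', 'posts.edit', 'posts.view', 'posts.publish', 'posts.delete',
  'posts.review.save', 'posts.review.approve',
  'posts.ai-review.save', 'posts.ai-review.approve',
  'media.upload', 'media.view', 'media.edit', 'media.replace', 'media.delete',
  'menus.view', 'menus.edit', 'forms.view', 'forms.edit',
  'admin.access', 'admin.users.manage',
  'admin.settings.view', 'admin.settings.update',
  'admin.database.export', 'admin.database.import',
]

class RoleRegistry {
  private readonly roles: { [name: string]: RoleDefinition } = {}

  register(role: RoleDefinition): void {
    if (Object.prototype.hasOwnProperty.call(this.roles, role.name)) {
      throw new Error(`duplicate role: ${role.name}`)
    }
    for (const key of role.permissions) {
      if (PERMISSION_CATALOGUE.indexOf(key) === -1) {
        throw new Error(`role '${role.name}': unknown permission key '${key}'`)
      }
    }
    this.roles[role.name] = {
      name: role.name,
      label: role.label,
      description: role.description,
      permissions: role.permissions.slice(),
    }
  }

  // Unknown role names deny everything, so a user row carrying a stale or
  // misspelled role cannot inherit permissions by accident. The own-property
  // check also stops names such as 'constructor' resolving to a prototype slot.
  hasPermission(roleName: string, permission: string): boolean {
    if (!Object.prototype.hasOwnProperty.call(this.roles, roleName)) return false
    return this.roles[roleName].permissions.indexOf(permission) !== -1
  }

  // Which roles hold a permission: the listing a periodic audit of who can
  // publish or delete starts from.
  rolesWith(permission: string): string[] {
    return Object.keys(this.roles).filter(
      (name) => this.roles[name].permissions.indexOf(permission) !== -1
    )
  }
}

// Two roles from this page: the built-in editor (permission list assumed from
// its capability summary) and the custom content_manager role file.
function buildRegistry(): RoleRegistry {
  const registry = new RoleRegistry()
  registry.register({
    name: 'editor',
    label: 'Editor',
    description: 'Content creation and editing',
    permissions: ['posts.create', 'posts.edit', 'posts.view', 'posts.review.save',
      'posts.ai-review.save', 'media.upload', 'media.view',
      'menus.view', 'menus.edit', 'forms.view', 'forms.edit', 'admin.access'],
  })
  registry.register({
    name: 'content_manager',
    label: 'Content Manager',
    description: 'Manages content with publishing rights',
    permissions: ['posts.create', 'posts.edit', 'posts.view', 'posts.publish',
      'posts.delete', 'posts.review.approve', 'media.upload', 'media.view',
      'media.edit', 'media.delete', 'menus.view', 'menus.edit',
      'forms.view', 'forms.edit', 'admin.access'],
  })
  return registry
}

// Service-style helper in the spirit of authorizationService.canPublish(user).
function canPublish(registry: RoleRegistry, user: User): boolean {
  return registry.hasPermission(user.role, 'posts.publish')
}

// Controller-style handler. The check lives here, on the server: hiding the
// Publish button in React only tidies the UI and enforces nothing.
function publishPost(registry: RoleRegistry, user: User): { status: number; error?: string } {
  if (!canPublish(registry, user)) {
    return { status: 403, error: 'Cannot publish posts' }
  }
  return { status: 200 }
}
```

With this shape, `buildRegistry()` fails fast at startup if a role file contains a key such as `posts.publsh`, and `rolesWith('posts.publish')` gives the audit list the Best Practices section asks for.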
Workflow Examples
Review Workflow
Editor creates content
Editor clicks "Save for Review"
Editor Admin reviews changes
Editor Admin clicks "Approve Review"
Content is published
AI Review Workflow
Editor creates content
AI Agent suggests improvements
Changes saved to "AI Review" mode
Editor Admin reviews AI suggestions
Editor Admin approves or rejects
Translation Workflow
Editor creates content in English
Translator views English version
Translator edits translatable fields
Translator saves draft for review
Editor Admin approves and publishes
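The three workflows above, as an added TypeScript example that is not Adonis EOS's own code: a guarded state machine in which every transition names the permission it requires, so the rule is enforced the same way whether the request comes from the editor UI, an API client or an AI agent's suggestion. The state names, event names, and the per-role permission lists (editor, editor_admin, translator) are assumptions derived from the capability summaries on this page; the approved AI-review transition is modelled as returning the post to draft, since the page only says the suggestions are approved or rejected.

```typescript
// Added example (not Adonis EOS code): the review, AI review and translation
// workflows as a guarded state machine. States, events and role permission
// lists are assumptions drawn from this page's capability summaries.

type PostState = 'draft' | 'in_review' | 'ai_review' | 'published'

interface Transition {
  event: string
  from: PostState
  to: PostState
  permission: string
}

// Each transition carries the permission key it needs.
const TRANSITIONS: Transition[] = [
  { event: 'save_for_review', from: 'draft', to: 'in_review', permission: 'posts.review.save' },
  { event: 'save_for_ai_review', from: 'draft', to: 'ai_review', permission: 'posts.ai-review.save' },
  { event: 'approve_review', from: 'in_review', to: 'published', permission: 'posts.review.approve' },
  { event: 'reject_review', from: 'in_review', to: 'draft', permission: 'posts.review.approve' },
  // Approving AI suggestions merges them into the draft (assumption); publishing is a separate step.
  { event: 'approve_ai_review', from: 'ai_review', to: 'draft', permission: 'posts.ai-review.approve' },
  { event: 'reject_ai_review', from: 'ai_review', to: 'draft', permission: 'posts.ai-review.approve' },
  { event: 'publish', from: 'draft', to: 'published', permission: 'posts.publish' },
]

// Assumed from the page: editors and translators can save for review but not
// publish or approve; editor admins can do both.
const ROLE_PERMISSIONS: { [role: string]: string[] } = {
  editor: ['posts.create', 'posts.edit', 'posts.view', 'posts.review.save', 'posts.ai-review.save'],
  editor_admin: ['posts.create', 'posts.edit', 'posts.view', 'posts.publish', 'posts.review.save',
    'posts.review.approve', 'posts.ai-review.save', 'posts.ai-review.approve'],
  translator: ['posts.view', 'posts.review.save'],
}

interface Post { id: number; state: PostState }
interface Actor { role: string }
interface Outcome { ok: boolean; state: PostState; reason?: string }

function hasPermission(actor: Actor, permission: string): boolean {
  // Unknown roles get an empty list; own-property lookup avoids prototype slots.
  const perms = Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, actor.role)
    ? ROLE_PERMISSIONS[actor.role]
    : []
  return perms.indexOf(permission) !== -1
}

// Applies an event to a post. A missing transition and a missing permission
// are both refusals; the post's state is only changed on success.
function applyEvent(post: Post, event: string, actor: Actor): Outcome {
  const t: Transition | undefined = TRANSITIONS.filter(
    (x) => x.event === event && x.from === post.state
  )[0]
  if (t === undefined) {
    return { ok: false, state: post.state, reason: `no transition '${event}' from state '${post.state}'` }
  }
  if (!hasPermission(actor, t.permission)) {
    return { ok: false, state: post.state, reason: `role '${actor.role}' lacks ${t.permission}` }
  }
  post.state = t.to
  return { ok: true, state: post.state }
}

// The Review Workflow from the page, end to end, with one refused attempt in
// the middle. Returns the state after each step.
function runReviewWorkflow(): PostState[] {
  const post: Post = { id: 1, state: 'draft' }
  const editor: Actor = { role: 'editor' }
  const admin: Actor = { role: 'editor_admin' }
  const trail: PostState[] = [post.state]
  applyEvent(post, 'save_for_review', editor)   // editor clicks "Save for Review"
  trail.push(post.state)
  applyEvent(post, 'approve_review', editor)    // refused: editors cannot approve
  trail.push(post.state)
  applyEvent(post, 'approve_review', admin)     // editor admin approves, content is published
  trail.push(post.state)
  return trail
}
```

Because the permission is attached to the transition rather than to the button that triggers it, an editor calling the approve endpoint directly is refused exactly as the UI would have hidden it, and a translator's draft follows the same path through `save_for_review` without ever being able to `publish`.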
Best Practices
Security
Principle of least privilege - Only grant needed permissions
Regular audits - Review user roles periodically
Use service methods - Don't bypass permission checks
Test thoroughly - Verify restrictions work as expected
Organization
Clear role names - Use descriptive labels
Document roles - Explain intended use case
Consistent naming - Follow permission key patterns
Group permissions - Organize by feature area
Troubleshooting
Issue: User can't access admin
Solution: Ensure the role has the admin.access permission
Issue: Editor can publish (shouldn't)
Solution: Remove posts.publish from the editor role definition
Issue: Custom role not appearing
Solution: Restart server to register new role files
Issue: Permission check failing unexpectedly
Solution: Check exact permission key spelling and role name
Activity Logging
All actions are logged with user and role information:
View logs at /admin/activity (admin only)
Logged events:
Content created, updated, published, deleted
Media uploaded, replaced, deleted
Settings changed
Users added, removed, role changed