
@codeunia-dev codeunia-dev commented Nov 15, 2025

This pull request introduces role-based access control (RBAC) for companies, along with improvements to the invitation flow and access restrictions across key areas of the platform. These changes strengthen security, clarify permissions, and ensure a smoother onboarding flow for company teams.


✅ Key Features Added

🔐 1. Role-Based Access Control (RBAC) for Companies

  • Implemented company-level roles (Owner, Admin, Member).
  • Added permission checks for sensitive resources.
  • Ensured that only Owners/Admins have elevated privileges.

👥 2. Team Invite & Access Flow Enhancements

  • Improved logic for inviting team members to a company.
  • Added clear permission validation during invite acceptance.
  • Updated messaging to guide users through restricted actions.

🛂 3. Access Restrictions for Sensitive Routes

  • Restricted company profile editing to Owners/Admins only.
  • Updated subscription page access based on user roles.
  • Ensured views/actions are conditionally available depending on role.

🛠️ Code Changes

  • Refactored backend checks for role-based access.
  • Added helper utilities to validate company roles.
  • Updated subscription, dashboard, and profile components with RBAC-aware UI.
  • Improved error messages and permission error handling.
  • Cleaned up redundant checks and improved maintainability.

🔍 Why This Matters

These updates ensure:

  • Better security for company-related resources
  • Clearer governance over team actions and access
  • More reliable invite and onboarding experience
  • Fewer accidental privilege escalations

🧪 Testing

  • Verified role checks across dashboard, subscription, and profile pages.
  • Tested invite flow from creation → acceptance → role assignment.
  • Confirmed UI correctly hides or disables blocked actions.

🔗 Closing

This PR lays the foundation for a secure and scalable company management system, improving RBAC, invite flow, and resource protection.


Authored by: @akshay0611

Summary by CodeRabbit

  • New Features

    • Implemented role-based access control across the dashboard with permission-aware visibility of management actions
    • Admin-only buttons (Create Event, Create Hackathon, Edit Company Profile) now appear only for authorized users
    • User role now displays in the company sidebar next to the company name
  • UI/UX Improvements

    • Role-aware messaging: headers and descriptions adapt between management and view-only modes
    • Table action columns conditionally display edit/delete options based on user permissions
    • Delete confirmations include participant warnings for event management

…urces

- Add userRole extraction from useCompanyContext hook across all company dashboard pages
- Implement canManageEvents permission check based on user role (owner, admin, editor)
- Conditionally render "Create Event" button and link only for users with manage permissions
- Update event page descriptions to reflect user permissions (manage vs view-only)
- Hide action column in events table for users without management permissions
- Restrict event deletion, editing, and preview actions to authorized users
- Apply same role-based pattern to hackathons and team management pages
- Update empty state messaging based on user permissions and search context
- Enhance TeamManagement component with role-based visibility controls
- Improve CompanyDashboard with permission-aware feature access
…aging

- Update page metadata title to "Subscription" and refine description
- Replace hard redirect with conditional access control check for non-owners/admins
- Implement dynamic page heading based on user permissions (Management vs Information)
- Add conditional description text that reflects user's subscription access level
- Allow all authenticated members to view subscription information while restricting management capabilities to owners and admins
…and display role

Add conditional rendering for edit button based on user role and show user role in sidebar

vercel bot commented Nov 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project    Deployment   Preview   Comments   Updated (UTC)
codeunia   Ready        Preview   Comment    Nov 15, 2025 11:47am


coderabbitai bot commented Nov 15, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The changes introduce role-based access control (RBAC) across company dashboard pages and components. Permission flags—such as canManageEvents, canManageTeam, and canManageSubscription—are derived from userRole and conditionally gate action buttons, admin UI elements, and messaging throughout the interface. The useCompanyContext hook now exposes userRole for permission checks.

Changes

Cohort / File(s) and Summary

  • Events & Hackathons Management
    Files: app/dashboard/company/[slug]/events/page.tsx, app/dashboard/company/[slug]/hackathons/page.tsx
    Summary: Added canManageEvents derived from userRole to conditionally render Create button, Actions column, and admin actions (edit, delete with confirmation, view). Header and card descriptions now reflect management capability with role-aware messaging.
  • Company Settings Pages
    Files: app/dashboard/company/[slug]/subscription/page.tsx, app/dashboard/company/[slug]/team/page.tsx
    Summary: Added permission checks (canManageSubscription for owner/admin, canManageTeam for owner/admin) to conditionally render titles, descriptions, and feature-specific UI. Team page now defaults currentUserRole to 'viewer' instead of 'member'.
  • Company Dashboard Core
    Files: app/dashboard/company/[slug]/page.tsx
    Summary: Create Event button restricted to owner/admin/editor roles; Edit Company Profile button restricted to owner/admin roles only.
  • Dashboard Components
    Files: components/dashboard/CompanyDashboard.tsx, components/dashboard/CompanySidebar.tsx, components/dashboard/TeamManagement.tsx
    Summary: Added userRole extraction and permission-based rendering: CompanyDashboard conditionally shows action buttons, CompanySidebar prefixes company name with capitalized userRole, and TeamManagement displays role-aware descriptions.

Sequence Diagram

sequenceDiagram
    participant User as User
    participant Page as Dashboard Page
    participant Context as useCompanyContext
    participant UI as UI Elements

    User->>Page: Load company page
    Page->>Context: Extract userRole & currentCompany
    Context-->>Page: Return userRole, currentCompany
    
    alt userRole is owner/admin/editor
        Page->>UI: Render Create/Edit buttons
        Page->>UI: Show Actions column
        Page->>UI: Display admin messaging
    else userRole is member/viewer
        Page->>UI: Hide Create/Edit buttons
        Page->>UI: Hide Actions column
        Page->>UI: Display read-only messaging
    end
    
    UI-->>User: Render permission-gated UI

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Pattern repetition reduces complexity: The same RBAC logic (extract userRole, derive permission flag, conditionally render) is applied consistently across multiple files, making review more predictable.
  • Areas requiring attention:
    • Verify that permission checks align across events/page.tsx and hackathons/page.tsx (both use canManageEvents)
    • Ensure team/page.tsx's change from 'member' to 'viewer' as default currentUserRole doesn't unintentionally restrict existing functionality
    • Confirm subscription/page.tsx permission model (owner/admin only) matches intended access control policy
    • Check CompanySidebar.tsx userRole display doesn't introduce visual clutter or accessibility concerns with the "•" separator formatting

Possibly Related PRs

  • PR #313: Directly modifies app/dashboard/company/[slug]/events/page.tsx with the same userRole-derived permission flags and conditional UI patterns.
  • PR #323: Touches company events page deletion confirmation workflow and AlertDialog UI, overlapping with event management gating logic.
  • PR #314: Updates event edit links to use dynamic company slug in routing, related to events/page.tsx modifications.

Poem

🐰 A rabbit hops through dashboards new,
With roles and rules to filter through—
Managers create, while viewers observe,
Each permission flag gets what they deserve,
Role-based gating, clean and bright! ✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6fddaf3 and ec24f7a.

📒 Files selected for processing (8)
  • app/dashboard/company/[slug]/events/page.tsx (6 hunks)
  • app/dashboard/company/[slug]/hackathons/page.tsx (5 hunks)
  • app/dashboard/company/[slug]/page.tsx (2 hunks)
  • app/dashboard/company/[slug]/subscription/page.tsx (2 hunks)
  • app/dashboard/company/[slug]/team/page.tsx (1 hunks)
  • components/dashboard/CompanyDashboard.tsx (3 hunks)
  • components/dashboard/CompanySidebar.tsx (3 hunks)
  • components/dashboard/TeamManagement.tsx (1 hunks)

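The role-to-flag mapping the walkthrough above describes, written out as an added TypeScript example that is not the project's code. The role names (owner, admin, editor, member, viewer) and the flag names (canManageEvents, canManageTeam, canManageSubscription) are taken from the PR; the fail-closed default mirrors the team page's new 'viewer' default, and assertPermission is a hypothetical server-side guard that the page itself does not show.

```typescript
// Added example (not the project's code). The role names and flag names come
// from the PR walkthrough; the guard function at the end is hypothetical.
type CompanyRole = "owner" | "admin" | "editor" | "member" | "viewer";

interface CompanyPermissions {
  canManageEvents: boolean;       // events & hackathons pages: owner/admin/editor
  canManageTeam: boolean;         // team page: owner/admin
  canManageSubscription: boolean; // subscription page: owner/admin
  canEditCompanyProfile: boolean; // company dashboard: owner/admin
}

const KNOWN_ROLES: ReadonlySet<string> = new Set([
  "owner", "admin", "editor", "member", "viewer",
]);

// Fail closed: a value that is not a recognised role (undefined while the
// context is still loading, a typo, a stale string) is treated as "viewer",
// the same default the team page now uses instead of "member".
function normalizeRole(role: unknown): CompanyRole {
  return typeof role === "string" && KNOWN_ROLES.has(role)
    ? (role as CompanyRole)
    : "viewer";
}

// One place that encodes the role -> permission table, so events/page.tsx
// and hackathons/page.tsx cannot drift apart in what canManageEvents means.
function derivePermissions(role: unknown): CompanyPermissions {
  const r = normalizeRole(role);
  const ownerOrAdmin = r === "owner" || r === "admin";
  return {
    canManageEvents: ownerOrAdmin || r === "editor",
    canManageTeam: ownerOrAdmin,
    canManageSubscription: ownerOrAdmin,
    canEditCompanyProfile: ownerOrAdmin,
  };
}

// Hiding a button is a UX decision, not enforcement: the same table has to be
// checked again where the request is handled (route handler or server action),
// because the endpoint can be called without the button. Hypothetical guard:
function assertPermission(role: unknown, flag: keyof CompanyPermissions): void {
  if (!derivePermissions(role)[flag]) {
    throw new Error(`Forbidden: ${flag} requires a higher company role`);
  }
}
```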

@codeunia-dev codeunia-dev merged commit d5d4b01 into main Nov 15, 2025
3 of 4 checks passed