VVibeFlui

Action Permissions

Action permissions hide actions the current user cannot run.

VibeFlui permission checks are UI behavior only. The backend must still enforce authorization.

Action permission

TS
export const usersSchema = {
  resource: "users",
  actions: {
    delete: {
      enabled: true,
      label: "Delete",
      icon: "lucide:trash-2",
      variant: "danger",
      handler: "users.delete",
      permission: "users.canDelete",
      confirm: true
    }
  },
  registry: {
    permissionResolvers: ["users.canDelete"],
    actionHandlers: ["users.delete"]
  }
} as const;

Schema permission

TS
export const usersSchema = {
  resource: "users",
  permissions: {
    delete: "users.canDelete",
    approve: "users.canApprove"
  },
  actions: {
    row: [
      {
        key: "approve",
        label: "Approve",
        handler: "users.approve"
      }
    ]
  }
} as const;

Runtime registry

TS
import { createRegistry } from "@vibeflui/core";

export const registry = createRegistry({
  permissionResolvers: {
    "users.canDelete": ({ row, permissionContext }) => {
      const canDelete = permissionContext?.permissions?.includes("users:delete");
      return Boolean(canDelete && row?.role !== "owner");
    },
    "users.canApprove": ({ row }) => {
      return row?.status === "pending";
    }
  }
});

Permission context

TSX
<FluiKitProvider
  registry={registry}
  permissionContext={{
    roles: ["admin"],
    permissions: ["users:delete", "users:approve"],
    user: { id: "user_1" }
  }}
>
  <FluiKit schema={usersSchema} />
</FluiKitProvider>

Grant arrays

If no resolver exists, a permission array checks permissionContext.roles and permissionContext.permissions.

TS
{
  key: "export",
  label: "Export",
  permission: ["admin", "users:export"]
}