refactor(rbac): Remove user create/delete permissions from admin role

fulleni · fulleni · commit f2849cae4d09 · 2025-11-01T07:06:23.000+01:00
Removed `Permissions.userCreate` and `Permissions.userDelete` from the `_dashboardAdminPermissions` set. This change enforces the rule that administrators can only update users through the generic data API, while creation and deletion are handled exclusively by the authentication service.
diff --git a/lib/src/rbac/role_permissions.dart b/lib/src/rbac/role_permissions.dart
@@ -68,11 +68,12 @@ final Set<String> _dashboardAdminPermissions = {
   Permissions.languageCreate,
   Permissions.languageUpdate,
   Permissions.languageDelete,
-  Permissions.userRead, // Allows reading any user's profile.
-  // Allow full user account management for admins.
-  Permissions.userCreate,
+  // Allows reading any user's profile.
+  Permissions.userRead,
+  // Allows updating any user's profile (e.g., changing their roles).
+  // User creation and deletion are handled by the auth service, not the
+  // generic data API.
   Permissions.userUpdate,
-  Permissions.userDelete,
   Permissions.remoteConfigCreate,
   Permissions.remoteConfigUpdate,
   Permissions.remoteConfigDelete,
