feat: RBAC permission system (admin/developer/user)

Backend:
- ProjectMember model for per-project user binding (owner/maintainer/viewer)
- ProjectMemberHandler with CRUD endpoints
- RoleRequired() middleware for flexible role checking
- User role validation expanded to admin/developer/user
- Project member routes registered in admin group

Frontend:
- permissions.ts: 3 roles + hasWriteAccess helper
- usePermission hook: isDeveloper flag, canWrite for developer+admin
- authStore: isDeveloper state
- Users.tsx: role dropdown with 3 options, color-coded tags
- i18n: developer role translations (en + zh)

Author: huangang

backend/cmd/server/routes.go

@@ -112,6 +112,13 @@ func registerRoutes(r *gin.Engine, svc *appServices) {
 			admin.PUT("/projects/:id", projectHandler.Update)
 			admin.DELETE("/projects/:id", projectHandler.Delete)
 
+			// Project Members
+			projectMemberHandler := handlers.NewProjectMemberHandler(models.GetDB())
+			admin.GET("/projects/:id/members", projectMemberHandler.List)
+			admin.POST("/projects/:id/members", projectMemberHandler.Add)
+			admin.PUT("/projects/:id/members/:memberID", projectMemberHandler.Update)
+			admin.DELETE("/projects/:id/members/:memberID", projectMemberHandler.Remove)
+
 			// Review Logs (write operations)
 			reviewLogHandler := handlers.NewReviewLogHandler(models.GetDB(), svc.openAICfg)
 			admin.POST("/review-logs/:id/retry", reviewLogHandler.Retry)

backend/internal/handlers/project_member.go

@@ -0,0 +1,161 @@
+package handlers
+
+import (
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/huangang/codesentry/backend/internal/models"
+	"github.com/huangang/codesentry/backend/pkg/response"
+	"gorm.io/gorm"
+)
+
+// ProjectMemberHandler provides CRUD endpoints for project members.
+type ProjectMemberHandler struct {
+	db *gorm.DB
+}
+
+func NewProjectMemberHandler(db *gorm.DB) *ProjectMemberHandler {
+	return &ProjectMemberHandler{db: db}
+}
+
+type AddMemberRequest struct {
+	UserID uint   `json:"user_id" binding:"required"`
+	Role   string `json:"role" binding:"required"` // owner, maintainer, viewer
+}
+
+type UpdateMemberRequest struct {
+	Role string `json:"role" binding:"required"`
+}
+
+// List returns all members of a project.
+func (h *ProjectMemberHandler) List(c *gin.Context) {
+	projectID, err := strconv.ParseUint(c.Param("id"), 10, 32)
+	if err != nil {
+		response.BadRequest(c, "invalid project id")
+		return
+	}
+
+	var members []models.ProjectMember
+	if err := h.db.Where("project_id = ?", projectID).
+		Preload("User").
+		Find(&members).Error; err != nil {
+		response.ServerError(c, err.Error())
+		return
+	}
+
+	response.Success(c, members)
+}
+
+// Add adds a user to a project with the specified role.
+func (h *ProjectMemberHandler) Add(c *gin.Context) {
+	projectID, err := strconv.ParseUint(c.Param("id"), 10, 32)
+	if err != nil {
+		response.BadRequest(c, "invalid project id")
+		return
+	}
+
+	var req AddMemberRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err.Error())
+		return
+	}
+
+	// Validate role
+	if req.Role != "owner" && req.Role != "maintainer" && req.Role != "viewer" {
+		response.BadRequest(c, "invalid role, must be 'owner', 'maintainer', or 'viewer'")
+		return
+	}
+
+	// Check project exists
+	var project models.Project
+	if err := h.db.First(&project, projectID).Error; err != nil {
+		response.NotFound(c, "project not found")
+		return
+	}
+
+	// Check user exists
+	var user models.User
+	if err := h.db.First(&user, req.UserID).Error; err != nil {
+		response.NotFound(c, "user not found")
+		return
+	}
+
+	// Check if member already exists
+	var existing models.ProjectMember
+	if err := h.db.Where("project_id = ? AND user_id = ?", projectID, req.UserID).First(&existing).Error; err == nil {
+		response.BadRequest(c, "user is already a member of this project")
+		return
+	}
+
+	member := models.ProjectMember{
+		ProjectID: uint(projectID),
+		UserID:    req.UserID,
+		Role:      req.Role,
+	}
+
+	if err := h.db.Create(&member).Error; err != nil {
+		response.ServerError(c, err.Error())
+		return
+	}
+
+	// Reload with user info
+	h.db.Preload("User").First(&member, member.ID)
+	response.Success(c, member)
+}
+
+// Update updates a member's role.
+func (h *ProjectMemberHandler) Update(c *gin.Context) {
+	memberID, err := strconv.ParseUint(c.Param("memberID"), 10, 32)
+	if err != nil {
+		response.BadRequest(c, "invalid member id")
+		return
+	}
+
+	var req UpdateMemberRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err.Error())
+		return
+	}
+
+	if req.Role != "owner" && req.Role != "maintainer" && req.Role != "viewer" {
+		response.BadRequest(c, "invalid role, must be 'owner', 'maintainer', or 'viewer'")
+		return
+	}
+
+	var member models.ProjectMember
+	if err := h.db.First(&member, memberID).Error; err != nil {
+		response.NotFound(c, "member not found")
+		return
+	}
+
+	member.Role = req.Role
+	if err := h.db.Save(&member).Error; err != nil {
+		response.ServerError(c, err.Error())
+		return
+	}
+
+	h.db.Preload("User").First(&member, member.ID)
+	response.Success(c, member)
+}
+
+// Remove removes a member from a project.
+func (h *ProjectMemberHandler) Remove(c *gin.Context) {
+	memberID, err := strconv.ParseUint(c.Param("memberID"), 10, 32)
+	if err != nil {
+		response.BadRequest(c, "invalid member id")
+		return
+	}
+
+	var member models.ProjectMember
+	if err := h.db.First(&member, memberID).Error; err != nil {
+		response.NotFound(c, "member not found")
+		return
+	}
+
+	if err := h.db.Delete(&member).Error; err != nil {
+		response.ServerError(c, err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "member removed"})
+}

backend/internal/handlers/user.go

@@ -91,8 +91,8 @@ func (h *UserHandler) Update(c *gin.Context) {
 
 	updates := make(map[string]interface{})
 	if req.Role != nil {
-		if *req.Role != "admin" && *req.Role != "user" {
-			response.BadRequest(c, "invalid role, must be 'admin' or 'user'")
+		if *req.Role != "admin" && *req.Role != "developer" && *req.Role != "user" {
+			response.BadRequest(c, "invalid role, must be 'admin', 'developer', or 'user'")
 			return
 		}
 		updates["role"] = *req.Role

backend/internal/middleware/auth.go

@@ -62,6 +62,29 @@ func AdminRequired() gin.HandlerFunc {
 	}
 }
 
+// RoleRequired is a middleware that checks if the user has one of the allowed roles.
+func RoleRequired(allowedRoles ...string) gin.HandlerFunc {
+	roleSet := make(map[string]bool, len(allowedRoles))
+	for _, r := range allowedRoles {
+		roleSet[r] = true
+	}
+	return func(c *gin.Context) {
+		role, exists := c.Get(ContextRole)
+		if !exists {
+			response.Forbidden(c, "access denied")
+			c.Abort()
+			return
+		}
+		roleStr, ok := role.(string)
+		if !ok || !roleSet[roleStr] {
+			response.Forbidden(c, "insufficient permissions")
+			c.Abort()
+			return
+		}
+		c.Next()
+	}
+}
+
 // GetUserID gets the current user ID from context
 func GetUserID(c *gin.Context) uint {
 	if id, exists := c.Get(ContextUserID); exists {

backend/internal/models/database.go

@@ -57,6 +57,7 @@ func AutoMigrate() error {
 		&ReviewTemplate{},
 		&ReviewFeedback{},
 		&AIUsageLog{},
+		&ProjectMember{},
 	)
 }
 

backend/internal/models/project_member.go

@@ -0,0 +1,22 @@
+package models
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// ProjectMember represents a user's membership and role within a project.
+type ProjectMember struct {
+	ID        uint           `gorm:"primaryKey" json:"id"`
+	ProjectID uint           `gorm:"uniqueIndex:idx_project_user;not null" json:"project_id"`
+	Project   *Project       `gorm:"foreignKey:ProjectID" json:"project,omitempty"`
+	UserID    uint           `gorm:"uniqueIndex:idx_project_user;not null" json:"user_id"`
+	User      *User          `gorm:"foreignKey:UserID" json:"user,omitempty"`
+	Role      string         `gorm:"size:50;default:viewer" json:"role"` // owner, maintainer, viewer
+	CreatedAt time.Time      `json:"created_at"`
+	UpdatedAt time.Time      `json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
+}
+
+func (ProjectMember) TableName() string { return "project_members" }

backend/internal/models/user.go

@@ -14,7 +14,7 @@ type User struct {
 	Email     string         `gorm:"size:255" json:"email"`
 	Nickname  string         `gorm:"size:100" json:"nickname"`
 	Avatar    string         `gorm:"size:500" json:"avatar"`
-	Role      string         `gorm:"size:50;default:user" json:"role"`       // admin, user
+	Role      string         `gorm:"size:50;default:user" json:"role"`       // admin, developer, user
 	AuthType  string         `gorm:"size:20;default:local" json:"auth_type"` // local, ldap
 	IsActive  bool           `gorm:"default:true" json:"is_active"`
 	LastLogin *time.Time     `json:"last_login"`

frontend/src/constants/permissions.ts

@@ -1,5 +1,6 @@
 export const ROLES = {
   ADMIN: 'admin',
+  DEVELOPER: 'developer',
   USER: 'user',
 } as const;
 
@@ -18,3 +19,8 @@ export const ADMIN_ONLY_ROUTES = [
 export const isAdminOnlyRoute = (path: string): boolean => {
   return ADMIN_ONLY_ROUTES.some(route => path.startsWith(route));
 };
+
+// Check if a role has write access (admin or developer)
+export const hasWriteAccess = (role: string): boolean => {
+  return role === ROLES.ADMIN || role === ROLES.DEVELOPER;
+};

frontend/src/hooks/usePermission.ts

@@ -1,9 +1,10 @@
 import { useMemo } from 'react';
 import { useAuthStore } from '../stores/authStore';
-import { ROLES, ADMIN_ONLY_ROUTES } from '../constants';
+import { ROLES, ADMIN_ONLY_ROUTES, hasWriteAccess } from '../constants';
 
 export interface UsePermissionReturn {
   isAdmin: boolean;
+  isDeveloper: boolean;
   canAccess: (route: string) => boolean;
   canWrite: boolean;
 }
@@ -12,6 +13,7 @@ export function usePermission(): UsePermissionReturn {
   const user = useAuthStore((state) => state.user);
 
   const isAdmin = useMemo(() => user?.role === ROLES.ADMIN, [user?.role]);
+  const isDeveloper = useMemo(() => user?.role === ROLES.DEVELOPER, [user?.role]);
 
   const canAccess = useMemo(() => {
     return (route: string): boolean => {
@@ -20,7 +22,7 @@ export function usePermission(): UsePermissionReturn {
     };
   }, [isAdmin]);
 
-  const canWrite = isAdmin;
+  const canWrite = useMemo(() => hasWriteAccess(user?.role || ''), [user?.role]);
 
-  return { isAdmin, canAccess, canWrite };
+  return { isAdmin, isDeveloper, canAccess, canWrite };
 }

frontend/src/i18n/locales/en.json

@@ -485,6 +485,8 @@
     "isActive": "Active",
     "lastLogin": "Last Login",
     "admin": "Admin",
+    "developer": "Developer",
+    "viewer": "Viewer",
     "user": "User",
     "local": "Local",
     "ldap": "LDAP",