Global Capabilities#
23 capabilities across two roles.| Capability | USER | ADMIN |
|---|
room:create | Yes | Yes |
room:join | Yes | Yes |
room:list | Yes | Yes |
room:delete-own | Yes | Yes |
room:delete-any | No | Yes |
room:join-any | No | Yes |
room:force-close | No | Yes |
problem:view | Yes | Yes |
problem:create | No | Yes |
problem:edit | No | Yes |
problem:delete | No | Yes |
user:view-profile | Yes | Yes |
user:edit-self | Yes | Yes |
user:list | No | Yes |
user:manage | No | Yes |
user:ban | No | Yes |
session:view-own | Yes | Yes |
session:view-any | No | Yes |
report:view-own | Yes | Yes |
report:view-any | No | Yes |
report:export | No | Yes |
platform:view-analytics | No | Yes |
platform:manage-settings | No | Yes |
Room Capabilities#
Room capabilities come from participant role plus host ownership overrides.| Capability | INTERVIEWER | CANDIDATE | OBSERVER |
|---|
code:view | Yes | Yes | Yes |
code:edit | Yes | Yes | No |
code:run | Yes | Yes | No |
code:submit | Yes | Yes | No |
whiteboard:view | Yes | Yes | Yes |
whiteboard:draw | Yes | Yes | No |
media:audio | Yes | Yes | No |
media:video | Yes | Yes | No |
media:screenshare | Yes | Yes | No |
chat:send | Yes | Yes | Yes |
room:change-phase | Yes | No | No |
room:select-problem | No | No | No |
recording:toggle | No | No | No |
recording:replay | Yes | Yes | Yes |
ai:request-hint | Yes | Yes | No |
ai:request-review | Yes | No | No |
Host ownership adds these overrides regardless of participant role:Dynamic authorization rules:Room ownership is stored on rooms.hostId, not in the participant role enum.
Peer rooms allow exactly one active interviewer and one active candidate; all other active participants are observers.
AI rooms allow one active human candidate and any number of observers.
Stage transitions are allowed for the host or the current interviewer.
Participant reassignment and ownership transfer are host-only.
JWT Access Token Claims#
{
"sub": "userId",
"email": "user@example.com",
"username": "johndoe",
"role": "user",
"capabilities": ["room:create", "room:join", "room:list", "..."],
"iat": 1709467200,
"exp": 1709468100
}
capabilities array contains resolved global capabilities. The frontend uses this array for all permission checks and never reads role directly.Room-scoped capabilities are returned in room responses (myCapabilities), not in the JWT.Modified at 2026-04-09 21:41:14
