Permission Model

Global Capabilities

23 capabilities across two roles.

Capability	USER	ADMIN
`room:create`	Yes	Yes
`room:join`	Yes	Yes
`room:list`	Yes	Yes
`room:delete-own`	Yes	Yes
`room:delete-any`	No	Yes
`room:join-any`	No	Yes
`room:force-close`	No	Yes
`problem:view`	Yes	Yes
`problem:create`	No	Yes
`problem:edit`	No	Yes
`problem:delete`	No	Yes
`user:view-profile`	Yes	Yes
`user:edit-self`	Yes	Yes
`user:list`	No	Yes
`user:manage`	No	Yes
`user:ban`	No	Yes
`session:view-own`	Yes	Yes
`session:view-any`	No	Yes
`report:view-own`	Yes	Yes
`report:view-any`	No	Yes
`report:export`	No	Yes
`platform:view-analytics`	No	Yes
`platform:manage-settings`	No	Yes

Room Capabilities

20 capabilities across four room roles.

Capability	HOST	INTERVIEWER	CANDIDATE	SPECTATOR
`code:view`	Yes	Yes	Yes	Yes
`code:edit`	Yes	Yes	Yes	No
`code:run`	Yes	Yes	Yes	No
`code:submit`	Yes	Yes	Yes	No
`whiteboard:view`	Yes	Yes	Yes	Yes
`whiteboard:draw`	Yes	Yes	Yes	No
`media:audio`	Yes	Yes	Yes	No
`media:video`	Yes	Yes	Yes	No
`media:screenshare`	Yes	Yes	Yes	No
`chat:send`	Yes	Yes	Yes	Yes
`room:change-phase`	Yes	Yes	No	No
`room:select-problem`	Yes	Yes	No	No
`room:settings`	Yes	No	No	No
`participant:invite`	Yes	No	No	No
`participant:kick`	Yes	No	No	No
`participant:assign-role`	Yes	No	No	No
`recording:toggle`	Yes	Yes	No	No
`recording:replay`	Yes	Yes	Yes	Yes
`ai:request-hint`	Yes	Yes	Yes	No
`ai:request-review`	Yes	Yes	No	No

JWT Access Token Claims

{
  "sub": "userId",
  "email": "user@example.com",
  "username": "johndoe",
  "role": "user",
  "capabilities": ["room:create", "room:join", "room:list", "..."],
  "iat": 1709467200,
  "exp": 1709468100
}

The capabilities array contains resolved global capabilities. The frontend uses this array for all permission checks and never reads role directly.

Room-scoped capabilities are returned in room responses (myCapabilities), not in the JWT.

Permission Model

Global Capabilities#

Room Capabilities#

JWT Access Token Claims#

Global Capabilities

Room Capabilities

JWT Access Token Claims