From 79f0218360e713ad552d2d8138cd744efc1687ca Mon Sep 17 00:00:00 2001 From: CREDO23 Date: Thu, 28 May 2026 00:30:40 +0200 Subject: [PATCH] rbac: surface automations permissions in the UI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backend already defined automations:create/read/update/delete/execute and seeded them on Owner/Editor/Viewer roles, but the Settings → Roles UI was missing the metadata to render them properly. - backend: add PERMISSION_DESCRIPTIONS entries for the 5 automations perms so the role editor stops falling back to "Permission for automations:create". - frontend: add automations to CATEGORY_CONFIG (Workflow icon, slotted between podcasts and connectors) so the role editor groups them as a real section. - frontend: extend the three ROLE_PRESETS — Editor and Contributor get create/read/update/execute (mirroring backend Editor); Viewer gets read. Prep work for the automations frontend; canPerform/usePermissionGate already handle the runtime gating, so no new hook is needed.
---
 surfsense_backend/app/routes/rbac_routes.py | 6 ++++++ .../components/settings/roles-manager.tsx | 16 ++++++++++++++++ 2 files changed, 22 insertions(+)
diff --git a/surfsense_backend/app/routes/rbac_routes.py b/surfsense_backend/app/routes/rbac_routes.py
index 38ae31269..3b91e456d 100644
--- a/surfsense_backend/app/routes/rbac_routes.py
+++ b/surfsense_backend/app/routes/rbac_routes.py
@@ -107,6 +107,12 @@ PERMISSION_DESCRIPTIONS = {
 "settings:view": "View search space settings",
 "settings:update": "Modify search space settings",
 "settings:delete": "Delete the entire search space",
+ # Automations
+ "automations:create": "Create automations from chat or JSON",
+ "automations:read": "View automations, their triggers, and run history",
+ "automations:update": "Edit automations and manage their triggers",
+ "automations:delete": "Remove automations from the search space",
+ "automations:execute": "Manually fire automations",
 # Full access
 "*": "Full access to all features and settings",
 }
diff --git a/surfsense_web/components/settings/roles-manager.tsx b/surfsense_web/components/settings/roles-manager.tsx
index 88595e748..5c034470d 100644
--- a/surfsense_web/components/settings/roles-manager.tsx
+++ b/surfsense_web/components/settings/roles-manager.tsx
@@ -23,6 +23,7 @@ import {
 Unplug,
 Users,
 Video,
+ Workflow,
 } from "lucide-react";
 import { useCallback, useEffect, useMemo, useState } from "react";
 import { toast } from "sonner";
@@ -126,6 +127,12 @@ const CATEGORY_CONFIG: Record<
 description: "Generate AI podcasts from content",
 order: 5,
 },
+ automations: {
+ label: "Automations",
+ icon: Workflow,
+ description: "Scheduled and event-driven agent tasks",
+ order: 5.5,
+ },
 connectors: {
 label: "Connectors",
 icon: Unplug,
@@ -200,6 +207,10 @@ const ROLE_PRESETS = {
 "podcasts:create",
 "podcasts:read",
 "podcasts:update",
+ "automations:create",
+ "automations:read",
+ "automations:update",
+ "automations:execute",
 "connectors:create",
 "connectors:read",
 "connectors:update",
@@ -220,6 +231,7 @@ const ROLE_PRESETS = {
 "comments:read",
 "llm_configs:read",
 "podcasts:read",
+ "automations:read",
 "connectors:read",
 "logs:read",
 "members:view",
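Review bot: The `automations:execute` description, "Manually fire automations", can lead an admin to believe that withholding it keeps a role from running automations, while the `automations:update` entry in the same hunk says that permission manages triggers. Going by these strings alone, a role holding create or update but not execute can presumably still cause runs through a schedule or event trigger; that is inferred from the descriptions, since the enforcement code is outside this diff. I would make the relationship explicit in the text the role editor shows, for example `"automations:update": "Edit automations and manage their triggers (triggers can run the automation without automations:execute)",`, once the actual gating of triggered runs has been checked against the backend.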
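Review bot: The automations entries added to the Editor preset in the `@@ -200,6 +207,10 @@` hunk are a hand-maintained copy of the backend role seed, and nothing in this patch ties the two lists together, so the role editor can drift into offering a permission set that differs from what the server seeds; the same applies to the `@@ -220,6 +231,7 @@` and `@@ -240,6 +252,10 @@` hunks. `automations:delete` is left out without a comment, which looks deliberate because the neighbouring podcasts and connectors entries also stop at update, but a later editor cannot tell that from the list itself. I would add `// Mirrors the backend Editor seed; automations:delete is intentionally excluded.` above the new lines. `ROLE_PRESETS` starts and ends outside the hunk, and whether the role-creation endpoint validates submitted permission strings server-side is not visible in this diff.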
@@ -240,6 +252,10 @@ const ROLE_PRESETS = {
 "comments:read",
 "llm_configs:read",
 "podcasts:read",
+ "automations:create",
+ "automations:read",
+ "automations:update",
+ "automations:execute",
 "connectors:read",
 "logs:read",
 "members:view",
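Review bot: The preset patched in this hunk (Contributor, going by the commit message) keeps `podcasts:read` and `connectors:read` read-only in the visible context yet gains `automations:create`, `automations:update` and `automations:execute`, so a role that cannot create a podcast or a connector can define and start agent tasks that run on a schedule or on events. The commit message lists only Owner, Editor and Viewer as backend-seeded roles, so this grant appears to be a frontend-only choice with no backend default to mirror. Unless Contributors are meant to author automations, I would start the preset at `"automations:read",` alone and let admins opt in to the rest; if the grant is intended, a comment saying which identity and data an automation runs with would help whoever reviews the role. The rest of the preset lies outside the hunk, so its other write permissions are not visible here.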