feat: implement RBAC

[vikaxsh]

Description

This PR introduces an initial implementation of Role-Based Access Control (RBAC) at the project level.

Currently, the system supports two basic roles:

• reader → read-only access (GET APIs)
• writer → read + write access (GET + POST/modify APIs)

The first signed-up user is automatically assigned as admin, who can:

• view users
• assign roles to project members

This is a foundational implementation and will be extended later to support more granular/custom roles and permissions.

Fixes #

---

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

---

How Has This Been Tested?

The RBAC flow was tested end-to-end using API calls:

Scenario A: Role Assignment by Admin

1. Admin user signs up (auto-assigned admin role)

2. Additional users are created via signup

3. Admin logs in and fetches all users

4. Admin assigns:

   • reader role to user A
   • writer role to user B

Scenario B: Reader Access

• Reader can:

  • GET project resources (✓)

• Reader cannot:

  • POST/create resources (403 ✗)
  • assign roles (403 ✗)

Scenario C: Writer Access

• Writer can:

  • GET project resources (✓)
  • POST/create resources (✓)

---

Example API Test Flow

# Step 1: Admin signs up (auto admin)
curl -c admin_cookies.txt -X POST http://localhost:8000/signup \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","email":"admin@olake.io","password":"Admin@123"}'

# Step 2–3: Create users
curl -X POST http://localhost:8000/signup \
  -H "Content-Type: application/json" \
  -d '{"username":"vikash","email":"vikash@olake.io","password":"Vikash@123"}'

curl -X POST http://localhost:8000/signup \
  -H "Content-Type: application/json" \
  -d '{"username":"rahul","email":"rahul@olake.io","password":"Rahul@123"}'

# Step 4: Admin login
curl -c admin_cookies.txt -X POST http://localhost:8000/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"Admin@123"}'

# Step 5: Fetch users
curl -b admin_cookies.txt http://localhost:8000/api/v1/users

# Step 6–7: Assign roles
curl -b admin_cookies.txt -X POST http://localhost:8000/api/v1/project/1/members \
  -H "Content-Type: application/json" \
  -d '{"user_id": 2, "role": "reader"}'

curl -b admin_cookies.txt -X POST http://localhost:8000/api/v1/project/1/members \
  -H "Content-Type: application/json" \
  -d '{"user_id": 3, "role": "writer"}'

# Step 8–11: Reader validation
curl -c vikash_cookies.txt -X POST http://localhost:8000/login \
  -H "Content-Type: application/json" \
  -d '{"username":"vikash","password":"Vikash@123"}'

curl -b vikash_cookies.txt http://localhost:8000/api/v1/project/1/sources

curl -b vikash_cookies.txt -X POST http://localhost:8000/api/v1/project/1/sources \
  -H "Content-Type: application/json" \
  -d '{"name":"test","type":"postgres","version":"v0.2.7","config":"{}"}'

# Step 12–13: Writer validation
curl -c rahul_cookies.txt -X POST http://localhost:8000/login \
  -H "Content-Type: application/json" \
  -d '{"username":"rahul","password":"Rahul@123"}'

curl -b rahul_cookies.txt -X POST http://localhost:8000/api/v1/project/1/sources \
  -H "Content-Type: application/json" \
  -d '{"name":"test-source","type":"postgres","version":"v0.2.7","config":"{\"host\":\"localhost\"}"}'

---

Screenshots or Recordings

N/A (tested via API calls)

---

Related PR's (If Any):

N/A