Maleku System uses a Role-Based Access Control (RBAC) model to govern every action a user can perform on the platform. All users are assigned exactly one role — stored in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/IvanchoDev89/maleku-system/llms.txt
Use this file to discover all available pages before exploring further.
role column of the users table — chosen from six values defined in the UserRole enum: client, vendor, agent, customer_service, admin, and super_admin. Roles are not strictly hierarchical: agent and customer_service are lateral operational roles with narrowly scoped permissions, while super_admin has unconditional access to all resources. Permission checks are enforced via FastAPI dependency injection at the endpoint level using the require_role(), require_permission(), and require_verified_email() guards defined in app/core/security.py.
Roles
client
The default role assigned to every newly registered user. Clients can browse listings, search destinations, create bookings, cancel their own bookings, read blog and destination content, and leave reviews on completed stays or tours.
vendor
Vendors can create and manage their own listings (properties, tours, vehicles, boats, transportation), view their personal analytics dashboard, and receive payouts via Stripe Connect. They also inherit client-level read permissions for listings and content.
agent
A lateral operational role for travel agents. Agents can create, read, update, and cancel bookings on behalf of clients, and read properties, tours, and chat threads. Agents do not have vendor or admin capabilities.
customer_service
A narrow support role that can read and update bookings, cancel bookings, and participate in chat. Customer service staff have no access to listings, analytics, or administrative functions.
admin
Admins handle platform-wide operations: approving vendor accounts, moderating content (blog posts, destinations), viewing audit logs, exporting booking reports, and managing bookings across all vendors. Admins can read user records but cannot change roles or delete accounts.
super_admin
Super Admins have unconditional access to every endpoint on the platform. In addition to all admin capabilities, they can change user roles, permanently delete accounts, impersonate other users, access system settings, run compliance checks on vendors, and export any data set.
Vendors must be verified by a Super Admin before their listings appear publicly on the platform. The
is_verified flag on the Vendor model controls this gate. Until verification, listings are visible in the vendor’s own dashboard but are excluded from public search and listing pages.Permission Matrix
The table below summarises what each role can do across the main resource categories. Permission combinations are defined inDEFAULT_ROLE_PERMISSIONS inside app/core/security.py and can be customised per-role by a Super Admin via the role_permissions database table.
| Resource | client | vendor | agent | customer_service | admin | super_admin |
|---|---|---|---|---|---|---|
| Properties | Read | Create, Read, Update, Delete | Read | — | Read, Create, Update, Feature | Full + Delete |
| Tours | Read | Create, Read, Update, Delete | Read | — | Read, Create, Update | Full + Delete |
| Bookings | Create, Read, Cancel | Read, Update | Create, Read, Update, Cancel | Read, Update, Cancel | Read, Create, Update, Cancel, Export | Full + Refund |
| Content (CMS) | Read | Read, Create, Update | — | — | Full CRUD + publish | Full CRUD + publish + SEO |
| Chat | Read, Create | Read, Create | Read, Create | Read, Create | Read, Create | Full |
| User Management | — | — | — | — | Read | Create, Read, Update, Delete, Impersonate, Block, Export |
| Vendors | — | — | — | — | Read, Approve | Full + Suspend, Export |
| Analytics | — | — | — | — | Read, Reports | Read, Export, Reports |
| Audit Logs | — | — | — | — | Read (system.logs) | Full access + export |
| System Settings | — | — | — | — | — | Settings, Maintenance, Backup, Logs, Permissions |
Authentication Guards
All permission logic is enforced through three FastAPI dependency functions inapp/core/security.py:
require_role(*roles)
Checks that current_user.role is one of the provided roles. If not, a 403 Forbidden is raised with a detail message listing the required roles. Used directly on endpoints that need a hard role boundary:
require_superadmin()
A convenience wrapper around require_role(UserRole.SUPER_ADMIN). Used across all /api/v1/superadmin/ routes for consistent enforcement:
require_permission(module, action)
A finer-grained guard that checks whether the user’s role is allowed to perform action on module. It first queries the role_permissions table in the database — allowing a Super Admin to customise permissions at runtime — and falls back to DEFAULT_ROLE_PERMISSIONS if no database row exists. SUPER_ADMIN bypasses the check entirely:
require_verified_email()
Wraps get_current_active_user and additionally checks current_user.is_verified. Any request from an unverified user is rejected with 403 Forbidden and the message “Email verification required. Please verify your email before proceeding.” This guard is applied to all booking-creation endpoints.
JWT Token Lifecycle
Maleku System issues two tokens on every successful login, both signed with HS256 usingsettings.SECRET_KEY.
| Token Type | Payload type field | Default Expiry | Config Key |
|---|---|---|---|
| Access Token | access | 60 minutes | ACCESS_TOKEN_EXPIRE_MINUTES |
| Refresh Token | refresh | 7 days | REFRESH_TOKEN_EXPIRE_DAYS |
| Verification Token | verification | 24 hours | Hardcoded in create_verification_token() |
| Password Reset Token | password_reset | 1 hour | Hardcoded in create_password_reset_token() |
token_blacklist. Every incoming request goes through get_current_user(), which calls token_blacklist.is_blacklisted(token) before decoding. Additionally, token_blacklist.is_user_tokens_blacklisted() checks against the token’s iat claim to invalidate all tokens issued before the last password change.
Email Verification
Every new user account starts withis_verified = False. A time-limited verification token (24-hour expiry) is sent to the user’s email address via create_verification_token(). Until the user clicks the verification link:
- They can log in and browse public content.
- They cannot create bookings — the
require_verified_email()dependency blocks the attempt withHTTP 403.
is_verified flag lives on the User model:
is_verified to True via the PUT /api/v1/superadmin/users/{user_id} endpoint. Users created directly by a Super Admin are pre-verified (is_verified=True) and skip the email flow.