ReservaFácil implements a tiered role-based access control (RBAC) system with three distinct roles. Every user account carries exactly one role, assigned at registration and changeable only by a SUPERADMIN. Each role inherits all permissions of the role below it, forming a clear permission hierarchy that governs what each user can see, create, modify, and delete across the platform.
Role Overview
USUARIO
The default role assigned to every new account. Can browse courts, create reservations, and manage their own bookings.
ADMIN
Staff role with full reservation management and court configuration access. Cannot manage user accounts or delete courts.
SUPERADMIN
Full system access. Manages users, roles, court lifecycle, and global reports. The highest privilege level in the system.
Permissions by Role
USUARIO
The base role granted to every self-registered account.

| Area | Allowed Actions |
|---|---|
| Courts | Browse all active courts, view court details |
| Reservations | Create new reservations, view their own reservations, cancel their own reservations with status PENDIENTE |
| Users | View and update their own profile |
| Reports | None |
ADMIN
Extends USUARIO with operational management capabilities.

| Area | Allowed Actions |
|---|---|
| Courts | All USUARIO actions + create courts, update court details and pricing |
| Reservations | All USUARIO actions + view all reservations across all users, confirm any reservation, cancel any reservation |
| Users | View and update their own profile |
| Reports | None |
SUPERADMIN
Full system control. Inherits every ADMIN permission and adds destructive and administrative operations.

| Area | Allowed Actions |
|---|---|
| Courts | All ADMIN actions + delete courts permanently |
| Reservations | All ADMIN actions + delete reservation records |
| Users | All ADMIN actions + view all user accounts, change user roles, activate/deactivate accounts, delete user accounts |
| Reports | Access global platform reports and analytics |
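The three permission tables above translate into a small set of authorization checks. The following TypeScript is an added example, not ReservaFácil's own code: it encodes the role hierarchy as a rank so that inheritance is automatic, and adds the object-level rules the tables state (a USUARIO may only cancel their own reservation, and only while it is PENDIENTE). Type names, the `usuarioId` and `estado` field names, and the helper names are assumptions.

```typescript
// Added example, not ReservaFácil's own code: the role hierarchy and the
// object-level rules from the permission tables, as pure functions.
// Type names, field names (usuarioId, estado) and helper names are assumptions.

type Role = "USUARIO" | "ADMIN" | "SUPERADMIN";

// Each role inherits everything from the role below it, so a numeric rank
// captures the hierarchy: ADMIN >= USUARIO, SUPERADMIN >= ADMIN.
const ROLE_RANK: Record<Role, number> = { USUARIO: 0, ADMIN: 1, SUPERADMIN: 2 };

function hasAtLeast(rol: Role, required: Role): boolean {
  return ROLE_RANK[rol] >= ROLE_RANK[required];
}

interface Actor { id: string; rol: Role; }

interface Reservation {
  id: string;
  usuarioId: string; // owner of the booking (assumed field name)
  estado: string;    // "PENDIENTE" is the only status value named in the docs
}

// Reservations: USUARIO sees and cancels only its own bookings, and cancels
// only while the booking is still PENDIENTE; ADMIN and above act on any booking.
function canViewReservation(actor: Actor, r: Reservation): boolean {
  return hasAtLeast(actor.rol, "ADMIN") || r.usuarioId === actor.id;
}

function canCancelReservation(actor: Actor, r: Reservation): boolean {
  if (hasAtLeast(actor.rol, "ADMIN")) return true;
  return r.usuarioId === actor.id && r.estado === "PENDIENTE";
}

function canConfirmReservation(actor: Actor): boolean {
  return hasAtLeast(actor.rol, "ADMIN");
}

// Deleting a reservation record is destructive and reserved for SUPERADMIN.
function canDeleteReservation(actor: Actor): boolean {
  return hasAtLeast(actor.rol, "SUPERADMIN");
}

// Courts: ADMIN creates and updates (details, pricing); only SUPERADMIN deletes.
function canManageCourt(actor: Actor): boolean {
  return hasAtLeast(actor.rol, "ADMIN");
}

function canDeleteCourt(actor: Actor): boolean {
  return hasAtLeast(actor.rol, "SUPERADMIN");
}

// Users: everyone may view their own account; only SUPERADMIN views others.
function canViewUserAccount(actor: Actor, targetUserId: string): boolean {
  return actor.id === targetUserId || hasAtLeast(actor.rol, "SUPERADMIN");
}

// Global reports are SUPERADMIN-only.
function canAccessReports(actor: Actor): boolean {
  return hasAtLeast(actor.rol, "SUPERADMIN");
}
```

The owner-and-status rule for cancellations cannot be expressed by route protection alone, so checks like `canCancelReservation` belong in the API handler that loads the reservation, evaluated on every request against the record from the database rather than against anything the client sends.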
Route Protection
The Next.js middleware in `middleware.ts` enforces role-based access on every request to a protected path. It uses a static map (`RUTAS_PROTEGIDAS`) that pairs each route prefix with the list of roles allowed to access it:
matcher):
- The middleware extracts the `token` cookie from the incoming request.
- It checks whether the current pathname starts with any key in `RUTAS_PROTEGIDAS`.
- If no matching route prefix is found, the request passes through unchanged.
- If the token is missing, the user is redirected to `/login`.
- If the token is present but invalid or expired, the `token` cookie is deleted and the user is redirected to `/login`.
- If the token is valid but the user’s role is not in the allowed list for that route, the user is redirected to their own role’s dashboard (not a 403 page).
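The decision sequence above can be written as a pure function and unit-tested without Next.js. The following TypeScript is an added example and not the project's `middleware.ts`: the contents of `RUTAS_PROTEGIDAS`, the `Session` shape, and the demo token lookup that stands in for real token validation are assumptions (the page does not describe the token format), and `decidirAcceso` is a name chosen here.

```typescript
// Added example, not the project's middleware.ts: the route-protection
// decision as a pure function. RUTAS_PROTEGIDAS contents, the Session shape
// and the demo token lookup are assumptions.

type Role = "USUARIO" | "ADMIN" | "SUPERADMIN";

// Route prefix -> roles allowed to access it (assumed values; the docs only
// state the shape of the map).
const RUTAS_PROTEGIDAS: Record<string, Role[]> = {
  "/dashboard": ["USUARIO", "ADMIN", "SUPERADMIN"],
  "/admin": ["ADMIN", "SUPERADMIN"],
  "/superadmin": ["SUPERADMIN"],
};

// Where each role lands after login or after a denied request.
const DASHBOARD_POR_ROL: Record<Role, string> = {
  USUARIO: "/dashboard",
  ADMIN: "/admin",
  SUPERADMIN: "/superadmin",
};

function getDashboardPorRol(rol: Role): string {
  return DASHBOARD_POR_ROL[rol];
}

interface Session { rol: Role; exp: number; } // exp: expiry as unix seconds

type Decision =
  | { kind: "next" }
  | { kind: "redirect"; to: string; clearToken: boolean };

// Constructed demo data standing in for real token validation.
const DEMO_SESSIONS: Record<string, Session> = {
  "tok-usuario": { rol: "USUARIO", exp: 2_000_000_000 },
  "tok-admin": { rol: "ADMIN", exp: 2_000_000_000 },
  "tok-vencido": { rol: "ADMIN", exp: 1_000_000_000 },
};

function verifyDemoToken(token: string): Session | null {
  return DEMO_SESSIONS[token] ?? null;
}

function decidirAcceso(
  pathname: string,
  token: string | undefined,
  nowSeconds: number,
  verify: (t: string) => Session | null = verifyDemoToken,
): Decision {
  // 1. Find a protected prefix the pathname starts with; none means pass through.
  const match = Object.entries(RUTAS_PROTEGIDAS).find(([prefix]) => pathname.startsWith(prefix));
  if (!match) return { kind: "next" };
  const [, rolesPermitidos] = match;

  // 2. No token at all: send to login; there is no cookie to clear.
  if (!token) return { kind: "redirect", to: "/login", clearToken: false };

  // 3. Token present but invalid or expired: clear the stale cookie, send to login.
  const session = verify(token);
  if (session === null || session.exp <= nowSeconds) {
    return { kind: "redirect", to: "/login", clearToken: true };
  }

  // 4. Valid token but role not allowed here: redirect to the user's own
  //    dashboard rather than returning a 403.
  if (!rolesPermitidos.includes(session.rol)) {
    return { kind: "redirect", to: getDashboardPorRol(session.rol), clearToken: false };
  }
  return { kind: "next" };
}
```

Inside the real middleware the `Decision` would be mapped onto Next.js responses: `NextResponse.next()` for `next`, `NextResponse.redirect(new URL(to, request.url))` for a redirect, and `response.cookies.delete("token")` on that redirect when `clearToken` is set. Because matching is prefix-based, any path not covered by a key in `RUTAS_PROTEGIDAS` is not protected by the middleware at all, so page and API handlers still need their own server-side role checks.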
Role-Based Dashboard Redirect
When a user visits a route they are not authorised for, the middleware calls `getDashboardPorRol` to determine the correct redirect destination rather than showing an error:
| Role | Post-Login Destination |
|---|---|
| USUARIO | /dashboard |
| ADMIN | /admin |
| SUPERADMIN | /superadmin |
Changing a User’s Role
Only a SUPERADMIN can change the role of another user. This is done via a `PATCH` request to the user management endpoint:
rol value:
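As an added example of how the server side of this endpoint can enforce the rule (not the project's own handler), the function below re-checks that the caller is a SUPERADMIN even though the middleware already gates the route, validates that the submitted `rol` is one of the three defined roles, ignores every other field in the body, and records the change in an audit list. The request body shape, the in-memory user store, the `AuditEntry` record and the function names are assumptions.

```typescript
// Added example, not the project's endpoint: server-side handling of the
// PATCH role change. Body shape, the in-memory store, the audit record and
// the function names are assumptions.

type Role = "USUARIO" | "ADMIN" | "SUPERADMIN";
const ROLES: readonly Role[] = ["USUARIO", "ADMIN", "SUPERADMIN"];

interface User { id: string; rol: Role; activo: boolean; }
interface Result { status: number; body: Record<string, unknown>; }
interface AuditEntry { actorId: string; targetId: string; from: Role; to: Role; }

function isRole(value: unknown): value is Role {
  return typeof value === "string" && (ROLES as readonly string[]).includes(value);
}

function patchUserRole(
  actor: User,
  targetId: string,
  body: unknown,
  users: Map<string, User>,
  audit: AuditEntry[],
): Result {
  // The middleware already gates the route, but the handler re-checks the
  // caller's role so the rule holds regardless of how the endpoint is reached.
  if (actor.rol !== "SUPERADMIN") {
    return { status: 403, body: { error: "Only SUPERADMIN can change roles" } };
  }

  // Accept only { rol: <one of the three roles> }. Every other field in the
  // body is ignored, so this endpoint cannot be used to flip `activo` or any
  // other attribute.
  const rol = typeof body === "object" && body !== null ? (body as { rol?: unknown }).rol : undefined;
  if (!isRole(rol)) {
    return { status: 400, body: { error: "rol must be USUARIO, ADMIN or SUPERADMIN" } };
  }

  const target = users.get(targetId);
  if (!target) {
    return { status: 404, body: { error: "User not found" } };
  }

  // Apply and audit only when something actually changes.
  if (target.rol !== rol) {
    users.set(targetId, { ...target, rol });
    audit.push({ actorId: actor.id, targetId, from: target.rol, to: rol });
  }
  return { status: 200, body: { id: targetId, rol } };
}
```

The audit entry is the piece a reviewer usually asks for on a role-change endpoint: who changed whose role, from what, to what. Since a role change is also a privilege grant, the actor's identity should come from the verified session, never from the request body.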