Roles & Permissions
WPHammer uses a hierarchical role system to control what team members can do. Each member is assigned exactly one role per team, and roles determine access to team settings, server management, site operations, and member administration.
Role hierarchy
The TeamRole enum defines five roles, ordered from most to least privileged:
| Role | Level | Description |
|---|---|---|
| Owner | 4 | Full control over the team, including ownership transfer and deletion |
| Admin | 3 | Manages team settings, members, and all resources |
| Manager | 2 | Manages servers and sites but cannot modify team settings or members |
| Developer | 1 | Can manage sites and perform site-level operations |
| Viewer | 0 | Read-only access to team resources |
The isAtLeast(TeamRole $role) method compares these levels and returns true when the role it is called on sits at or above the given role, so a minimum-role requirement such as "Manager or higher" is a single call.
Permission matrix
Each role grants a specific set of capabilities:
| Permission | Owner | Admin | Manager | Developer | Viewer |
|---|---|---|---|---|---|
| View team resources | Yes | Yes | Yes | Yes | Yes |
| Manage sites | Yes | Yes | Yes | Yes | No |
| Manage servers | Yes | Yes | Yes | No | No |
| Manage team settings | Yes | Yes | No | No | No |
| Manage members | Yes | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No | No |
These permissions are implemented as methods on the TeamRole enum:
- canManageTeam(): Owner, Admin
- canManageServers(): Owner, Admin, Manager
- canManageSites(): Owner, Admin, Manager, Developer
- canManageMembers(): Owner, Admin
Role assignment
When inviting a new member, only certain roles can be assigned:
- Owner can assign: Admin, Manager, Developer, Viewer
- Admin can assign: Manager, Developer, Viewer
- Manager, Developer, Viewer cannot invite or assign roles
The Owner role cannot be assigned via invitation — it can only be transferred using the dedicated ownership transfer action.
Team policy
The TeamPolicy enforces authorization at the controller level:
| Policy method | Requirement |
|---|---|
| view | User has any role in the team |
| update | User can manage team (Owner/Admin) |
| manageForgeKey | User can manage team (Owner/Admin) |
| manageMembers | User can manage members (Owner/Admin) |
| manageAiConfig | User can manage team (Owner/Admin) |
| manageStorageProviders | User can manage team (Owner/Admin) |
| transferOwnership | User is the current Owner |
Server scoping
Beyond roles, members can be scoped to specific servers. A scoped member only sees and can act on sites belonging to their assigned servers; the role still decides which operations are allowed on those sites, so scoping can only narrow a role's access, never extend it. This is useful for limiting contractor or developer access to specific infrastructure.
The canAccessServer() and canAccessSite() methods on the User model combine the two checks: access is granted only when the role permits the operation and the target server lies within the member's scope.
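The rules from the Role hierarchy, Permission matrix, Role assignment and Server scoping sections above, as an added PHP example written for this page rather than taken from WPHammer's code. TeamRole, isAtLeast() and the canManage*() names come from the page; the string backing values, level(), assignableRoles(), canAssign(), the Membership stand-in (the page's canAccessServer() and canAccessSite() live on the User model) and check() are assumptions. Requires PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example modelled on this page, not WPHammer's own code. TeamRole,
// isAtLeast() and the canManage*() names come from the page; the backing values,
// level(), assignableRoles(), canAssign(), Membership and check() are assumptions.

enum TeamRole: string
{
    case Owner = 'owner';
    case Admin = 'admin';
    case Manager = 'manager';
    case Developer = 'developer';
    case Viewer = 'viewer';
    // Privilege level from the hierarchy table; higher is more privileged.
    public function level(): int
    {
        return match ($this) {
            self::Owner => 4,
            self::Admin => 3,
            self::Manager => 2,
            self::Developer => 1,
            self::Viewer => 0,
        };
    }

    // True when this role sits at or above $role in the hierarchy.
    public function isAtLeast(TeamRole $role): bool
    {
        return $this->level() >= $role->level();
    }

    // Permission matrix expressed as minimum-role checks.
    public function canManageTeam(): bool    { return $this->isAtLeast(self::Admin); }
    public function canManageMembers(): bool { return $this->isAtLeast(self::Admin); }
    public function canManageServers(): bool { return $this->isAtLeast(self::Manager); }
    public function canManageSites(): bool   { return $this->isAtLeast(self::Developer); }

    // Roles this role may grant by invitation: only member managers may invite,
    // Owner is never assignable by invitation, and only roles strictly below the
    // inviter's own may be granted.
    public function assignableRoles(): array
    {
        if (!$this->canManageMembers()) {
            return [];
        }
        return array_values(array_filter(
            self::cases(),
            fn (TeamRole $r) => $r !== self::Owner && $r->level() < $this->level(),
        ));
    }

    public function canAssign(TeamRole $role): bool
    {
        return in_array($role, $this->assignableRoles(), true);
    }
}

// Stand-in for the per-team membership record (the page puts canAccessServer()
// and canAccessSite() on the User model). A null $serverIds means unscoped.
final class Membership
{
    public function __construct(public readonly TeamRole $role,
                                public readonly ?array $serverIds = null) {}

    public function canAccessServer(int $serverId): bool
    {
        return $this->serverIds === null || in_array($serverId, $this->serverIds, true);
    }

    // A site is reached through its server, so site visibility follows server scope.
    public function canAccessSite(int $siteServerId): bool
    {
        return $this->canAccessServer($siteServerId);
    }

    // Acting on a site needs the role permission AND the scope: scoping can only
    // narrow what the role allows, never widen it.
    public function canManageSite(int $siteServerId): bool
    {
        return $this->role->canManageSites() && $this->canAccessSite($siteServerId);
    }
}

function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("failed: $what"); } }

// Invitation rules.
check(TeamRole::Admin->canAssign(TeamRole::Manager), 'admin may invite a manager');
check(!TeamRole::Admin->canAssign(TeamRole::Admin), 'admin may not invite a peer admin');
check(!TeamRole::Owner->canAssign(TeamRole::Owner), 'owner is transferred, never invited');
check(TeamRole::Manager->assignableRoles() === [], 'manager cannot invite');

// Scoping: a developer limited to server 7 cannot see sites on server 9, while an
// unscoped viewer sees server 9 but may not change anything there.
$dev = new Membership(TeamRole::Developer, [7]);
check($dev->canManageSite(7) && !$dev->canAccessSite(9), 'scope narrows the developer');
$viewer = new Membership(TeamRole::Viewer);
check($viewer->canAccessSite(9) && !$viewer->canManageSite(9), 'viewer is read-only');
```

Run it with `php example.php`; it exits silently when every check passes and throws on the first rule that is violated. The point to take from the scoping half is the conjunction in canManageSite(): a scope list is an extra filter on top of the role, which is why a scoped Developer on server 7 is denied even visibility of server 9, while an unscoped Viewer can see everything but change nothing.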
Related
- Members & Invitations — managing team membership
- Forge API Configuration — team-level API settings
- AI Configuration — AI provider access control