{#
Unified permissions landing page — rendered at /admin/permissions in every
consumer app that has HAS_PERMISSION_ADMIN = True. Replaces the old 404 and
gives every app a visually consistent entry point into its capability matrix.
Expected context:
app_display_name : str — "Digi", "Beany", "Grind"
auth_roles_url : str — deep link to Auth role admin, e.g.
https://auth.coffeehouse.tools/admin/apps/digi/roles
dimensions : list[dict] — one card per capability dimension:
{
"name": "Permissions", # human label
"description": "...", # optional, shown under name
"dept_url": "/admin/department-permissions",
"role_url": "/admin/role-permissions",
"simulate_url": "/admin/simulate-permissions",
}
stale_roles : list[str] — optional orphan slugs (banner rendered if any)
cleanup_url : str — POST target for "Clean up" button
csrf_token : str — CSRF token for the cleanup form
#}
{% extends "base.html" %}
{% block title %}Permissions · {{ app_display_name }}{% endblock %}
{% block content %}
{% with page_title="Permissions",
page_actions='Manage roles in Auth →' %}
{% include "components/page_header.html" %}
{% endwith %}
{% set flashes = pop_flashes(request) if pop_flashes is defined else [] %}
{% if flashes %}
{% with flash_messages=flashes %}
{% include "components/flash.html" %}
{% endwith %}
{% endif %}
{% if stale_roles %}
{% with stale_role_slugs=stale_roles, cleanup_url=cleanup_url, csrf_token=csrf_token %}
{% include "components/stale_roles_banner.html" %}
{% endwith %}
{% endif %}
Capabilities this app offers, grouped by dimension.
Department baselines apply to everyone in a department; role grants/revokes layer on top.
Use Auth
to create or edit roles themselves.