
Overview

PassTru implements a comprehensive role-based access control system that ensures the right people have the right level of access to your events and attendee data.

User Roles

PassTru supports four distinct roles, each with specific permissions and access levels:

Super Admin

Platform owner with full system access, client management, and pricing control.

Client

Organization owner who creates events, manages attendees, and controls event managers.

Event Manager

Assigned staff with limited access to specific events for check-in operations.

Attendee

End users with access to their personal portal and check-in functionality.

Role Implementation

Authentication & Authorization

PassTru uses a custom role guard component to gate routes and features in the browser. The guard is a usability layer: it redirects users whose role does not match the route. It is not a security boundary on its own, since anything enforced only in the client can be bypassed; the same decisions are enforced server-side by the edge functions and RLS policies described below.
src/components/RoleGuard.tsx
import type { ReactNode } from "react";
import { Navigate } from "react-router-dom";
import { useAuth } from "../hooks/useAuth";
// AppRole's actual home is not shown on this page; assumed to be exported by the auth hook.
import type { AppRole } from "../hooks/useAuth";

interface RoleGuardProps {
  children: ReactNode;
  allowedRoles: AppRole[];
  fallback?: string;
}

// Default fallback route is an assumption; the original left `fallback` optional
// but passed it to <Navigate> unchecked, which fails when it is omitted.
export function RoleGuard({ children, allowedRoles, fallback = "/" }: RoleGuardProps) {
  const { user, role, loading } = useAuth();

  // Wait for the session and role lookup to settle; redirecting while `loading`
  // is true would bounce signed-in users to /sign-in on every page reload.
  if (loading) return null;

  // Not signed in: send to the sign-in page.
  if (!user) return <Navigate to="/sign-in" replace />;

  // Signed in but no role row, or a role outside the allow-list: redirect to the fallback.
  if (!role || !allowedRoles.includes(role)) {
    return <Navigate to={fallback} replace />;
  }

  return <>{children}</>;
}

Role Data Fetching

User roles, profile and organization membership are fetched in parallel once the session is known. Only the user_roles query filters by user_id; the profiles and organizations queries return whatever rows RLS lets the calling user see, so those policies, not the client, decide which organization a user belongs to. Keeping roles in a dedicated user_roles table rather than in user-editable auth metadata means a user cannot grant themselves a role from the browser.
src/hooks/useAuth.tsx
// Runs inside useAuth once the session for `userId` is known; `supabase` is the app's client instance.
const [roleRes, profileRes, orgRes] = await Promise.all([
  // Filtered by user_id: this row decides `role` for RoleGuard.
  supabase.from("user_roles").select("role").eq("user_id", userId),
  // No client-side filter: RLS must limit these to the caller's own profile
  // and organization, otherwise every user would see every organization.
  supabase.from("profiles").select("full_name, avatar_url"),
  supabase.from("organizations").select("id, slug, name, logo_url"),
]);
// Each result is { data, error }; a failed query must not be treated as "no role".

Client Role Features

  • Create events with no cap on count (each creation consumes tokens)
  • Configure event details and attendee fields
  • Suspend or delete events
  • Access full event portal

Event Manager Role

Event Managers have restricted access designed for operational staff:

What Event Managers Can Do

  • Access only assigned events
  • View check-in management interface
  • Search and manually check in attendees
  • Send individual confirmation emails
  • Toggle check-in page activation

What Event Managers Cannot Do

  • View or edit attendee lists
  • Access event branding settings
  • Modify event details
  • Create or delete events
  • Access organization settings

Creating Event Managers

Clients create Event Manager accounts through the Team Management interface, which calls the create-event-manager edge function. The browser supplies organization_id and event_ids, so the edge function must re-derive the caller's role and organization from the session and confirm that every event belongs to that organization before creating anything; the values sent from the frontend are a convenience, not proof of authorization.
src/pages/client/EventManagerList.tsx
const { data, error } = await supabase.functions.invoke("create-event-manager", {
  body: {
    full_name: newName,
    email: newEmail,
    organization_id: organizationId, // from AuthContext; re-checked server-side
    event_ids: selectedEvents,       // must all belong to organizationId
  },
});
if (error) {
  // invoke() reports failures in `error` rather than throwing; surface them to the user.
  throw error;
}
Event Managers receive an automated login email upon account creation.

Organization Context

The authentication hook exposes the signed-in user, their role and their organization through a React context for the whole session:
import type { Session, User } from "@supabase/supabase-js";

type AuthContextType = {
  session: Session | null;
  user: User | null;
  role: AppRole | null;       // from user_roles; null until loaded or if the user has no role row
  loading: boolean;           // true until the parallel fetch above has settled; RoleGuard waits on it
  organizationId: string | null;
  organizationSlug: string | null;
  organizationName: string | null;
  organizationLogoUrl: string | null;
  profile: { full_name: string; avatar_url: string | null } | null;
};
This context drives:
  • Which organization's data the client requests
  • Correct branding display
  • Proper event routing
It is client-side state. The actual isolation between organizations is enforced by the RLS policies, which key on the caller's rows in the database rather than on anything held in this context.
For the Client role, the interface shows:
  • Full sidebar with all sections
  • Event Portal with all tabs (Dashboard, Attendees, Check-In, Branding)
  • Organization settings
  • Token purchase options
Event Managers see only the check-in interface for the events assigned to them, as described above.

Security Best Practices

Row-Level Security: every database query runs under the caller's Supabase session, and RLS policies scope rows by organization and role. This, not the frontend, is the boundary between organizations.
The role system layers its checks, from least to most authoritative:
  1. Frontend Guards: redirect users away from routes their role does not allow. This is a usability layer only; anything enforced solely in the browser can be bypassed.
  2. Backend Validation: edge functions such as create-event-manager re-derive the caller's role and organization from the session and verify the request before acting on it.
  3. Database Policies: RLS enforces data isolation on every table read or written with the user's session, including reads the frontend did not filter.
  4. Session Management: Supabase Auth issues the session tokens. Roles are read from the user_roles table rather than from user-editable auth metadata, so a user cannot escalate by editing their own profile.

Role Assignment

  • Super Admin: assigned manually in the database (a row in user_roles); there is no self-service path
  • Client: assigned automatically when an organization is created
  • Event Manager: created by a Client through the Team Management interface (the create-event-manager edge function)
  • Attendee: public role; the attendee portal does not require authentication
