Google Drive RBAC

Two RBAC layers: Wevion in-app (getVisibleSessionIds(db, callerId, callerRole) — super_admin/admin see all, owner sees self+team, others see own) + Drive permissions API (external folder sharing, writer).

Written By Salvatore Sinigaglia

Last updated About 4 hours ago

Two RBAC layers: Wevion in-app (getVisibleSessionIds(db, callerId, callerRole) — super_admin/admin see all, owner sees self+team, others see own) + Drive permissions API (external folder sharing, writer).

Google Drive RBAC

Wevion enforces two layers of RBAC for Creative Hub files: 1) Wevion in-app visibility via creative-hub.helpers.ts getVisibleSessionIds(db, callerId, callerRole) (super_admin / admin see all users; owner sees self + their team; every other role sees only their own), and 2) Google Drive permissions for external sharing via the Drive permissions API (role='writer', type='user', folder-level). Both layers are active simultaneously and serve different purposes.

Who is this for

Admins designing team folder structures. Owners auditing who has access to what. Anyone confused about why a teammate can see a file in Wevion but not open it in Drive (or vice versa).

The two layers

Layer 1: Wevion in-app RBAC

Implemented in apps/backend/src/services/creative-hub/creative-hub.helpers.ts:

  • getVisibleSessionIds(db, callerId, callerRole) — returns the list of session IDs whose Creative Hub the current user can access
  • Listing endpoints filter by these visible session IDs
RoleVisibility within Wevion
super_adminAll users' folders + files
adminAll users' folders + files
ownerOwn + their team members' folders
managerOwn folder only
mediabuyerOwn folder only
financeOwn folder only
viewerOwn folder only

There is no canViewTeam flag — the role decides visibility directly. The Members switcher appears for roles that can see more than their own folder (super_admin / admin / owner).

Layer 2: Google Drive permissions

Implemented via the Drive permissions API, called by creative-hub-sharing.route.ts:

  • Wevion uses role='writer' (read + edit) + type='user' (specific email)
  • The share is folder-level — it grants access to the user's whole Creative Hub folder, not a single file

This layer controls who can open the folder directly in Drive (outside Wevion UI). Wevion's Service Account is always the owner; everyone else's access is via these explicit shares.

How the two layers interact

ScenarioWevion accessDrive access
You uploaded the file✅ (own session)Only via app (Service Account owns; not auto-shared with you in Drive)
super_admin / admin viewing another user's file✅ (role-based visibility)❌ (not shared with their Drive)
Shared via ch-105 externallyDepends on Wevion role✅ (Drive share writes via API)
Teammate in same workspace, no explicit share❌ (Wevion blocks)❌ (no Drive permission either)

The two layers are independent:

  • Wevion visibility ≠ Drive access
  • Sharing in Drive ≠ adding to Wevion view (Wevion still gates view)

Why two layers?

  • Wevion RBAC controls what teammates see inside Wevion — fast in-app gating without round-tripping to Drive
  • Drive permissions control external collaborators — gives non-Wevion users a way to access files without an account

Trying to merge them would either:

  • Force Drive-level enforcement for all Wevion views (slow + auth round-trip per render)
  • Force all sharing through Wevion (impossible for external non-Wevion users)

The two-layer model accepts the trade-off: a bit of mental overhead for admins, but clean separation of concerns.

Audit considerations

Creative Hub actions are not written to the Wevion audit log — there is no creative_* audit action in the code (no creative_view, creative_upload, creative_share, etc.). To see current external grants, use GET /api/v1/creative-hub/shared-emails. The general audit log lives at /api/v1/audit-log and covers other lifecycle events, not Creative Hub.

Common scenarios

Scenario A: Teammate can't see a file you uploaded

  • They have mediabuyer role + no explicit share
  • Wevion RBAC blocks → expected behavior
  • Fix: add to shared team folder OR use ch-105 with their email (note: ch-105 goes to Drive, not in-app — for in-app visibility, use team folder workflow)
  • You shared via Wevion's UI (a sharing record exists)
  • But the underlying Drive permission API call may have failed
  • Fix: re-share via ch-105; check GET /api/v1/creative-hub/shared-emails for current grants

Scenario C: super_admin / admin sees another user's folder but can't open the file in Drive

  • Wevion's role-based visibility allows the in-app view
  • But no Drive permission was ever granted to your personal Drive
  • Fix: this is expected — Wevion fetches via the Service Account on your behalf; if you need to open directly in Drive, ask the owner to share with your Drive email via ch-105

Best practices

Treat Wevion + Drive layers separately

When sharing: ask "do I want this person to see it in Wevion, or in Drive, or both?". Answer drives whether you use team folder workflow vs explicit share.

Review Drive shares periodically

External Drive shares accumulate. Periodically review GET /api/v1/creative-hub/shared-emails to identify stale grants and revoke them.

Remember non-privileged roles see only their own folder

Roles like finance, manager, mediabuyer, and viewer see only their own Creative Hub folder — they can't browse others' creatives unless a folder is explicitly shared with them via Drive.

Common mistakes

  • Expecting Wevion visibility = Drive access: they're independent
  • Sharing externally to give a teammate in-app view: wrong layer. Use team folder workflow.
  • Forgetting Wevion's Service Account is the file owner: removing the Service Account from a file = no one can access it including Wevion itself

FAQ

Why can a teammate see a file in Wevion but not open it in Google Drive?

Because Wevion enforces two independent RBAC layers. Layer 1 is Wevion in-app visibility via getVisibleSessionIds(db, callerId, callerRole) — for example a super_admin or admin sees all users' folders by role. Layer 2 is Google Drive permissions for opening files directly in Drive. Wevion fetches files via the Service Account on your behalf, so in-app view never implies a Drive-level share.

Which roles can see everyone's Creative Hub files?

super_admin and admin can see every user's folders and files. An owner sees their own plus their team members' folders. Every other role — manager, mediabuyer, finance, viewer — sees only their own folder. There is no canViewTeam flag; the role decides visibility directly, and the Members switcher shows for the roles that can see beyond their own folder.

How do I give a teammate in-app visibility to a file I uploaded?

Use the shared team folder workflow, not external sharing. If a mediabuyer teammate has no explicit share, Wevion's Layer 1 RBAC blocks their view — that is expected. Sharing via ch-105 writes a Google Drive permission (Layer 2) for direct Drive access, but it does not add the file to their in-app Wevion view.

What happens if the Service Account is removed from a file?

No one can access it, including Wevion itself, because Wevion's Service Account is always the file owner and fetches files on your behalf. Wevion shares files externally using the Drive permissions API with role='writer' and type='user' by default, but the Service Account must retain ownership for any access to work.