Roles & Permissions

Flo uses a flags-based role system where roles are additive — higher roles automatically include all lower role permissions.

Role Hierarchy

SuperAdmin (16)
  └── Admin (8)
       └── Pro (4)
            └── User (2)
                 └── Unactivated (1)

Role	Value	Description
SuperAdmin	16	Full platform control. Can manage all settings, users, and system configuration
Admin	8	Studio/agency administrator. Manages users, activities, bookings, and content
Pro	4	Professional/instructor. Can view bookings, manage own schedule
User	2	Regular user. Can book activities, manage own profile
Unactivated	1	Registered but not yet activated by admin

Roles are stored as a flags enum with bitwise checking. A SuperAdmin has value 16, which automatically passes checks for Admin (8), Pro (4), and User (2).

Backend Authorization

Controller-Level

[Authorize(Roles = "SuperAdmin")]
public async Task<ActionResult> SuperAdminOnly() { }

[Authorize(Roles = "Admin,SuperAdmin")]
public async Task<ActionResult> AdminAction() { }

[Authorize] // Any authenticated user
public async Task<ActionResult> AnyUser() { }

Service-Level

// Check role in service logic
if (!RoleChecker.UserHasRole(user.Role, UserRole.Admin))
    return Forbid();

Frontend Authorization

Route Guards

// Require authentication
{ path: 'dashboard', canActivate: [AuthGuard] }

// Require admin role
{ path: 'admin', canActivate: [AuthGuard, AdminGuard] }

// Require feature flag
{ path: 'bookings', canActivate: [FeatureFlagGuard], data: { ff: 'enable_bookings' } }

Template Visibility

@if (store.isSuperAdmin$ | async) {
  <!-- SuperAdmin-only content -->
}

@if (store.isAdmin$ | async) {
  <!-- Admin and SuperAdmin content -->
}

What Each Role Can Do

User

View and book available activities/lessons
Cancel own bookings (respecting cancellation rules)
Manage own profile (name, email, photo)
View own booking history and subscriptions

Pro (Professional/Instructor)

Everything a User can do
View participants for their assigned activities
Manage their own schedule

Admin

Everything a Pro can do
Manage users (activate, deactivate, change roles)
Create and manage activities/services
Manage bookings for all users
Configure studio closures and holidays
Manage blog content, newsletter, and gallery
View business analytics dashboard
Configure locations and professionals

SuperAdmin

Everything an Admin can do
Manage system settings and feature flags
Access diagnostic endpoints
Manage API tokens for public API access
Configure webhook integrations
Access security and system health information

Key Files

File	Purpose
`Flo.BE/Models/UserRole.cs`	Role enum definition
`Flo.BE/Helpers/RoleChecker.cs`	Role checking utility
`Flo.FE/src/app/guards/admin.guard.ts`	Admin role route guard
`Flo.FE/src/app/guards/auth.guard.ts`	Authentication guard

Role Hierarchy​

Backend Authorization​

Controller-Level​

Service-Level​

Frontend Authorization​

Route Guards​

Template Visibility​

What Each Role Can Do​

User​

Pro (Professional/Instructor)​

Admin​

SuperAdmin​

Key Files​