antosubash · antosubash · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/framework/SimpleModule.Core/Authorization/PermissionAuthorizationHandler.cs b/framework/SimpleModule.Core/Authorization/PermissionAuthorizationHandler.cs
@@ -1,5 +1,6 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
+using SimpleModule.Core.Extensions;
 
 namespace SimpleModule.Core.Authorization;
 
@@ -10,31 +11,9 @@ protected override Task HandleRequirementAsync(
         PermissionRequirement requirement
     )
     {
-        // Admin role bypasses all permission checks
-        if (context.User.IsInRole(WellKnownRoles.Admin))
+        if (context.User.HasPermission(requirement.Permission))
         {
             context.Succeed(requirement);
-            return Task.CompletedTask;
-        }
-
-        // Exact match (fast path)
-        if (context.User.HasClaim("permission", requirement.Permission))
-        {
-            context.Succeed(requirement);
-            return Task.CompletedTask;
-        }
-
-        // Wildcard match: check all permission claims for wildcard patterns
-        foreach (var claim in context.User.Claims)
-        {
-            if (
-                claim.Type == "permission"
-                && PermissionMatcher.IsMatch(claim.Value, requirement.Permission)
-            )
-            {
-                context.Succeed(requirement);
-                return Task.CompletedTask;
-            }
         }
 
         return Task.CompletedTask;

diff --git a/framework/SimpleModule.Core/Authorization/WellKnownClaims.cs b/framework/SimpleModule.Core/Authorization/WellKnownClaims.cs
@@ -0,0 +1,6 @@
+namespace SimpleModule.Core.Authorization;
+
+public static class WellKnownClaims
+{
+    public const string Permission = "permission";
+}
diff --git a/framework/SimpleModule.Core/Extensions/ClaimsPrincipalExtensions.cs b/framework/SimpleModule.Core/Extensions/ClaimsPrincipalExtensions.cs
@@ -21,4 +21,30 @@ public static class ClaimsPrincipalExtensions
     {
         return principal.IsInRole(WellKnownRoles.Admin) ? null : principal.GetUserId();
     }
+
+    /// <summary>
+    /// Returns true if the principal satisfies the given permission requirement.
+    /// Admin role bypasses the check; otherwise the user's "permission" claims are
+    /// matched (exact and wildcard) against <paramref name="permission"/>.
+    /// </summary>
+    public static bool HasPermission(this ClaimsPrincipal principal, string permission)
+    {
+        if (principal.IsInRole(WellKnownRoles.Admin))
+        {
+            return true;
+        }
+
+        foreach (var claim in principal.Claims)
+        {
+            if (
+                claim.Type == WellKnownClaims.Permission
+                && PermissionMatcher.IsMatch(claim.Value, permission)
+            )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
diff --git a/framework/SimpleModule.Core/Menu/MenuItem.cs b/framework/SimpleModule.Core/Menu/MenuItem.cs
@@ -22,4 +22,11 @@ public sealed class MenuItem
     /// An empty list means visible to all authenticated users.
     /// </summary>
     public IReadOnlyList<string> Roles { get; init; } = [];
+
+    /// <summary>
+    /// When set, this menu item is only visible to users whose permission claims
+    /// satisfy the requirement (supports wildcards via PermissionMatcher).
+    /// Admin role bypasses this check. Null means no permission gating.
+    /// </summary>
+    public string? RequiredPermission { get; init; }
 }
diff --git a/framework/SimpleModule.Hosting/Middleware/InertiaLayoutDataMiddleware.cs b/framework/SimpleModule.Hosting/Middleware/InertiaLayoutDataMiddleware.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
+using SimpleModule.Core.Extensions;
 using SimpleModule.Core.Inertia;
 using SimpleModule.Core.Menu;
 
@@ -45,7 +46,13 @@ IReadOnlyList<MenuItem> Filter(MenuSection section)
                     }
 
                     return items
-                        .Where(m => m.Roles.Count == 0 || m.Roles.Any(r => user.IsInRole(r)))
+                        .Where(m =>
+                            (m.Roles.Count == 0 || m.Roles.Any(r => user.IsInRole(r)))
+                            && (
+                                m.RequiredPermission is null
+                                || user.HasPermission(m.RequiredPermission)
+                            )
+                        )
                         .ToList();
                 }
 

diff --git a/modules/Dashboard/src/SimpleModule.Dashboard/Pages/Home.tsx b/modules/Dashboard/src/SimpleModule.Dashboard/Pages/Home.tsx
@@ -30,15 +30,21 @@ interface HomeProps {
 
 export default function Home({ isAuthenticated, displayName, isDevelopment }: HomeProps) {
   return isAuthenticated ? (
-    <DashboardView displayName={displayName} />
+    <DashboardView displayName={displayName} isDevelopment={isDevelopment} />
   ) : (
     <LandingView isDevelopment={isDevelopment} />
   );
 }
 
 // --- Dashboard View ---
 
-function DashboardView({ displayName }: { displayName: string }) {
+function DashboardView({
+  displayName,
+  isDevelopment,
+}: {
+  displayName: string;
+  isDevelopment: boolean;
+}) {
   const { t } = useTranslation('Dashboard');
   return (
     <PageShell
@@ -73,32 +79,34 @@ function DashboardView({ displayName }: { displayName: string }) {
             </CardContent>
           </Card>
         </a>
-        <a href="/swagger" className="no-underline">
-          <Card className="h-full group">
-            <CardContent>
-              <div className="flex items-center gap-3 mb-3">
-                <span className="w-9 h-9 rounded-xl flex items-center justify-center text-accent bg-success-bg">
-                  <svg
-                    className="w-[18px] h-[18px]"
-                    fill="none"
-                    stroke="currentColor"
-                    strokeWidth="2"
-                    viewBox="0 0 24 24"
-                    aria-hidden="true"
-                  >
-                    <path d="M10 20l4-16m4 4l4 4-4 4M6 16l-4-4 4-4" />
-                  </svg>
-                </span>
-                <span className="text-sm font-semibold text-text group-hover:text-primary transition-colors">
-                  {t(DashboardKeys.Home.ApiDocsCardTitle)}
-                </span>
-              </div>
-              <p className="text-xs text-text-muted">
-                {t(DashboardKeys.Home.ApiDocsCardDescription)}
-              </p>
-            </CardContent>
-          </Card>
-        </a>
+        {isDevelopment && (
+          <a href="/swagger" className="no-underline">
+            <Card className="h-full group">
+              <CardContent>
+                <div className="flex items-center gap-3 mb-3">
+                  <span className="w-9 h-9 rounded-xl flex items-center justify-center text-accent bg-success-bg">
+                    <svg
+                      className="w-[18px] h-[18px]"
+                      fill="none"
+                      stroke="currentColor"
+                      strokeWidth="2"
+                      viewBox="0 0 24 24"
+                      aria-hidden="true"
+                    >
+                      <path d="M10 20l4-16m4 4l4 4-4 4M6 16l-4-4 4-4" />
+                    </svg>
+                  </span>
+                  <span className="text-sm font-semibold text-text group-hover:text-primary transition-colors">
+                    {t(DashboardKeys.Home.ApiDocsCardTitle)}
+                  </span>
+                </div>
+                <p className="text-xs text-text-muted">
+                  {t(DashboardKeys.Home.ApiDocsCardDescription)}
+                </p>
+              </CardContent>
+            </Card>
+          </a>
+        )}
         <a href="/health/live" className="no-underline">
           <Card className="h-full group">
             <CardContent>
@@ -569,13 +577,17 @@ function LandingView({ isDevelopment }: { isDevelopment: boolean }) {
         )}
 
         <div className="flex gap-5 justify-center mt-8 text-sm">
-          <a
-            href="/swagger"
-            className="text-text-muted no-underline hover:text-primary transition-colors"
-          >
-            {t(DashboardKeys.Home.LandingApiDocs)}
-          </a>
-          <span className="text-border">&middot;</span>
+          {isDevelopment && (
+            <>
+              <a
+                href="/swagger"
+                className="text-text-muted no-underline hover:text-primary transition-colors"
+              >
+                {t(DashboardKeys.Home.LandingApiDocs)}
+              </a>
+              <span className="text-border">&middot;</span>
+            </>
+          )}
           <a
             href="/health/live"
             className="text-text-muted no-underline hover:text-primary transition-colors"

diff --git a/modules/Datasets/src/SimpleModule.Datasets/DatasetsModule.cs b/modules/Datasets/src/SimpleModule.Datasets/DatasetsModule.cs
@@ -60,6 +60,7 @@ public void ConfigureMenu(IMenuBuilder menus)
                     """<svg class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" d="M9 20l-5.447-2.724A1 1 0 013 16.382V5.618a1 1 0 011.447-.894L9 7m0 13l6-3m-6 3V7m6 10l5.447 2.724A1 1 0 0021 18.382V7.618a1 1 0 00-1.447-.894L15 4m0 13V4m0 0L9 7"/></svg>""",
                 Order = 55,
                 Section = MenuSection.AppSidebar,
+                RequiredPermission = DatasetsPermissions.View,
             }
         );
     }

diff --git a/modules/FileStorage/src/SimpleModule.FileStorage/FileStorageModule.cs b/modules/FileStorage/src/SimpleModule.FileStorage/FileStorageModule.cs
@@ -37,6 +37,7 @@ public void ConfigureMenu(IMenuBuilder menus)
                     """<svg class="w-4 h-4" fill="none" stroke="currentColor" stroke-width="2" viewBox="0 0 24 24"><path d="M3 7v10a2 2 0 002 2h14a2 2 0 002-2V9a2 2 0 00-2-2h-6l-2-2H5a2 2 0 00-2 2z"/></svg>""",
                 Order = 50,
                 Section = MenuSection.AppSidebar,
+                RequiredPermission = FileStoragePermissions.View,
             }
         );
     }

diff --git a/template/SimpleModule.Host/Program.cs b/template/SimpleModule.Host/Program.cs
@@ -20,4 +20,12 @@
 await app.UseSimpleModule();
 app.MapDefaultEndpoints();
 
+app.MapGet(
+        "/favicon.ico",
+        (IWebHostEnvironment env) =>
+            Results.File(Path.Combine(env.WebRootPath, "favicon.svg"), "image/svg+xml")
+    )
+    .ExcludeFromDescription()
+    .AllowAnonymous();
+
 await app.RunAsync();
diff --git a/tests/SimpleModule.Core.Tests/Extensions/ClaimsPrincipalExtensionsTests.cs b/tests/SimpleModule.Core.Tests/Extensions/ClaimsPrincipalExtensionsTests.cs
@@ -0,0 +1,63 @@
+using System.Security.Claims;
+using FluentAssertions;
+using SimpleModule.Core.Extensions;
+
+namespace SimpleModule.Core.Tests.Extensions;
+
+public class ClaimsPrincipalExtensionsTests
+{
+    [Fact]
+    public void HasPermission_AdminRole_ReturnsTrue()
+    {
+        var user = CreateUser(new Claim(ClaimTypes.Role, "Admin"));
+
+        user.HasPermission("Anything.Goes").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasPermission_ExactClaimMatch_ReturnsTrue()
+    {
+        var user = CreateUser(new Claim("permission", "Products.View"));
+
+        user.HasPermission("Products.View").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasPermission_WildcardClaimMatch_ReturnsTrue()
+    {
+        var user = CreateUser(new Claim("permission", "Products.*"));
+
+        user.HasPermission("Products.View").Should().BeTrue();
+        user.HasPermission("Products.Delete").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasPermission_GlobalWildcardClaim_ReturnsTrue()
+    {
+        var user = CreateUser(new Claim("permission", "*"));
+
+        user.HasPermission("Foo").Should().BeTrue();
+    }
+
+    [Fact]
+    public void HasPermission_NoMatchingClaim_ReturnsFalse()
+    {
+        var user = CreateUser(new Claim("permission", "Orders.View"));
+
+        user.HasPermission("Products.View").Should().BeFalse();
+    }
+
+    [Fact]
+    public void HasPermission_EmptyPrincipal_ReturnsFalse()
+    {
+        var user = new ClaimsPrincipal(new ClaimsIdentity());
+
+        user.HasPermission("Anything").Should().BeFalse();
+    }
+
+    private static ClaimsPrincipal CreateUser(params Claim[] claims)
+    {
+        var identity = new ClaimsIdentity(claims, "Test");
+        return new ClaimsPrincipal(identity);
+    }
+}