Role-Based Access Model
WedoCOD uses a role-based access control (RBAC) system. API access and dashboard capabilities are determined by the user's role. Each role is granted a defined set of permissions that map to specific resources and actions.
Roles Documented
This documentation covers the two primary public-facing roles:
| Role | Description |
|---|---|
| Admin | Full operational access. Manages team, products, orders, warehouses, shipping, statistics, and configuration. |
| Seller | Read-heavy access with done-for-you fulfillment. Can view and export most resources; limited write access. |
How Permissions Work
Each permission combines a resource and an action. The standard actions available in the system are:
| Action | API Equivalent | Description |
|---|---|---|
| List | GET /resource | Retrieve a paginated list of records |
| Retrieve | GET /resource/:id | Get a single record by ID |
| Create | POST /resource | Create a new record |
| Update | PUT /resource/:id | Update an existing record |
| Delete | DELETE /resource/:id | Remove a record |
| Export | GET /resource/export | Export records to a file |
| Import | POST /resource/import | Import records from a file |
Access is enforced at the API level. If a role does not have permission for a given resource and action, the API returns 403 Forbidden.
Admin Access Summary
Admins have full CRUD access to most resources in their workspace.
| Resource | List | Retrieve | Create | Update | Delete | Export | Import |
|---|---|---|---|---|---|---|---|
| Products | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Stocks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Stock Histories | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Orders | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Order Histories | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Leads | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Lead Histories | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Warehouses | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Shipping Companies | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Categories | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Invoices | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Notifications | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Roles | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Webhooks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Users | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Applications | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Call Centers | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Sheets | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cities | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Areas | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Statistics | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
TIP
For the complete resource-by-resource breakdown with endpoint details, see Permissions Matrix.
Seller Access Summary
Sellers have read-heavy access, with limited write operations.
| Resource | List | Retrieve | Create | Update | Delete | Export | Import |
|---|---|---|---|---|---|---|---|
| Products | ✅ | ✅ | — | ✅ | — | ✅ | ✅ |
| Stocks | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Marketplace Products | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Marketplace Stocks | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Stock Histories | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Orders | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Order Histories | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Leads | ✅ | ✅ | — | — | ✅ | ✅ | ✅ |
| Lead Histories | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Warehouses | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Notifications | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Invoices | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Sourcings | ✅ | ✅ | ✅ | — | — | ✅ | ✅ |
| Sourcing Messages | ✅ | ✅ | ✅ | — | — | ✅ | ✅ |
| Webhooks | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Applications | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Team Members | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Settings | ✅ | — | — | ✅ | — | — | — |
| Statistics | ✅ | ✅ | — | — | — | ✅ | ✅ |
| Dashboard | ✅ | ✅ | — | — | — | ✅ | ✅ |
Order Deletion
Sellers can delete orders that are in New or Out of Stock status only. Orders in other statuses are read-only.
TIP
For the complete resource-by-resource breakdown with endpoint details, see Permissions Matrix.
Access Enforcement
- All API requests are authenticated via Bearer token (Laravel Sanctum).
- Permissions are enforced server-side on every request.
- Attempting to access a resource or action outside your role's permissions returns 403 Forbidden.
- Subscription status is also validated: write operations require an active subscription.
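The checks listed above (role matrix, the status-conditional order deletion for sellers, and the subscription gate on writes) as one authorization routine. This is an added example, not WedoCOD's own code or API; the resource keys, the `Principal` type, and the choice to treat Import as a write are assumptions, and the Seller matrix is a transcribed subset of the table above.

```python
from dataclasses import dataclass

# Action names follow the "How Permissions Work" table.
FULL = {"list", "retrieve", "create", "update", "delete", "export", "import"}
READ_ONLY = {"list", "retrieve", "export", "import"}
# Assumption: Import (POST) counts as a write for the subscription check.
WRITE_ACTIONS = {"create", "update", "delete", "import"}

# Seller permissions transcribed (subset) from the Seller Access Summary;
# order deletion follows the "Order Deletion" note rather than the matrix.
SELLER = {
    "products": READ_ONLY | {"update"},
    "orders": READ_ONLY | {"delete"},
    "leads": READ_ONLY | {"delete"},
    "sourcings": READ_ONLY | {"create"},
    "applications": FULL,
    "team_members": FULL,
    "settings": {"list", "update"},
}
DELETABLE_ORDER_STATUSES = {"New", "Out of Stock"}
# Admin resources that have no Create/Update/Delete in the Admin matrix.
ADMIN_NO_WRITE = {"cities", "areas", "statistics"}


@dataclass
class Principal:  # hypothetical caller identity, not a WedoCOD type
    role: str
    subscription_active: bool


def authorize(p: Principal, resource: str, action: str, record=None) -> int:
    """Return the HTTP status the API would answer with: 200 or 403."""
    # Subscription gate applies to every write regardless of role.
    if action in WRITE_ACTIONS and not p.subscription_active:
        return 403
    if p.role == "admin":
        if resource in ADMIN_NO_WRITE and action in {"create", "update", "delete"}:
            return 403
        return 200
    if p.role == "seller":
        if action not in SELLER.get(resource, set()):
            return 403
        # Sellers may delete an order only while it is New or Out of Stock.
        if resource == "orders" and action == "delete":
            if (record or {}).get("status") not in DELETABLE_ORDER_STATUSES:
                return 403
        return 200
    return 403  # unknown role: deny by default
```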
