From db0679fe05d9fe82ace40f71b9f79904d47101a6 Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:18:44 +0000 Subject: [PATCH 1/7] feat: add resource ownership rules and permissions management --- .../src/authorization/constants/ownership.ts | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 backend/src/authorization/constants/ownership.ts diff --git a/backend/src/authorization/constants/ownership.ts b/backend/src/authorization/constants/ownership.ts new file mode 100644 index 0000000..dfaf4de --- /dev/null +++ b/backend/src/authorization/constants/ownership.ts @@ -0,0 +1,96 @@ +/** + * Resource ownership rules + * + * Defines who owns what resources and how ownership affects permissions + */ + +import { Permission } from './permissions'; + +// Resource types in the system +export enum ResourceType { + USER = 'user', + BOOKING = 'booking', + LAB = 'lab', + TIME_SLOT = 'time_slot', + WAITLIST = 'waitlist', + NOTIFICATION = 'notification', + ORGANIZATION = 'organization', + ADMIN = 'admin', +} + +// Ownership verification functions +export interface OwnershipVerifier { + /** + * Check if a user owns a resource + * @param userId The ID of the user + * @param resourceId The ID of the resource + * @returns Promise resolving to boolean indicating ownership + */ + verifyOwnership: (userId: string, resourceId: string) => Promise; + + /** + * Check if a user belongs to the same organization as a resource + * @param userId The ID of the user + * @param resourceId The ID of the resource + * @returns Promise resolving to boolean indicating same organization + */ + verifySameOrganization?: (userId: string, resourceId: string) => Promise; +} + +// Permissions that bypass ownership checks +export const OWNERSHIP_BYPASS_PERMISSIONS: Record = { + [ResourceType.USER]: ['users:read', 'users:update', 'users:delete', 'users:reset_password'], + [ResourceType.BOOKING]: ['bookings:read_all', 'bookings:update_any', 'bookings:cancel_any'], + [ResourceType.LAB]: ['labs:update', 'labs:delete'], + [ResourceType.TIME_SLOT]: ['time_slots:update', 'time_slots:delete'], + [ResourceType.WAITLIST]: ['waitlists:read_all', 'waitlists:manage'], + [ResourceType.NOTIFICATION]: ['notifications:send'], + [ResourceType.ORGANIZATION]: ['organizations:update', 'organizations:delete'], + [ResourceType.ADMIN]: ['admins:update', 'admins:delete'], +}; + +/** + * Ownership rules for different resource types + * Describes who can own a resource and what constitutes ownership + */ +export const OWNERSHIP_RULES = { + [ResourceType.USER]: { + description: 'A user owns their own profile and data', + ownerField: 'id', // The field that identifies the owner in the User model + }, + + [ResourceType.BOOKING]: { + description: 'A user owns bookings they have created', + ownerField: 'user_id', // The field that identifies the owner in the Booking model + }, + + [ResourceType.LAB]: { + description: 'An admin owns labs they are assigned to manage', + ownerField: 'adminId', // The field that identifies the owner in the Lab model + }, + + [ResourceType.TIME_SLOT]: { + description: 'A lab admin owns time slots for their labs', + ownerField: null, // Requires special logic - check if user is admin of the lab + }, + + [ResourceType.WAITLIST]: { + description: 'A user owns their own waitlist entries', + ownerField: 'user_id', // The field that identifies the owner in the Waitlist model + }, + + [ResourceType.NOTIFICATION]: { + description: 'A user owns notifications addressed to them', + ownerField: 'user_id', // The field that identifies the owner in the Notification model + }, + + [ResourceType.ORGANIZATION]: { + description: 'A super admin manages organizations', + ownerField: 'superAdminId', // The field that identifies the owner in the Organization model + }, + + [ResourceType.ADMIN]: { + description: 'A super admin manages admin accounts', + ownerField: null, // Requires special logic - only super admins can manage admins + }, +}; From 43f5a06ef89e5c8b74b33e388d7e41ee25c30feb Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:00 +0000 Subject: [PATCH 2/7] feat: add permission constants for user, admin, and super admin roles --- .../authorization/constants/permissions.ts | 108 ++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 backend/src/authorization/constants/permissions.ts diff --git a/backend/src/authorization/constants/permissions.ts b/backend/src/authorization/constants/permissions.ts new file mode 100644 index 0000000..3024d3e --- /dev/null +++ b/backend/src/authorization/constants/permissions.ts @@ -0,0 +1,108 @@ +/** + * Permission constants for the Time-Booking Application + * + * Format: [RESOURCE]:[ACTION] + * This provides a granular and consistent permission structure + */ + +// User permissions +export const USER_PERMISSIONS = { + // Self management + READ_SELF: 'users:read_self', + UPDATE_SELF: 'users:update_self', + DELETE_SELF: 'users:delete_self', + + // Organization access + READ_ORGANIZATION: 'organizations:read', + + // Lab access + READ_LABS: 'labs:read', + + // Time slot access + READ_TIME_SLOTS: 'time_slots:read', + + // Booking permissions + CREATE_BOOKING: 'bookings:create', + READ_OWN_BOOKINGS: 'bookings:read_own', + UPDATE_OWN_BOOKING: 'bookings:update_own', + CANCEL_OWN_BOOKING: 'bookings:cancel_own', + + // Waitlist permissions + JOIN_WAITLIST: 'waitlists:join', + LEAVE_WAITLIST: 'waitlists:leave', + READ_OWN_WAITLIST: 'waitlists:read_own', + + // Notification permissions + READ_OWN_NOTIFICATIONS: 'notifications:read_own', + UPDATE_OWN_NOTIFICATION: 'notifications:update_own', +}; + +// Admin permissions +export const ADMIN_PERMISSIONS = { + // User management + READ_USERS: 'users:read', + UPDATE_USERS: 'users:update', + DELETE_USERS: 'users:delete', + RESET_USER_PASSWORD: 'users:reset_password', + + // Organization management + READ_ORGANIZATION_DETAILS: 'organizations:read_details', + + // Lab management + CREATE_LAB: 'labs:create', + UPDATE_LAB: 'labs:update', + DELETE_LAB: 'labs:delete', + + // Time slot management + CREATE_TIME_SLOT: 'time_slots:create', + UPDATE_TIME_SLOT: 'time_slots:update', + DELETE_TIME_SLOT: 'time_slots:delete', + + // Booking management + READ_ALL_BOOKINGS: 'bookings:read_all', + UPDATE_ANY_BOOKING: 'bookings:update_any', + CANCEL_ANY_BOOKING: 'bookings:cancel_any', + + // Waitlist management + READ_WAITLISTS: 'waitlists:read_all', + MANAGE_WAITLISTS: 'waitlists:manage', + + // Reporting + VIEW_LAB_REPORTS: 'reports:view_lab', + + // Notification management + SEND_NOTIFICATIONS: 'notifications:send', +}; + +// Super Admin permissions +export const SUPER_ADMIN_PERMISSIONS = { + // Organization management + CREATE_ORGANIZATION: 'organizations:create', + UPDATE_ORGANIZATION: 'organizations:update', + DELETE_ORGANIZATION: 'organizations:delete', + + // Admin management + CREATE_ADMIN: 'admins:create', + READ_ADMINS: 'admins:read', + UPDATE_ADMIN: 'admins:update', + DELETE_ADMIN: 'admins:delete', + + // System-wide permissions + SYSTEM_CONFIGURATION: 'system:configure', + VIEW_SYSTEM_REPORTS: 'reports:view_system', + SEND_SYSTEM_ANNOUNCEMENTS: 'announcements:send', +}; + +// Combine all permissions for easier reference +export const ALL_PERMISSIONS = { + ...USER_PERMISSIONS, + ...ADMIN_PERMISSIONS, + ...SUPER_ADMIN_PERMISSIONS, +}; + +// Export types for TypeScript +export type Permission = (typeof ALL_PERMISSIONS)[keyof typeof ALL_PERMISSIONS]; +export type UserPermission = (typeof USER_PERMISSIONS)[keyof typeof USER_PERMISSIONS]; +export type AdminPermission = (typeof ADMIN_PERMISSIONS)[keyof typeof ADMIN_PERMISSIONS]; +export type SuperAdminPermission = + (typeof SUPER_ADMIN_PERMISSIONS)[keyof typeof SUPER_ADMIN_PERMISSIONS]; From e73f0e5a5156740e3b89d7a5a456c4e1b977b9ff Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:07 +0000 Subject: [PATCH 3/7] feat: implement role-based permission mappings and hierarchy --- backend/src/authorization/constants/roles.ts | 74 ++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 backend/src/authorization/constants/roles.ts diff --git a/backend/src/authorization/constants/roles.ts b/backend/src/authorization/constants/roles.ts new file mode 100644 index 0000000..d92ecbb --- /dev/null +++ b/backend/src/authorization/constants/roles.ts @@ -0,0 +1,74 @@ +import { UserRole } from '@prisma/client'; +import { + USER_PERMISSIONS, + ADMIN_PERMISSIONS, + SUPER_ADMIN_PERMISSIONS, + Permission, +} from './permissions'; + +/** + * Role-based permission mappings + * + * Each role is assigned a set of permissions. Roles higher in the hierarchy + * inherit all permissions from roles below them. + */ + +// Define permissions for each role +const ROLE_PERMISSIONS: Record = { + USER: Object.values(USER_PERMISSIONS), + + ADMIN: [...Object.values(USER_PERMISSIONS), ...Object.values(ADMIN_PERMISSIONS)], + + SUPER_ADMIN: [ + ...Object.values(USER_PERMISSIONS), + ...Object.values(ADMIN_PERMISSIONS), + ...Object.values(SUPER_ADMIN_PERMISSIONS), + ], +}; + +/** + * Get all permissions for a specific role + * @param role The user role to get permissions for + * @returns Array of permission strings + */ +export const getPermissionsForRole = (role: UserRole): Permission[] => { + return ROLE_PERMISSIONS[role] || []; +}; + +/** + * Check if a role has a specific permission + * @param role The user role to check + * @param permission The permission to check for + * @returns Boolean indicating if the role has the permission + */ +export const roleHasPermission = (role: UserRole, permission: Permission): boolean => { + return ROLE_PERMISSIONS[role]?.includes(permission) || false; +}; + +/** + * Role hierarchy definition for inheritance checks + * Roles can access resources that roles below them can access + */ +export const ROLE_HIERARCHY: Record = { + USER: [], + ADMIN: ['USER'], + SUPER_ADMIN: ['USER', 'ADMIN'], +}; + +/** + * Check if one role is higher than another in the hierarchy + * @param role The role to check + * @param thanRole The role to compare against + * @returns Boolean indicating if role is higher than thanRole + */ +export const isRoleHigherThan = (role: UserRole, thanRole: UserRole): boolean => { + return ROLE_HIERARCHY[role]?.includes(thanRole) || false; +}; + +// Export role descriptions for documentation +export const ROLE_DESCRIPTIONS = { + USER: 'Regular user who can book, reschedule, and cancel lab time slots', + ADMIN: 'Lab administrator who manages labs, time slots, and users within their organization', + SUPER_ADMIN: + 'System administrator with complete control over all organizations and system settings', +}; From 59d21884aa0a8ec3f9d3aceb48e3145a07f5229c Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:13 +0000 Subject: [PATCH 4/7] feat: add rbacMiddleware for role-based access control --- backend/src/authorization/middleware/rbacMiddleware.ts | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 backend/src/authorization/middleware/rbacMiddleware.ts diff --git a/backend/src/authorization/middleware/rbacMiddleware.ts b/backend/src/authorization/middleware/rbacMiddleware.ts new file mode 100644 index 0000000..e69de29 From 15eb3bd7bb73dd7e2ad2054d8053de3331a3f9ac Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:22 +0000 Subject: [PATCH 5/7] feat: implement permission checking and resource access control logic --- .../authorization/utils/permissionChecker.ts | 154 ++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 backend/src/authorization/utils/permissionChecker.ts diff --git a/backend/src/authorization/utils/permissionChecker.ts b/backend/src/authorization/utils/permissionChecker.ts new file mode 100644 index 0000000..91110ca --- /dev/null +++ b/backend/src/authorization/utils/permissionChecker.ts @@ -0,0 +1,154 @@ +import { Permission } from '../constants/permissions'; +import { getPermissionsForRole } from '../constants/roles'; +import { ResourceType, OWNERSHIP_BYPASS_PERMISSIONS } from '../constants/ownership'; +import { PrismaClient, UserRole } from '@prisma/client'; + +const prisma = new PrismaClient(); + +/** + * User with role information + */ +interface AuthUser { + id: string; + user_role: UserRole; + organizationId?: string | null; +} + +/** + * Check if a user has a specific permission + * @param user The authenticated user + * @param permission The permission to check + * @returns Boolean indicating if the user has the permission + */ +export const hasPermission = (user: AuthUser, permission: Permission): boolean => { + const userPermissions = getPermissionsForRole(user.user_role); + return userPermissions.includes(permission); +}; + +/** + * Check if a user has any of the specified permissions + * @param user The authenticated user + * @param permissions Array of permissions to check + * @returns Boolean indicating if the user has any of the permissions + */ +export const hasAnyPermission = (user: AuthUser, permissions: Permission[]): boolean => { + return permissions.some(permission => hasPermission(user, permission)); +}; + +/** + * Check if a user has all of the specified permissions + * @param user The authenticated user + * @param permissions Array of permissions to check + * @returns Boolean indicating if the user has all of the permissions + */ +export const hasAllPermissions = (user: AuthUser, permissions: Permission[]): boolean => { + return permissions.every(permission => hasPermission(user, permission)); +}; + +/** + * Check if a user can access a specific resource based on ownership and permissions + * @param user The authenticated user + * @param resourceType The type of resource being accessed + * @param resourceId The ID of the resource + * @param permission The permission required for the operation + * @returns Promise resolving to boolean indicating if access is allowed + */ +export const canAccessResource = async ( + user: AuthUser, + resourceType: ResourceType, + resourceId: string, + permission: Permission, +): Promise => { + // First check if user has the permission + if (!hasPermission(user, permission)) { + return false; + } + + // Check if the permission bypasses ownership checks + const bypassPermissions = OWNERSHIP_BYPASS_PERMISSIONS[resourceType] || []; + if (hasAnyPermission(user, bypassPermissions)) { + return true; + } + + // Check ownership based on resource type + switch (resourceType) { + case ResourceType.USER: { + // Users can access their own profiles + return user.id === resourceId; + } + + case ResourceType.BOOKING: { + // Check if user owns the booking + const booking = await prisma.booking.findUnique({ + where: { id: resourceId }, + }); + return booking?.user_id === user.id; + } + + case ResourceType.LAB: { + // For admins, check if they manage the lab + if (user.user_role === 'ADMIN') { + const lab = await prisma.lab.findUnique({ + where: { id: resourceId }, + }); + return lab?.adminId === user.id; + } + // Users can view all labs + return permission === 'labs:read'; + } + + case ResourceType.TIME_SLOT: { + // For admins, check if they manage the lab that contains the time slot + if (user.user_role === 'ADMIN') { + const timeSlot = await prisma.timeSlot.findUnique({ + where: { id: resourceId }, + include: { lab: true }, + }); + return timeSlot?.lab.adminId === user.id; + } + // Users can view all time slots + return permission === 'time_slots:read'; + } + + case ResourceType.WAITLIST: { + // Check if user owns the waitlist entry + const waitlist = await prisma.waitlist.findUnique({ + where: { id: resourceId }, + }); + return waitlist?.user_id === user.id; + } + + case ResourceType.NOTIFICATION: { + // Check if notification is for the user + const notification = await prisma.notification.findUnique({ + where: { id: resourceId }, + }); + return notification?.user_id === user.id; + } + + case ResourceType.ORGANIZATION: { + // Regular users can only view their own organization + if (user.user_role === 'USER') { + return permission === 'organizations:read' && user.organizationId === resourceId; + } + // Admins can view their own organization details + if (user.user_role === 'ADMIN') { + return ( + ['organizations:read', 'organizations:read_details'].includes(permission) && + user.organizationId === resourceId + ); + } + // Super admins can access all organizations + return true; + } + + case ResourceType.ADMIN: { + // Only super admins can manage admins + return user.user_role === 'SUPER_ADMIN'; + } + + default: { + return false; + } + } +}; From 06b8a40764ccc278fe2306fe9f9ab4bfaeb057b6 Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:33 +0000 Subject: [PATCH 6/7] feat: add comprehensive permission matrix documentation for role-based access control --- .../authorization/docs/permissionMatrix.md | 157 ++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 backend/src/authorization/docs/permissionMatrix.md diff --git a/backend/src/authorization/docs/permissionMatrix.md b/backend/src/authorization/docs/permissionMatrix.md new file mode 100644 index 0000000..0a6474b --- /dev/null +++ b/backend/src/authorization/docs/permissionMatrix.md @@ -0,0 +1,157 @@ +# Permission Matrix + +This document provides a comprehensive overview of permissions in the Time-Booking Application, showing which roles have access to which operations, and how resource ownership affects permissions. + +## Role Hierarchy + +* **User**: Base role for all authenticated users +* **Admin**: Inherits all User permissions plus admin capabilities +* **Super Admin**: Inherits all Admin permissions plus system-wide capabilities + +## Permission Matrix by Resource + +### User Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View own profile | users:read_self | ✅ | ✅ | ✅ | Self only | +| Update own profile | users:update_self | ✅ | ✅ | ✅ | Self only | +| Delete own account | users:delete_self | ✅ | ✅ | ✅ | Self only | +| View any user | users:read | ❌ | ✅ | ✅ | N/A | +| Update any user | users:update | ❌ | ✅ | ✅ | Users in same organization | +| Delete any user | users:delete | ❌ | ✅ | ✅ | Users in same organization | +| Reset user password | users:reset_password | ❌ | ✅ | ✅ | Users in same organization | + +### Organization Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View organization basic info | organizations:read | ✅ | ✅ | ✅ | Own organization | +| View organization details | organizations:read_details | ❌ | ✅ | ✅ | Own organization | +| Create organization | organizations:create | ❌ | ❌ | ✅ | N/A | +| Update organization | organizations:update | ❌ | ❌ | ✅ | N/A | +| Delete organization | organizations:delete | ❌ | ❌ | ✅ | N/A | + +### Lab Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View labs | labs:read | ✅ | ✅ | ✅ | N/A | +| Create lab | labs:create | ❌ | ✅ | ✅ | Within own organization | +| Update lab | labs:update | ❌ | ✅ | ✅ | Labs they manage | +| Delete lab | labs:delete | ❌ | ✅ | ✅ | Labs they manage | + +### Time Slot Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View time slots | time_slots:read | ✅ | ✅ | ✅ | N/A | +| Create time slot | time_slots:create | ❌ | ✅ | ✅ | For labs they manage | +| Update time slot | time_slots:update | ❌ | ✅ | ✅ | For labs they manage | +| Delete time slot | time_slots:delete | ❌ | ✅ | ✅ | For labs they manage | + +### Booking Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| Create booking | bookings:create | ✅ | ✅ | ✅ | N/A | +| View own bookings | bookings:read_own | ✅ | ✅ | ✅ | Self only | +| Update own booking | bookings:update_own | ✅ | ✅ | ✅ | Self only | +| Cancel own booking | bookings:cancel_own | ✅ | ✅ | ✅ | Self only | +| View all bookings | bookings:read_all | ❌ | ✅ | ✅ | Within own organization | +| Update any booking | bookings:update_any | ❌ | ✅ | ✅ | Within own organization | +| Cancel any booking | bookings:cancel_any | ❌ | ✅ | ✅ | Within own organization | + +### Waitlist Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| Join waitlist | waitlists:join | ✅ | ✅ | ✅ | N/A | +| Leave waitlist | waitlists:leave | ✅ | ✅ | ✅ | Self only | +| View own waitlist position | waitlists:read_own | ✅ | ✅ | ✅ | Self only | +| View all waitlists | waitlists:read_all | ❌ | ✅ | ✅ | Within own organization | +| Manage waitlists | waitlists:manage | ❌ | ✅ | ✅ | Within own organization | + +### Notification Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View own notifications | notifications:read_own | ✅ | ✅ | ✅ | Self only | +| Mark own notification as read | notifications:update_own | ✅ | ✅ | ✅ | Self only | +| Send notifications | notifications:send | ❌ | ✅ | ✅ | To users in same organization | + +### Admin Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| Create admin | admins:create | ❌ | ❌ | ✅ | N/A | +| View admins | admins:read | ❌ | ❌ | ✅ | N/A | +| Update admin | admins:update | ❌ | ❌ | ✅ | N/A | +| Delete admin | admins:delete | ❌ | ❌ | ✅ | N/A | + +### Reporting + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| View lab reports | reports:view_lab | ❌ | ✅ | ✅ | Labs they manage | +| View system reports | reports:view_system | ❌ | ❌ | ✅ | N/A | + +### System Management + +| Operation | Permission | User | Admin | Super Admin | Ownership Rules | +|-----------|------------|------|-------|-------------|----------------| +| Configure system settings | system:configure | ❌ | ❌ | ✅ | N/A | +| Send system announcements | announcements:send | ❌ | ❌ | ✅ | N/A | + +## Special Cases and Exceptions + +1. **Time-based restrictions**: Some permissions may be restricted based on time. For example: + - Users can only cancel bookings up to 24 hours before the time slot. + - Admins can override time-based restrictions in emergency situations. + +2. **Capacity constraints**: + - Users can only create bookings if capacity is available. + - Admins can override capacity constraints in special circumstances. + +3. **Organizational boundaries**: + - Admins can only manage resources within their own organization. + - Super Admins can access resources across all organizations. + +4. **Waitlist priority**: + - Special rules may apply to waitlist positioning based on organizational policies. + - Admins can override waitlist order in justified cases. + +## Visual Representation + +``` +┌───────────────────┐ +│ SUPER ADMIN │ +│ │ +│ - System config │ +│ - All organizations│ +│ - Create/manage │ +│ admins │ +└─────────┬─────────┘ + │ + │ Inherits + ▼ +┌───────────────────┐ +│ ADMIN │ +│ │ +│ - Manage labs │ +│ - Manage users │ +│ - Override bookings│ +│ - View reports │ +└─────────┬─────────┘ + │ + │ Inherits + ▼ +┌───────────────────┐ +│ USER │ +│ │ +│ - Book slots │ +│ - Cancel bookings │ +│ - Join waitlists │ +│ - View own data │ +└───────────────────┘ +``` \ No newline at end of file From fb27b8ed1858caa83634138917988000d55b3b70 Mon Sep 17 00:00:00 2001 From: Aditya Rathore <153427299+AdityaDRathore@users.noreply.github.com> Date: Tue, 27 May 2025 16:19:42 +0000 Subject: [PATCH 7/7] feat: update permission model tasks to completed status in backend implementation plan --- .../Development Plan Complete.md | 8 ++--- .../Implementation/Develpment Plan Backend.md | 32 +++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/Implementation/Development Plan Complete.md b/docs/Implementation/Development Plan Complete.md index bf2b58c..05aa118 100644 --- a/docs/Implementation/Development Plan Complete.md +++ b/docs/Implementation/Development Plan Complete.md @@ -106,10 +106,10 @@ Corresponds to Backend Plan - PHASE 1 (Day 3 Completion), PHASE 2, PHASE 3 (Day * [x] Task 3.4: Documentation Updates * **Authorization & RBAC Implementation (Backend PHASE 2)** * **Day 1: Permission Model Design** - * [ ] Task 1.1: Define Permission Structure - * [ ] Task 1.2: Role Definitions - * [ ] Task 1.3: Resource Ownership Rules - * [ ] Task 1.4: Permission Matrix Documentation + * [x] Task 1.1: Define Permission Structure + * [x] Task 1.2: Role Definitions + * [x] Task 1.3: Resource Ownership Rules + * [x] Task 1.4: Permission Matrix Documentation * **Day 2: RBAC Middleware Implementation** * [ ] Task 2.1: Enhance Role Middleware * [ ] Task 2.2: Resource Access Control diff --git a/docs/Implementation/Develpment Plan Backend.md b/docs/Implementation/Develpment Plan Backend.md index 757aafc..2001e76 100644 --- a/docs/Implementation/Develpment Plan Backend.md +++ b/docs/Implementation/Develpment Plan Backend.md @@ -63,22 +63,22 @@ **Day 1: Permission Model Design** -* [ ] Task 1.1: Define Permission Structure - * [ ] Create permission constants for all operations. - * [ ] Document permission hierarchy by role. - * [ ] Map permissions to API endpoints. -* [ ] Task 1.2: Role Definitions - * [ ] Finalize role definitions (User, Admin, SuperAdmin). - * [ ] Document capabilities of each role. - * [ ] Define role inheritance if applicable. -* [ ] Task 1.3: Resource Ownership Rules - * [ ] Define ownership rules for different resources. - * [ ] Document how ownership affects permissions. - * [ ] Create ownership verification patterns. -* [ ] Task 1.4: Permission Matrix Documentation - * [ ] Create comprehensive permission matrix for all operations. - * [ ] Document special cases and exceptions. - * [ ] Create visual representation of permission system. +* [x] Task 1.1: Define Permission Structure + * [x] Create permission constants for all operations. + * [x] Document permission hierarchy by role. + * [x] Map permissions to API endpoints. +* [x] Task 1.2: Role Definitions + * [x] Finalize role definitions (User, Admin, SuperAdmin). + * [x] Document capabilities of each role. + * [x] Define role inheritance if applicable. +* [x] Task 1.3: Resource Ownership Rules + * [x] Define ownership rules for different resources. + * [x] Document how ownership affects permissions. + * [x] Create ownership verification patterns. +* [x] Task 1.4: Permission Matrix Documentation + * [x] Create comprehensive permission matrix for all operations. + * [x] Document special cases and exceptions. + * [x] Create visual representation of permission system. **Day 2: RBAC Middleware Implementation**