
Commit 39501df

feat(user): enhance user model permissions
- Add create user permission for admins
- Implement update and delete permissions for both admins and regular users
- Add detailed comments explaining the permission logic
1 parent fc79dae commit 39501df

1 file changed: +13 -2 lines changed


lib/src/registry/model_registry.dart

Lines changed: 13 additions & 2 deletions
@@ -281,17 +281,28 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
281281
requiresOwnershipCheck: true, // Must be the owner
282282
requiresAuthentication: true,
283283
),
284+
// Admins can create users via the data endpoint.
285+
// User creation via auth routes (e.g., sign-up) is separate.
284286
postPermission: const ModelActionPermission(
285-
type: RequiredPermissionType
286-
.unsupported, // User creation handled by auth routes
287+
type: RequiredPermissionType.specificPermission,
288+
permission: Permissions.userCreate,
287289
requiresAuthentication: true,
288290
),
291+
// An admin can update any user's roles.
292+
// A regular user can update specific fields on their own profile
293+
// (e.g., feedDecoratorStatus), which is handled by the updater logic
294+
// in DataOperationRegistry. The ownership check ensures they can only
295+
// access their own user object to begin with.
289296
putPermission: const ModelActionPermission(
290297
type: RequiredPermissionType.specificPermission,
291298
permission: Permissions.userUpdateOwned, // User can update their own
292299
requiresOwnershipCheck: true, // Must be the owner
293300
requiresAuthentication: true,
294301
),
302+
// An admin can delete any user.
303+
// A regular user can delete their own account.
304+
// The ownership check middleware is bypassed for admins, so this single
305+
// config works for both roles.
295306
deletePermission: const ModelActionPermission(
296307
type: RequiredPermissionType.specificPermission,
297308
permission: Permissions.userDeleteOwned, // User can delete their own
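Review bot: the new postPermission enforces only Permissions.userCreate with requiresAuthentication: true, so the comment "Admins can create users via the data endpoint" holds only if that permission is granted exclusively to admin roles; that role-to-permission mapping is outside this hunk, so a test asserting that an authenticated non-admin is rejected on POST would pin it down. The same applies to the new put and delete comments, which rely on the ownership check middleware being bypassed for admins and on the updater logic in DataOperationRegistry restricting which fields a regular user may change on their own record: the permission here is userUpdateOwned with requiresOwnershipCheck: true, which by itself does not stop a user from editing their own roles field, so a test of a non-admin attempting to change roles on their own user object would make that field-level restriction explicit rather than assumed in a comment.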
