GEWIS / sudosos-backend

SudoSOS is a Node.js-based Bar and POS system made for study association GEWIS.
https://sudosos.gewis.nl
GNU Affero General Public License v3.0

Better permissions #170

Closed SuperVK closed 2 months ago

SuperVK commented 5 months ago

A few questions that need answers:

  1. Should all BAC be able to edit transactions? (or only view them?)
  2. Should Board be able to admin all users? (or only view them?)
  3. Should all BAC be able to see all users? (and also edit them?)
  4. Feel free to add more.

Furthermore -> Frontend should implement the permissions that the backend lays out, to prevent security through obscurity, and make it clear what the current permissions are.

Goal of this issue: Answer these questions and implement them in the backend.

SuperVK commented 3 months ago

Okay from my part:

  1. BAC can see (and edit) transactions made by users, but cannot see the users themselves, what is the use of this?
  2. I think Board should have permissions to see all users, in case the BAC PM is not available to check certain things; I think it is nice to have the board as feedback.
  3. I don't see the use of the whole BAC seeing all of the users, like is the case right now.
  4. I cannot make a payout request as a regular user? Should that not be changed?

SuperVK commented 3 months ago

Consensus seems towards: BAC role can be removed, Seller role will receive more permissions, such as the creation of products, and the assigning of products to containers. Creation of containers and POS' will stay at the BAC PM.