Currently, our frontend code restricts views / buttons based on user role. However, some of our backend API routes are not protected.
Add authorization to our backend API routes that don't already have it. Most GET API endpoints already have protection. For instance, Volunteer/Recipients only see limited information about a dog. A lot of the action API routes are missing authorization. For instance, only Admin + Managers should be able to delete dogs.
Authorization is based on user role and/or association. You can get a user's association with a dog using our backend utility function! Try to organize your auth logic into a function that can be reused across all our API routes.
Here are the rules; if you are unsure of a rule, ✨ ASK LEADERSHIP ✨.

Roles:

- Manager
  - Mark logs as resolved (auth already implemented in PATCH /api/logs)
  - Edit all dogs, delete all dogs, create dogs
  - Change anyone's role (except other managers)
  - Create logs, delete own logs, edit own logs (edge case: when resolving a log, they can edit the resolved property of anyone's log)
  - Create (invite) users
- Admin
  - Edit all dogs, delete all dogs, create dogs
  - Can change a User to the Admin role
  - Create logs, delete own logs, edit own logs

Associations:

- Instructor/Caregiver
  - Edit associated dog info
  - Create logs for associated dog, edit own logs for associated dog, delete own logs for associated dog
- Volunteer/Recipient
  - Edit their own name
  - Create, edit, and delete logs for dogs they are associated with
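One way to turn the rules above into a single reusable check, as an added example and not code from this project: a pure `authorize(user, action, ctx)` function that every API route can call, plus a small Express-style middleware wrapper around it. The role strings (`Manager`, `Admin`, `User`), the association strings (`Instructor`, `Caregiver`, `Volunteer`, `Recipient`), the action names, and the `sampleGetAssociation` lookup standing in for the project's own association utility are all assumptions; the association table it reads is constructed sample data. Unknown actions are denied by default, and the one rule the issue leaves ambiguous (whether Volunteer/Recipient may edit or delete logs they did not write) is marked in a comment so it can be confirmed with leadership rather than silently widened.

```javascript
// Added example: reusable authorization helper for the rules in this issue.
// Assumed (not from the issue): role strings, association strings, action
// names, and the lookup below standing in for the project's own utility.

// Constructed sample data: userId -> dogId -> association kind.
const SAMPLE_ASSOCIATIONS = {
  u_ins: { d1: "Instructor" },
  u_vol: { d2: "Volunteer" },
};

// Hypothetical stand-in for the backend "association with a dog" utility.
function sampleGetAssociation(userId, dogId) {
  return (SAMPLE_ASSOCIATIONS[userId] || {})[dogId] || null;
}

const DOG_ASSOCIATIONS = new Set(["Instructor", "Caregiver", "Volunteer", "Recipient"]);

const isManager = (u) => !!u && u.role === "Manager";
const isAdmin = (u) => !!u && u.role === "Admin";
const isStaff = (u) => isManager(u) || isAdmin(u);

// ctx may carry: dogId, log ({ dogId, authorId }), targetUser, newRole.
function authorize(user, action, ctx = {}, getAssociation = sampleGetAssociation) {
  if (!user) return false;
  // Dog under consideration: explicit dogId, or the dog the log belongs to.
  const dogId = ctx.dogId || (ctx.log && ctx.log.dogId) || null;
  const assoc = dogId ? getAssociation(user.id, dogId) : null;
  const isTrainer = assoc === "Instructor" || assoc === "Caregiver";
  const isVolunteer = assoc === "Volunteer" || assoc === "Recipient";
  const associated = DOG_ASSOCIATIONS.has(assoc);
  const ownsLog = !!ctx.log && ctx.log.authorId === user.id;

  switch (action) {
    case "dog:create":
    case "dog:delete":
      return isStaff(user); // only Admin + Managers
    case "dog:edit":
      return isStaff(user) || isTrainer; // staff, or associated Instructor/Caregiver
    case "log:create":
      return isStaff(user) || associated;
    case "log:edit":
    case "log:delete":
      if (isStaff(user)) return ownsLog; // staff edit/delete only their own logs
      if (isTrainer) return ownsLog; // own logs on an associated dog
      // Issue text says Volunteer/Recipient may "edit and delete logs for dogs
      // they are associated with" without "own"; confirm with leadership.
      if (isVolunteer) return true;
      return false;
    case "log:resolve":
      return isManager(user); // Manager may flip `resolved` on anyone's log
    case "user:changeRole": {
      const target = ctx.targetUser;
      if (!target) return false;
      if (isManager(user)) return !isManager(target); // anyone except other managers
      if (isAdmin(user)) return target.role === "User" && ctx.newRole === "Admin";
      return false;
    }
    case "user:invite":
      return isManager(user);
    case "user:editName":
      return !!ctx.targetUser && ctx.targetUser.id === user.id; // own name only
    default:
      return false; // deny anything not explicitly allowed
  }
}

// Express-style middleware factory so routes share one check. Assumes an
// earlier authentication middleware has set req.user.
function requireAuth(action, buildCtx) {
  return (req, res, next) => {
    const ctx = buildCtx ? buildCtx(req) : {};
    if (!authorize(req.user, action, ctx)) {
      return res.status(403).json({ error: "Forbidden" });
    }
    return next();
  };
}

// Usage sketch: router.delete("/api/dogs/:id", requireAuth("dog:delete"), handler);
```

Because `authorize` is pure and takes the association lookup as a parameter, it can be unit-tested against a fixture table and then wired to the real utility in the routes; the middleware keeps the 403 handling in one place so no action route can forget it.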