There is currently only one access level. Ideally, we need at least 2 tiers of access. These would be (1) admin, (2) staff. All users can create QR codes, but staff cannot manage other users. Admins can add and remove staff users.
This will involve:
- Updating the Mongoose User schema to have a role property, which can have the value 'admin' or 'staff'. Note that we're using passport-local-mongoose to manage users and authentication.
- Routes for listing/viewing/creating/removing staff should be added to the admin router. These should be authorized so that only users with the 'admin' role can access these routes.
- The admin UI should be updated accordingly so that 'admin' level users can view all users, view a specific user, add a user, and delete a user. Follow the current UI pattern, i.e. just use static html pages and html forms.
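One way the role property and the admin-only authorization could look, as an added example that is not the project's own code. The names `requireRole`, `newStaffFields`, `roleField`, `simulate` and the `/users` path are assumptions; the middleware is plain Express-style JavaScript so it runs without dependencies.

```javascript
// Added example, not the project's code. Express-style middleware, no dependencies.
const ROLES = ['admin', 'staff'];

// Path definition to add to the Mongoose User schema (assumed shape).
// Defaulting to 'staff' makes an account created without a role least-privileged.
const roleField = { type: String, enum: ROLES, default: 'staff', required: true };

// Middleware factory: let the request through only if passport populated req.user
// and that user's role is in the allowed list. Everything else fails closed.
function requireRole(...allowed) {
  return function (req, res, next) {
    const authenticated = typeof req.isAuthenticated === 'function' && req.isAuthenticated();
    if (!authenticated || !req.user) {
      return res.status(401).send('Login required');
    }
    // A missing or unknown role is treated the same as a disallowed one.
    if (!ROLES.includes(req.user.role) || !allowed.includes(req.user.role)) {
      return res.status(403).send('Forbidden');
    }
    return next();
  };
}

// Build the document for the "add staff" HTML form. Only the username is read from
// the form body; role is set server-side, so a crafted "role=admin" field is ignored.
// The password is not stored here: it goes separately to User.register().
function newStaffFields(body) {
  const username = typeof body.username === 'string' ? body.username.trim() : '';
  if (!username) throw new Error('username is required');
  return { username, role: 'staff' };
}

// Hypothetical wiring in the admin router:
//   adminRouter.use('/users', requireRole('admin'));

// Minimal stand-in for Express req/res so the check can be exercised offline.
function simulate(user) {
  const result = { status: 200, passed: false };
  const req = { user, isAuthenticated: () => Boolean(user) };
  const res = {
    status(code) { result.status = code; return this; },
    send() { return this; },
  };
  requireRole('admin')(req, res, () => { result.passed = true; });
  return result;
}
```

Accounts that exist before the schema change need an 'admin' role assigned explicitly, otherwise nobody can reach the user-management routes.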