
Permissions handling#54

Open
OrigamiStarz wants to merge 24 commits into main from permissions-handling

Conversation

@OrigamiStarz (Contributor) commented Apr 24, 2026

Summary

Resolves #37

Implements Role-Based Access Control (RBAC) across the backend API and frontend UI, scoping
what admins vs. teachers can see and do.

Link to permissions doc: Google Doc

Changes

Backend

New middleware

  • attachUserContext.ts — fetches the authenticated user's MongoDB document after token
    verification and attaches it to req.userContext for downstream use
  • requireAdmin.ts — reusable middleware that short-circuits non-admin requests with a 403
  • permissions.ts — shared helpers (hasStudentAccess, hasSectionAccess,
    TEACHER_EDITABLE_STUDENT_FIELDS, TEACHER_STUDENT_PROJECTION) for consistent permission
    checks across controllers
  • app.ts — wired attachUserContext into all /api/* route groups

Controllers updated

| Resource | Admin | Teacher |
|---|---|---|
| Sections | Full CRUD | Read own sections only |
| Sessions | Full CRUD | Read/view sessions for their sections only |
| Students | Full CRUD, all fields | Read/edit own-section students; limited fields only (comments, preassessmentScore, postassessmentScore) |
| Attendance | Full CRUD | Read/update attendance for their sections only |
| Users | Look up any user | Look up self only |

Frontend

  • Conditional rendering based on isAdmin from AuthContext
  • New AdminRoute component guards admin-only pages
  • Navbar hides admin-only links for non-admin users
  • API calls updated to handle scoped responses (e.g. filtered enrolledSections for teachers)
  • StudentStaffPage, StudentEditForm, StudentTabs, SectionCard, StudentCard all
    updated to respect role context

Testing

  • Tested API endpoints from the frontend using accounts with different roles (admin, teacher)
  • Used the test page to test all the APIs in each of the five controllers
  • Confirmed admin accounts receive full unfiltered data
  • Confirmed teacher accounts receive filtered students, sections, sessions, and attendance

Confirmation of Change

Admin

Screenshot 2026-05-05 at 2 07 53 AM
Screen.Recording.2026-05-05.at.2.08.42.AM.mov

Non-Admin

Screenshot 2026-05-05 at 2 31 50 AM
Screen.Recording.2026-05-05.at.2.32.18.AM.mov
Screen.Recording.2026-05-05.at.2.36.32.AM.mov
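
The access checks described in the PR summary (requireAdmin short-circuiting with a 403, hasSectionAccess/hasStudentAccess scoping teachers to their own sections, and the TEACHER_EDITABLE_STUDENT_FIELDS allow-list applied to student edits), as an added TypeScript example that is not code from this PR or from the meemli project. The UserContext and Student shapes, the sectionIds field on the user, the guardianPhone field, and the status codes returned to a teacher for out-of-scope requests are assumptions; the Express req/res objects are modelled with minimal interfaces so the example runs without the framework.

```typescript
// Added example (not the project's code): a framework-free model of the RBAC
// pattern this PR describes. Names such as UserContext, requireAdmin,
// hasSectionAccess, hasStudentAccess and TEACHER_EDITABLE_STUDENT_FIELDS follow
// the PR description; their exact shapes, the sectionIds and guardianPhone
// fields, and the status codes for non-admin errors are assumptions.

type Role = "admin" | "teacher";

interface UserContext {
  id: string;
  role: Role;
  sectionIds: string[]; // sections this teacher is assigned to (assumed field)
}

interface Student {
  id: string;
  name: string;
  enrolledSections: string[];
  comments?: string;
  preassessmentScore?: number;
  postassessmentScore?: number;
  guardianPhone?: string; // assumed sensitive field a teacher must not edit
}

// Minimal request/response shapes so the handlers run without Express.
interface Req { userContext?: UserContext; body?: Record<string, unknown>; }
interface Res { statusCode?: number; payload?: unknown; status(code: number): Res; json(p: unknown): Res; }

function makeRes(): Res {
  const res: Res = {
    status(code) { res.statusCode = code; return res; },
    json(p) { res.payload = p; return res; },
  };
  return res;
}

const TEACHER_EDITABLE_STUDENT_FIELDS: readonly string[] =
  ["comments", "preassessmentScore", "postassessmentScore"];

// Deny by default: a missing userContext (attachUserContext did not run) is
// treated as unauthenticated, never as admin.
function requireAdmin(req: Req, res: Res, next: () => void): void {
  if (!req.userContext) { res.status(401).json({ error: "unauthenticated" }); return; }
  if (req.userContext.role !== "admin") { res.status(403).json({ error: "forbidden" }); return; }
  next();
}

function hasSectionAccess(user: UserContext, sectionId: string): boolean {
  return user.role === "admin" || user.sectionIds.indexOf(sectionId) !== -1;
}

function hasStudentAccess(user: UserContext, student: Student): boolean {
  return user.role === "admin" ||
    student.enrolledSections.some((s) => hasSectionAccess(user, s));
}

// Allow-list the update body. Fields outside the list are reported back so a
// teacher client that sends guardianPhone gets an explicit 403 rather than a
// silently partial write (mass-assignment protection).
function filterStudentUpdate(user: UserContext, body: Record<string, unknown>):
  { allowed: Record<string, unknown>; rejected: string[] } {
  if (user.role === "admin") return { allowed: { ...body }, rejected: [] };
  const allowed: Record<string, unknown> = {};
  const rejected: string[] = [];
  for (const key of Object.keys(body)) {
    if (TEACHER_EDITABLE_STUDENT_FIELDS.indexOf(key) !== -1) allowed[key] = body[key];
    else rejected.push(key);
  }
  return { allowed, rejected };
}

// Simulated controller for PATCH /students/:id. Both checks run server-side;
// the frontend's AdminRoute/isAdmin gating is convenience, not enforcement.
function updateStudentHandler(req: Req, student: Student): Res {
  const res = makeRes();
  const user = req.userContext;
  if (!user) return res.status(401).json({ error: "unauthenticated" });
  if (!hasStudentAccess(user, student)) return res.status(403).json({ error: "forbidden" });
  const { allowed, rejected } = filterStudentUpdate(user, req.body ?? {});
  if (rejected.length > 0) {
    return res.status(403).json({ error: "field not editable", fields: rejected });
  }
  return res.status(200).json({ ...student, ...allowed });
}

// Runs requireAdmin and reports whether it called next() or which status it sent.
function invokeRequireAdmin(user?: UserContext): number | "next" {
  const res = makeRes();
  let passed: boolean = false;
  requireAdmin({ userContext: user }, res, () => { passed = true; });
  return passed ? "next" : (res.statusCode as number);
}

// Constructed sample data, not taken from the project.
const admin: UserContext = { id: "a1", role: "admin", sectionIds: [] };
const teacher: UserContext = { id: "t1", role: "teacher", sectionIds: ["sec-A"] };
const studentInA: Student = { id: "s1", name: "Ada", enrolledSections: ["sec-A"], guardianPhone: "555-0100" };
const studentInB: Student = { id: "s2", name: "Bo", enrolledSections: ["sec-B"] };
```

The field allow-list runs on the server even though the frontend already hides those fields, because a teacher can hand-craft a PATCH body; rejecting unknown fields with a 403 rather than dropping them silently keeps such attempts visible in request logs.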

@OrigamiStarz OrigamiStarz requested a review from mraysu as a code owner April 24, 2026 09:08
@OrigamiStarz OrigamiStarz marked this pull request as draft April 24, 2026 09:08
@github-actions (Bot) commented Apr 24, 2026

Visit the preview URL for this PR (updated for commit b8809bb):

https://meemli-dev--pr54-permissions-handling-rqcyq9k8.web.app

(expires Wed, 13 May 2026 02:42:39 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 633a893569aee98f762f025e27aa080a469727e1

@Rohaansandhu Rohaansandhu marked this pull request as ready for review May 6, 2026 02:52
@mraysu mraysu requested review from thomas-rocha May 8, 2026 00:02
Development

Successfully merging this pull request may close these issues.

MVP Permissions Handling and Specific Role Views
