# Role-Based Access Control (RBAC)

## Role Definitions

| Role ID | Name | Route Prefix | Permissions |
|---------|------|--------------|-------------|
| 0 | Superuser | `/superuser` | Full access + Users CRUD |
| 1 | Admin | `/admin` | Full access + Users CRUD |
| 2 | Lab | `/lab` | Request validation, Sample collection |
| 3 | Phlebo | `/phlebo` | Specimen collection, Dashboard |
| 4 | CS | `/cs` | Dashboard, Status Monitoring, Patient Inquiry |

## Route Filtering

### Role Filter

```php
// Single role
['filter' => 'role:1']

// Multiple roles
['filter' => 'role:1,2']
```

### Filter Usage

**app/Filters/RoleFilter.php**
- Checks `session()->get('isLoggedIn')`; redirects to `/login` if not logged in
- Checks the session role ID against the allowed roles passed as route arguments
- Redirects to `/unauthorized` if the role is not authorized

**app/Filters/GuestFilter.php**
- Redirects logged-in users to their role-based dashboard
- Use for public-only routes (e.g., `/login`)

## Route Prefixes & Controllers

### Superuser (Role 0)
- `/superuser` - Pages\SuperuserController::index
- `/superuser/users` - Pages\SuperuserController::users
- `/superuser/validate` - Pages\SuperuserController::validatePage

### Admin (Role 1)
- `/admin` - Pages\AdminController::index
- `/admin/users` - Pages\AdminController::users
- `/admin/validate` - Pages\AdminController::validationPage

### Lab (Role 2)
- `/lab` - Pages\LabController::index
- `/lab/validate` - Pages\LabController::validationPage

### Phlebo (Role 3)
- `/phlebo` - Pages\PhlebotomistController::index

### CS (Role 4)
- `/cs` - Pages\CsController::index

## Validation System (Dual-Level)

Validation requires two different users to validate the same request:

**First Validation:**
- Sets `ISVAL1=1`
- Records `VAL1USER` (username)
- Records `VAL1DATE` (datetime)

**Second Validation (different user):**
- Sets `ISVAL2=1`
- Records `VAL2USER` (username)
- Records `VAL2DATE` (datetime)

**Validation Permission:**
- Available to Role 0, 1, 2 (Superuser, Admin, Lab)

## Unvalidation

- Available to Role 0, 1 (Superuser, Admin)
- Sets `ISVAL1=0` and `ISVAL2=0`, clears validation user/date fields

## Authentication Flow

1. **AuthController::login()** - Verifies credentials against `GDC_CMOD.dbo.USERS`, sets session
2. **RoleFilter** - Runs on protected routes, checks `session()->get('isLoggedIn')` and role ID
3. **GuestFilter** - Runs on public routes, redirects logged-in users to dashboard

## API Endpoint Permissions

### Users Management
- **Access**: Role 0, 1 (Superuser, Admin)
- **Endpoints**: GET, POST, PATCH, DELETE on `/api/users`

### Requests
- **Access**: Role 0, 1, 2, 3, 4 (All Roles)
- **Endpoints**:
  - `GET /api/requests` - Dashboard data
  - `POST /api/requests/validate/:id` - Validate request
  - `DELETE /api/requests/validate/:id` - Unvalidate request
  - `GET /api/requests/:id/audit` - Audit trail

Because the `/api/requests` group admits all roles at the route level, the role restrictions on validate (0, 1, 2) and unvalidate (0, 1) are not enforced by the route filter and must be checked in the controller.

### Samples
- **Access**: All Roles for collect/show
- **Unreceive**: Role 0, 1 only
- **Endpoints**:
  - `POST /api/samples/collect/:accessnumber` - Mark sample collected
  - `GET /api/samples/:accessnumber` - Show sample info
  - `DELETE /api/samples/receive/:accessnumber` - Unreceive sample

As with requests, the unreceive restriction is narrower than the group's route filter and has to be enforced in the controller.
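The two filters described under Filter Usage and in the Authentication Flow, written out as a CodeIgniter 4 example. This is an added illustration, not the project's own `app/Filters/RoleFilter.php` or `GuestFilter.php`; both classes are shown in one listing for brevity. It assumes `AuthController::login()` stores `isLoggedIn` and an integer `roleId` in the session (the key name `roleId` is an assumption); the dashboard prefixes come from the Role Definitions table.

```php
<?php
// Added example, not the project's own filter code. Assumes the session holds
// 'isLoggedIn' and an integer 'roleId' (key name assumed). In the app the two
// classes live in app/Filters/RoleFilter.php and app/Filters/GuestFilter.php.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class RoleFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();

        if (! $session->get('isLoggedIn')) {
            return redirect()->to('/login');
        }

        // A route option of 'role:1,2' arrives here as $arguments = ['1', '2'].
        // A route attached to this filter without any role list is a
        // configuration mistake: fail closed instead of letting everyone through.
        $allowed = array_map('intval', (array) $arguments);
        if ($allowed === []) {
            return redirect()->to('/unauthorized');
        }

        // Superuser is role 0, which is falsy in PHP, so never test the role
        // with `if (! $session->get('roleId'))`. Check that the key exists and
        // compare with strict types.
        if (! $session->has('roleId')) {
            return redirect()->to('/unauthorized');
        }
        if (! in_array((int) $session->get('roleId'), $allowed, true)) {
            return redirect()->to('/unauthorized');
        }

        // Returning nothing lets the request proceed to the controller.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}

class GuestFilter implements FilterInterface
{
    /** Role ID => dashboard route prefix, from the Role Definitions table. */
    private const DASHBOARDS = [
        0 => '/superuser',
        1 => '/admin',
        2 => '/lab',
        3 => '/phlebo',
        4 => '/cs',
    ];

    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();

        if (! $session->get('isLoggedIn')) {
            return; // anonymous visitor: the public-only route may render
        }

        // Logged in: send the user to the dashboard for their role. A session
        // carrying an unknown role is treated as unauthorized rather than
        // bounced back to the public page.
        $role   = $session->has('roleId') ? (int) $session->get('roleId') : null;
        $target = self::DASHBOARDS[$role] ?? '/unauthorized';

        return redirect()->to($target);
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```

Register both under `$aliases` in `app/Config/Filters.php` (`'role' => RoleFilter::class`, `'guest' => GuestFilter::class`) and attach them with the route options shown in the Role Filter section, e.g. `['filter' => 'role:0,1']` on the `/api/users` routes. After a successful credential check in `AuthController::login()`, call `session()->regenerate()` before writing `isLoggedIn` so a session ID fixed before login is not carried into the authenticated session.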
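The dual-level validation and unvalidation rules above, modelled as plain PHP functions over a request row. This is an added example and not the project's controller code: the column names `ISVAL1`, `VAL1USER`, `VAL1DATE`, `ISVAL2`, `VAL2USER`, `VAL2DATE` and the role lists come from the page; the `ValidationError` class, the `$actor` array shape, the constructed sample rows and users, and the case-insensitive username comparison are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Column names and role lists come
// from the RBAC page; ValidationError, the $actor shape ['username' => string,
// 'roleId' => int], and the sample data below are assumptions.

final class ValidationError extends RuntimeException {}

const ROLES_CAN_VALIDATE   = [0, 1, 2]; // Superuser, Admin, Lab
const ROLES_CAN_UNVALIDATE = [0, 1];    // Superuser, Admin

/** Apply one validation step to a request row and return the updated row. */
function validateRequest(array $row, array $actor, DateTimeImmutable $now): array
{
    if (! in_array($actor['roleId'], ROLES_CAN_VALIDATE, true)) {
        throw new ValidationError('role not permitted to validate');
    }
    $stamp = $now->format('Y-m-d H:i:s');

    if ((int) $row['ISVAL1'] !== 1) {
        // First validation: record who validated and when.
        $row['ISVAL1']   = 1;
        $row['VAL1USER'] = $actor['username'];
        $row['VAL1DATE'] = $stamp;
        return $row;
    }

    if ((int) $row['ISVAL2'] === 1) {
        throw new ValidationError('request is already fully validated');
    }

    // The second validation must come from a different user than the first.
    // Case-insensitive compare (assumption) so "Admin" cannot countersign "admin".
    if (strcasecmp((string) $row['VAL1USER'], $actor['username']) === 0) {
        throw new ValidationError('second validation must be performed by a different user');
    }
    $row['ISVAL2']   = 1;
    $row['VAL2USER'] = $actor['username'];
    $row['VAL2DATE'] = $stamp;
    return $row;
}

/** Reset both validation levels; only Superuser and Admin may do this. */
function unvalidateRequest(array $row, array $actor): array
{
    if (! in_array($actor['roleId'], ROLES_CAN_UNVALIDATE, true)) {
        throw new ValidationError('role not permitted to unvalidate');
    }
    $row['ISVAL1'] = 0;
    $row['ISVAL2'] = 0;
    $row['VAL1USER'] = $row['VAL1DATE'] = $row['VAL2USER'] = $row['VAL2DATE'] = null;
    return $row;
}

// Walk-through with a constructed row and constructed users.
$row = ['ISVAL1' => 0, 'VAL1USER' => null, 'VAL1DATE' => null,
        'ISVAL2' => 0, 'VAL2USER' => null, 'VAL2DATE' => null];
$lab   = ['username' => 'lab01',   'roleId' => 2];
$admin = ['username' => 'admin01', 'roleId' => 1];
$cs    = ['username' => 'cs01',    'roleId' => 4];

$row = validateRequest($row, $lab, new DateTimeImmutable('2024-01-01 08:00:00'));   // ISVAL1=1
try {
    validateRequest($row, $lab, new DateTimeImmutable('2024-01-01 08:05:00'));      // same user
} catch (ValidationError $e) {
    echo $e->getMessage(), PHP_EOL;
}
$row = validateRequest($row, $admin, new DateTimeImmutable('2024-01-01 09:00:00')); // ISVAL2=1
try {
    unvalidateRequest($row, $cs);                                                   // CS may not
} catch (ValidationError $e) {
    echo $e->getMessage(), PHP_EOL;
}
$row = unvalidateRequest($row, $admin);                                             // back to 0/0
```

In the real `POST /api/requests/validate/:id` handler the read-check-write above should not be three separate statements: persist each step as a single conditional `UPDATE` (`WHERE ISVAL1 = 0` for the first level, `WHERE ISVAL1 = 1 AND ISVAL2 = 0 AND VAL1USER <> @user` for the second) and treat zero affected rows as a rejected validation, so two concurrent calls cannot both be recorded as the same level or let one user occupy both.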