gdc_cmod/.serena/memories/rbac_system.md


Role-Based Access Control (RBAC)

Role Definitions

| Role ID | Name      | Route Prefix | Permissions                                    |
|---------|-----------|--------------|------------------------------------------------|
| 0       | Superuser | /superuser   | Full access + Users CRUD                       |
| 1       | Admin     | /admin       | Full access + Users CRUD                       |
| 2       | Lab       | /lab         | Request validation, Sample collection          |
| 3       | Phlebo    | /phlebo      | Specimen collection, Dashboard                 |
| 4       | CS        | /cs          | Dashboard, Status Monitoring, Patient Inquiry  |

Route Filtering

Role Filter

```php
// Single role: only role ID 1 (Admin) may reach the route
['filter' => 'role:1']

// Multiple roles: comma-separated list of allowed role IDs (Admin or Lab)
['filter' => 'role:1,2']
```

Filter Usage

app/Filters/RoleFilter.php

  • Checks session()->get('isLoggedIn') - redirects to /login if not logged in
  • Checks role ID against allowed roles from route arguments
  • Redirects to /unauthorized if role not authorized

app/Filters/GuestFilter.php

  • Redirects logged-in users to role-based dashboard
  • Use for public-only routes (e.g., /login)
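An added illustration of the RoleFilter behaviour described above (this is example code, not the project's own app/Filters/RoleFilter.php). It assumes CodeIgniter 4 and a session key named `role` holding the numeric role ID; the key name is an assumption. The point worth checking in any implementation here is that Superuser is role 0, which PHP treats as falsy, so the role must be tested against `null`, not for truthiness.

```php
<?php
// Added example, not the project's own RoleFilter. Assumes CodeIgniter 4 and
// a session key 'role' holding the numeric role ID (key name is an assumption).
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class RoleFilter implements FilterInterface
{
    // CodeIgniter passes the route option 'role:1,2' to before() as ['1', '2'].
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();

        if (! $session->get('isLoggedIn')) {
            return redirect()->to('/login');
        }

        $role = $session->get('role');

        // Superuser is role 0, which is falsy in PHP: compare against null,
        // otherwise every Superuser would be sent to /unauthorized.
        if ($role === null || ! self::isAllowed((int) $role, $arguments ?? [])) {
            return redirect()->to('/unauthorized');
        }

        return null; // fall through to the controller
    }

    // Deny by default: a route declared without a role list admits nobody.
    public static function isAllowed(int $role, array $allowed): bool
    {
        foreach ($allowed as $id) {
            if (ctype_digit((string) $id) && (int) $id === $role) {
                return true;
            }
        }
        return false;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```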

Route Prefixes & Controllers

Superuser (Role 0)

  • /superuser - Pages\SuperuserController::index
  • /superuser/users - Pages\SuperuserController::users
  • /superuser/validate - Pages\SuperuserController::validatePage

Admin (Role 1)

  • /admin - Pages\AdminController::index
  • /admin/users - Pages\AdminController::users
  • /admin/validate - Pages\AdminController::validationPage

Lab (Role 2)

  • /lab - Pages\LabController::index
  • /lab/validate - Pages\LabController::validationPage

Phlebo (Role 3)

  • /phlebo - Pages\PhlebotomistController::index

CS (Role 4)

  • /cs - Pages\CsController::index

Validation System (Dual-Level)

Validation requires two different users to validate the same request:

First Validation:

  • Sets ISVAL1=1
  • Records VAL1USER (username)
  • Records VAL1DATE (datetime)

Second Validation (different user):

  • Sets ISVAL2=1
  • Records VAL2USER (username)
  • Records VAL2DATE (datetime)

Validation Permission:

  • Available to Role 0, 1, 2 (Superuser, Admin, Lab)

Unvalidation

  • Available to Role 0, 1 (Superuser, Admin)
  • Sets ISVAL1=0 and ISVAL2=0, clears validation user/date fields

Authentication Flow

  1. AuthController::login() - Verifies credentials against GDC_CMOD.dbo.USERS, sets session
  2. RoleFilter - Runs on protected routes, checks session()->get('isLoggedIn') and role ID
  3. GuestFilter - Runs on public routes, redirects logged-in users to dashboard

API Endpoint Permissions

Users Management

  • Access: Role 0, 1 (Superuser, Admin)
  • Endpoints: GET, POST, PATCH, DELETE on /api/users

Requests

  • Access: Role 0, 1, 2, 3, 4 (All Roles)
  • Endpoints:
    • GET /api/requests - Dashboard data
    • POST /api/requests/validate/:id - Validate request
    • DELETE /api/requests/validate/:id - Unvalidate request
    • GET /api/requests/:id/audit - Audit trail

Samples

  • Access: All Roles for collect/show
  • Unreceive: Role 0, 1 only
  • Endpoints:
    • POST /api/samples/collect/:accessnumber - Mark sample collected
    • GET /api/samples/:accessnumber - Show sample info
    • DELETE /api/samples/receive/:accessnumber - Unreceive sample