gdc_cmod/.serena/memories/rbac_system.md

# Role-Based Access Control (RBAC)
## Role Definitions
| Role ID | Name | Route Prefix | Permissions |
|---------|------|--------------|-------------|
| 0 | Superuser | `/superuser` | Full access + Users CRUD |
| 1 | Admin | `/admin` | Full access + Users CRUD |
| 2 | Lab | `/lab` | Request validation, Sample collection |
| 3 | Phlebo | `/phlebo` | Specimen collection, Dashboard |
| 4 | CS | `/cs` | Dashboard, Status Monitoring, Patient Inquiry |
## Route Filtering
### Role Filter
```php
// Single role
['filter' => 'role:1']
// Multiple roles
['filter' => 'role:1,2']
```
### Filter Usage
**app/Filters/RoleFilter.php**
- Checks `session()->get('isLoggedIn')` - redirects to `/login` if not logged in
- Checks role ID against allowed roles from route arguments
- Redirects to `/unauthorized` if role not authorized
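The checks listed above, written out as a CodeIgniter 4 filter. This is an added example, not the project's own `app/Filters/RoleFilter.php`; it assumes the session stores the role under a key named `roleId` (the `isLoggedIn` key is from the page) and treats a route with no role list as denied.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Example role filter. Session key 'roleId' is an assumed name;
 * 'isLoggedIn' matches the key described in the memory file.
 */
class RoleFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();

        // Not authenticated: send to the login page.
        if (! $session->get('isLoggedIn')) {
            return redirect()->to('/login');
        }

        // 'role:1,2' reaches the filter as ['1', '2']; a bare 'role'
        // filter gives null. Deny by default: no list means nobody.
        if (empty($arguments)) {
            return redirect()->to('/unauthorized');
        }

        $allowed = array_map('intval', $arguments);
        $roleId  = $session->get('roleId');

        // Superuser is role 0, which is falsy in PHP. Test for a missing
        // role explicitly and compare strictly so null never matches 0.
        if ($roleId === null || ! in_array((int) $roleId, $allowed, true)) {
            return redirect()->to('/unauthorized');
        }

        // Returning nothing lets the request continue to the controller.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller runs.
    }
}
```

The filter must be registered under the alias `role` in `app/Config/Filters.php` for `['filter' => 'role:1,2']` to resolve to it.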
**app/Filters/GuestFilter.php**
- Redirects logged-in users to role-based dashboard
- Use for public-only routes (e.g., `/login`)
## Route Prefixes & Controllers
### Superuser (Role 0)
- `/superuser` - Pages\SuperuserController::index
- `/superuser/users` - Pages\SuperuserController::users
- `/superuser/validate` - Pages\SuperuserController::validatePage
### Admin (Role 1)
- `/admin` - Pages\AdminController::index
- `/admin/users` - Pages\AdminController::users
- `/admin/validate` - Pages\AdminController::validationPage
### Lab (Role 2)
- `/lab` - Pages\LabController::index
- `/lab/validate` - Pages\LabController::validationPage
### Phlebo (Role 3)
- `/phlebo` - Pages\PhlebotomistController::index
### CS (Role 4)
- `/cs` - Pages\CsController::index
## Validation System (Dual-Level)
Validation requires two different users to validate the same request:
**First Validation:**
- Sets `ISVAL1=1`
- Records `VAL1USER` (username)
- Records `VAL1DATE` (datetime)
**Second Validation (different user):**
- Sets `ISVAL2=1`
- Records `VAL2USER` (username)
- Records `VAL2DATE` (datetime)
**Validation Permission:**
- Available to Role 0, 1, 2 (Superuser, Admin, Lab)
## Unvalidation
- Available to Role 0, 1 (Superuser, Admin)
- Sets `ISVAL1=0` and `ISVAL2=0`, clears validation user/date fields
## Authentication Flow
1. **AuthController::login()** - Verifies credentials against `GDC_CMOD.dbo.USERS`, sets session
2. **RoleFilter** - Runs on protected routes, checks `session()->get('isLoggedIn')` and role ID
3. **GuestFilter** - Runs on public routes, redirects logged-in users to dashboard
## API Endpoint Permissions
### Users Management
- **Access**: Role 0, 1 (Superuser, Admin)
- **Endpoints**: GET, POST, PATCH, DELETE on `/api/users`
### Requests
- **Access**: Role 0, 1, 2, 3, 4 (All Roles)
- **Endpoints**:
  - `GET /api/requests` - Dashboard data
  - `POST /api/requests/validate/:id` - Validate request
  - `DELETE /api/requests/validate/:id` - Unvalidate request
  - `GET /api/requests/:id/audit` - Audit trail
### Samples
- **Access**: All Roles for collect/show
- **Unreceive**: Role 0, 1 only
- **Endpoints**:
  - `POST /api/samples/collect/:accessnumber` - Mark sample collected
  - `GET /api/samples/:accessnumber` - Show sample info
  - `DELETE /api/samples/receive/:accessnumber` - Unreceive sample