Backend
Modify our existing API to use User data to determine permissions for routes. Employ Role-Based Access Control to existing endpoints, only create new endpoints if absolutely necessary.
Admin:
All Permissions
Non-admin / Teachers:
- Section Controller
  - Can only perform GET actions on assigned sections
  - Cannot perform any mutating operations (create, edit, delete, etc.)
- Session Controller
  - Can only perform GET actions on assigned sessions
  - Cannot perform any mutating operations
- Student Controller
  - Can only perform GET actions on students in assigned sections
  - Cannot perform create, delete, or archive actions
  - Can only perform editing actions on students in assigned sections, and only for specific fields (needed for notes and the pre/post-assessment)
- Attendance Controller
  - All permissions on attendances for assigned sections
- User Controller
  - Only allow WhoAmI API calls, no other permissions
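As an added example (not the project's own code), here is a default-deny policy function that encodes the teacher rules above so every controller action can call one check instead of repeating role logic. It assumes a `User` record with an `assignedSectionIds` claim, that sessions, students and attendance records carry the id of the section they belong to, that WhoAmI is modelled as the action `"whoami"`, and the field names `notes`, `preAssessment` and `postAssessment` for the teacher-editable student fields; none of these names appear in the task text.

```typescript
// Added example, not the project's own code. Assumed: the User record carries
// an `assignedSectionIds` claim; sessions, students and attendance records carry
// the id of the section they belong to; the editable student fields are named
// notes / preAssessment / postAssessment; WhoAmI is modelled as action "whoami".

type Role = "admin" | "teacher";
type Action = "read" | "create" | "update" | "delete" | "archive" | "whoami";
type ResourceKind = "section" | "session" | "student" | "attendance" | "user";

interface User {
  id: string;
  role: Role;
  assignedSectionIds: string[];
}

// Every resource except `user` is scoped to one section (assumed schema).
interface Resource {
  kind: ResourceKind;
  sectionId?: string;
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Fields a teacher may change on a student (assumed names).
const TEACHER_EDITABLE_STUDENT_FIELDS: ReadonlySet<string> = new Set([
  "notes",
  "preAssessment",
  "postAssessment",
]);

const allow = (reason: string): Decision => ({ allowed: true, reason });
const deny = (reason: string): Decision => ({ allowed: false, reason });

// Central policy: call it from every controller action before touching data.
// `changedFields` lists the keys present in an update request body.
function authorize(
  user: User,
  action: Action,
  resource: Resource,
  changedFields: string[] = [],
): Decision {
  if (user.role === "admin") return allow("admin has all permissions");

  // Teacher rules below. Anything not explicitly allowed falls through to deny.
  if (resource.kind === "user") {
    return action === "whoami"
      ? allow("teachers may call WhoAmI")
      : deny("teachers have no other User permissions");
  }

  // Assignment check first: an unassigned section is never visible, whatever the action.
  const assigned =
    resource.sectionId !== undefined &&
    user.assignedSectionIds.includes(resource.sectionId);
  if (!assigned) return deny(`${resource.kind} is not in an assigned section`);

  if (resource.kind === "attendance") {
    return allow("all attendance permissions on assigned sections");
  }

  if (resource.kind === "section" || resource.kind === "session") {
    return action === "read"
      ? allow(`teachers may read assigned ${resource.kind}s`)
      : deny(`teachers may not ${action} a ${resource.kind}`);
  }

  if (resource.kind === "student") {
    if (action === "read") return allow("teachers may read students in assigned sections");
    if (action === "update") {
      // Allowlist check: a single disallowed key rejects the whole update, so a
      // request cannot change a protected field by sending it alongside `notes`.
      const blocked = changedFields.filter((f) => !TEACHER_EDITABLE_STUDENT_FIELDS.has(f));
      return blocked.length === 0 && changedFields.length > 0
        ? allow("teachers may edit notes and assessments")
        : deny(`fields not editable by teachers: ${blocked.join(", ") || "(none given)"}`);
    }
    return deny(`teachers may not ${action} students`);
  }

  return deny("default deny");
}
```

The check belongs in the API regardless of what the frontend hides: the student update path is the one place a teacher is allowed to mutate a record, so the field allowlist is applied to the request body rather than to the route, and an update that mixes an allowed field with a protected one is refused as a whole.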
Frontend
Use User role for conditional rendering
Admin View:
Match Figma
Non-admin / Teacher View:
- Remove the staff page from the navbar and restrict teacher access to that page
- Remove access to mutating action forms on the Programs and Students pages (they won't work anyway, since the API rejects them)
- Note: shouldn't need to modify API calls on the frontend, assuming no new routes
Figma