-
Notifications
You must be signed in to change notification settings - Fork 15
Registration scope
The scope feature has been introduced to facilitate access control within the 121 platform. This allows for assigning access to registrations based on geographical or organizational units. The scope field has been added to the aidworker assignment per program and registrations.
First of all, scope only has effect if scope is enabled for a program. This is assumed in the remainder.
The scope is stored as a string that represents the geographical or organizational unit that a user has access to. This can be a whole region or a specific part of a region. Here are some examples:
| Scope | Description |
|---|---|
zeeland.middelburg |
Access to only the "Middelburg" area within "Zeeland" |
zeeland.goes |
Access to only the "Goes" area within "Zeeland" |
zeeland |
Access to the whole "Zeeland" region (so includes "Goes" + "Middelburg") |
limburg.maastricht |
Access to only the "Maastricht" area within "Limburg" |
utrecht.red-cross |
Access to only the "Red Cross"-organization in "Utrecht" |
Registrations would typically have the lowest level of scope in a program, while aid-workers can be assigned to have any level of hierarchy. If you want to view or modify entities, you can only do so for entities that have the same scope as you. For example, a registration with the scope "limburg.maastricht" can be modified by an aid worker that has been assigned the scope "limburg.maastricht" or the scope "limburg" or by an aid-worker that has not been assigned a scope (i.e. "scope: ''").
| Registration (name+scope) | Aid-Worker "Goes" |
Aid-Worker "Zeeland" |
Aid-Worker ''
|
|---|---|---|---|
Person A (zeeland.middelburg) |
🚫 | ✅ | ✅ |
Person B (zeeland.goes) |
✅ | ✅ | ✅ |
Person C (utrecht) |
🚫 | 🚫 | ✅ |
Person D ( ) |
🚫 | 🚫 | ✅ |
When an entity is created, the same scope field is applied to it. This means that when a registration, note, or transaction is created, they have the same scope field as the registration to which it is related.
In summary, the scope feature is a powerful tool for managing access control within the system. It allows for granular control over who can access what resources, based on geographical or organizational units (or anything else that can be (hierarchically) named/defined).
Custom made repositories and NestJs request scope are used to ensure that users cannot access data out of their scope. On any request by the user their scope is attached to the request and accessible in the custom made repositories. This scope is than used to join data to the RegistrationEntity and filter on scope
To use scope when dealing with the RegistrationEntity you can use the RegistrationScopedRepository
To use scope when accessing data that is related to the RegistrationEntity You can use the base class ScopedRepository to either:
- Create a custom repository which is an extension of
ScopedRepositoryclass. To this class you can add additional custom functionality. - Or you can choose to just use the 'basic' typeorm Repository functionality. Than you can use the method
createScopedRepositoryProvider - Directly related Entities to RegistrationEntities work out of the box. For indirectly related entities you need to edit the
indirectRelationConfigin theScopedRepositoryclass