Conversation
arnavjk007
left a comment
arnavjk007
left a comment
There was a problem hiding this comment.
This is a good starting point, but we need to also implement the permissions and a getSession() function that can be called from all services which will return true or false if they are allowed to use that service. For example, a viewer should NOT be able to delete items or listings so if they call a DELETE api for those services, it should not work since our getSession() will say that they do not have perms. More detailsare in the notion task
lib/rbac.ts
Outdated
| } | ||
|
|
||
| await connectToDatabase(); | ||
| const user = await User.findOne({ email: session.user.email }); |
There was a problem hiding this comment.
If we do use the User schema, how would we verify that the person is from UCSD? The Google sign in was one way, but we may have to modify the User DB as well to verify that the user is from UCSD.
There was a problem hiding this comment.
also add .lean() at the end
models/User.ts
Outdated
| first: string; | ||
| last: string; | ||
| }; | ||
| permissions: Role[]; |
There was a problem hiding this comment.
we can have this as role: Role
models/User.ts
Outdated
| // mongoose schema to valid the data | ||
| const userSchema = new Schema<IUser>({ | ||
|
|
||
| ucsdId: { type: String }, // ucsd pid |
There was a problem hiding this comment.
needs some restrictions like this:
ucsdId: { type: String, required: true, unique: true },
models/User.ts
Outdated
|
|
||
| labs: [ | ||
| { | ||
| labId: { type: String, required: true }, |
There was a problem hiding this comment.
We have a labs table so this should be, labId: { type: Schema.Types.ObjectId, ref: "Lab", required: true },
models/User.ts
Outdated
| notificationPreferences: { // default notification preferences | ||
| email: { type: Boolean, default: true }, | ||
| inApp: { type: Boolean, default: true }, | ||
| sms: { type: Boolean, default: true }, |
There was a problem hiding this comment.
we can turn off sms by default
models/User.ts
Outdated
| safety: { | ||
| trainingCompleted: string[]; | ||
| clearanceLevel: string; | ||
| lastReviwedAt: Date; |
models/User.ts
Outdated
|
|
||
| // describes what one lab membership looks like | ||
| export interface ILabMembership { | ||
| labId: string; |
There was a problem hiding this comment.
we have a lab schema and table so it should reference that like: labId: { type: Schema.Types.ObjectId, ref: "Lab", required: true },
lib/rbac.ts
Outdated
| const session = await auth(); | ||
|
|
||
| if (!session?.user?.email) { | ||
| return { allowed: false, user: null }; |
There was a problem hiding this comment.
is it possible to add a "reason" field so when there is an error we know why it erroed? like here its unauthenticated
arnavjk007
left a comment
arnavjk007
left a comment
There was a problem hiding this comment.
Some changes to user schema to check for @UCSD in email. Also add unit tests for the user creation, deletion.. etc. Remember to do git pull from main and git merge main before doing unit tests.
Also major change, we need GET POST PUT and DELETE for users so we would have to create a service file and route file like:
app/api/user/route.ts & services/user/uses.ts
| import mongoose, { Schema, Document, Types } from "mongoose"; | ||
|
|
||
| export type Role = "PI" | "LAB_MANAGER" | "RESEARCHER" | "VIEWER"; | ||
|
|
There was a problem hiding this comment.
nit: we can have this setup for status as well like export type Status = "ACTIVE" | "INACTIVE" | "SUSPENDED";
| department: string; | ||
| phone: string; | ||
| } | ||
| status: "ACTIVE" | "INACTIVE" | "SUSPENDED"; |
| const userSchema = new Schema<IUser>({ | ||
|
|
||
| ucsdId: { type: String, required: true, unique: true }, // ucsd pid | ||
| email: { type: String, required: true, unique: true }, // ucsd email |
There was a problem hiding this comment.
We should check here if the email is @UCSD domain by using regex and match like this:
email: {
type: String,
required: true,
unique: true,
lowercase: true,
trim: true,
match: [/^\S+@ucsd.edu$/, "Must be a valid UCSD email (@ucsd.edu)"],
},
| { | ||
| timestamps: true, | ||
| }); | ||
|
|
There was a problem hiding this comment.
Let's also add a index so we can query by labId and get all users in that lab.
userSchema.index({ "labs.labId": 1 });
2 participants
Describe your changes
Implements role-based access control system to assign users the right roles that contain the right permissions.
Issue ticket number and link
#10
Checklist before requesting a review