Multi‐Institute Admin Support - liferesearchapp/life-research-members-portal GitHub Wiki
Handling Multiple Institutes' Admins
The application ensures that administrative rights and access are appropriately managed across multiple institutes. This involves both frontend and backend strategies to effectively control and restrict administrative functionalities based on the user's roles and associations with institutes.
Database Changes:- Account Model Updates:
- The addition of the
is_super_adminand removal of theis_admincolumn emphasize the introduction of more flexible and powerful administrative roles across the portal.
| Field | Type | Description |
|---|---|---|
| id | Int | Unique identifier for each account, autoincremented. |
| login_email | String | Unique login email address. |
| microsoft_id | String? | Optional Microsoft ID. |
| first_name | String | First name of the user. |
| last_name | String | Last name of the user. |
| last_login | DateTime? | Date and time of the last login, optional. |
| is_super_admin | Boolean | Flag indicating whether the user is a superadmin with overarching administrative rights. |
| instituteAdmin | instituteAdmin[] | List of institute admin roles associated with the account, allowing for institute-specific admin privileges. |
| member | member? | Optional member association. |
Changes:
- The
is_adminfield has been removed to phase out the single-institute admin roles. - Introduced
is_super_adminfor administrative authority across all institutes. - Added
instituteAdminto manage roles that are specific to each institute.
InstituteAdmin Model:
- Manages the relationship between institute admins and their respective institutes and accounts, facilitating targeted and effective administrative control within specific institutes.
| Field | Type | Description |
|---|---|---|
| memberId | Int | ID of the member. |
| instituteId | Int | ID of the institute. |
| accountId | Int | ID of the account. |
| account | account | Relation to the account (foreign key reference). |
| institute | institute | Relation to the institute (foreign key reference). |
| member | member | Relation to the member (foreign key reference). |
| @@id | [accountId, instituteId] | Composite key of accountId and instituteId. |
These tables provide a clear overview of each model's attributes and their roles within the database schema.
Frontend Changes
Super Admin in Authorization File
We've extended the Authorizations enum to include roles specific to our multi-institute context, such as superAdmin. This role is crucial for users who have overarching administrative privileges across all institutes.
Exposed Hooks for Role Management
Two critical hooks, useAdminDetails and useSuperAdminDetails, are exposed to the entire application. These hooks allow components to easily determine the user's administrative level and render UI elements accordingly.
useAdminDetails Hook
This hook determines whether the current user is an admin of the selected institute by checking the instituteAdmin relationships of their account.
useSuperAdminDetails Hook
This hook checks if the current user holds super admin privileges, which would allow them to manage settings and data across all institutes.
Backend Authentication
Permissions Check on Product Actions
To ensure that administrative privileges are correctly enforced on the backend, permissions are checked whenever a product-related action is requested, such as editing product information.
Steps for Permission Verification:
-
Institute Admin Check:
- The system fetches the institutes associated with the product and verifies if the current user is an admin for any of these institutes.
-
Product Ownership Check:
- It is also checked whether the user is the creator of the product, which would grant them the rights to manage it.
-
Authorization Decision:
- The final authorization check combines the user's super admin status, institute admin rights, and product ownership to determine if they are authorized to proceed with the requested action.
If the user does not meet any of these conditions, they are returned an unauthorized response. This ensures that administrative actions are securely managed and only accessible to users with the appropriate authorization levels, safeguarding the integrity of institute-specific data.