Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules


Access is controlled by the identity and Role of the user

User Roles

RoleMeans
anonperson is not signed in. They can view various parts of the site but cannot change anything.  Most clicks will prompt them to register and sign in.
allall signed in users, they can browse more of the site create opportunties and manage their personal profile.
vpvolunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vp
opOpportunity provider - e.g a teacher. person who creates and manages an opportunity.
apActivity provider / content provider, can create and manage activities.
testercan see debug and analytics pages
adminoperational admin, can do almost everything through the UI
org-adminCan manage an organisation, its members and can set an approval process for listings
ownerThe specific person responsible for a record e.g a personal profile, opportuntity etc.


Archived Opportunities

RoleActionPermissionsFieldsMethod + Route
anonlistView all archived opportunities with status "Completed"id, name, subtitle, img_url, duration
GET /api/archivedOpportunities
anonreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
anoncreateNo accessn/an/a
anonupdateNo accessn/an/a
anondeleteNo accessn/an/a
alllistView all archived opportunities with status "Completed"id, name, subtitle, img_url, durationGET /api/archivedOpportunities
allreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
allcreateNo accessn/an/a
allupdateNo accessn/an/a
alldeleteNo accessn/an/a
adminlistView all archived opportunitiesid, name, subtitle, img_url, durationGET /api/archivedOpportunities
adminreadView individual archived opportunity recordsallGET /api/archivedOpportunities/:id
admincreateCan create recordsallPOST /api/archivedOpportunities
adminupdateCan update recordsallPUT /api/archivedOpportunities/:id
admindeleteCan delete recordsallDELETE /api/archivedOpportunities/:id

Interests

RoleActionPermissionsFieldsMethod + Route
anonlistNo accessn/aGET /api/interests
anonreadNo accessn/aGET /api/interests/:id
anoncreateNo accessn/aPOST /api/interests
anonupdateNo accessn/aPUT /api/interests/:id
anondeleteNo accessn/aDELETE /api/interests/:id
volunteerlistCan list own interest recordsAllGET /api/interests
volunteerreadCan read own interest recordsAllGET /api/interests/:id
volunteercreateCan create own interest recordsopportunity, comment (all other fields set by default)POST /api/interests
volunteerupdateNo accessn/aPUT /api/interests/:id
volunteerdeleteCan delete own interest recordsn/aDELETE /api/interests/:id
oplistCan list interest records for their opportunitiesAllGET /api/interests
opreadCan read interest records for their opportunitiesAllGET /api/interests/:id
opcreateNo accessn/aPOST /api/interests
opupdateCan update status field of interest records for their opportunitiesstatusPUT /api/interests/:id
opdeleteNo accessn/aDELETE /api/interests/:id
org adminlistCan list interest records for the opportunities provided by their organisationAllGET /api/interests
org adminreadCan read interest records for the opportunities provided by their organisationAllGET /api/interests/:id
org admincreateNo accessn/aPOST /api/interests
org adminupdateCan update the status field of interest records for the opportunities provided by their organisationstatusPUT /api/interests/:id
org admindeleteNo accessn/aDELETE /api/interests/:id
adminlistCan list all interest records on the platformn/aGET /api/interests
adminreadCan read all interest records on the platformn/aGET /api/interests/:id
admincreateCan create interest recordsn/aPOST /api/interests
adminupdateCan update all interest records on the platformn/aPUT /api/interests/:id
admindeleteCan delete all interest records on the platformn/aDELETE /api/interests/:id

Interest archive

for their opportunitiesop for their opportunitiesopInterestsArchivedopstatusop

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

GET /api/interestsArchived

anon

read

No access

n/a

GET /api/interestsArchived/:id

anon

create

No access

n/a

POST /api/InterestsArchived

anon

update

No access

n/a

PUT /api/interestsArchived/:id

anon

delete

No access

n/a

DELETE /api/interestsArchived/:idop

volunteerlistCan list their own interest archive recordsn/aGET /api/interestsArchived
volunteerreadCan read their own interest archive recordsn/aGET /api/interestsArchived/:id
volunteercreateNo accessn/aPOST /api/interestsArchived
volunteerupdate

Can update status field for interest archive records for their opportunities

No accessn/aPUT /api/interestsArchived/:id
volunteerdeleteNo accessn/aDELETE /api/interestsArchived/:id

org adminop

list

Can list interest archive records for the their opportunities provided by their organisation

n/a

GET /api/interestsArchived

org adminop

read

Can read interest archive records for the their opportunities provided by their organisation

n/a

GET /api/interestsArchived/:id

org adminop

create

No access

n/a

POST /api/InterestsArchived

org adminop

update

Can update status field for interest archive records for the their opportunities provided by their organisation

status

PUT /api/interestsArchived/:id

org adminop

delete

No access

n/a

DELETE /api/interestsArchived/:id

org admin

list

Can list all interest archive records for the opportunities provided by their organisation

n/a

GET /api/interestsArchived

org admin

read

Can read all interest archive records for the opportunities provided by their organisation

n/a

GET /api/interestsArchived/:id

org admin

createCan create interest archive records

No access

n/a

POST /api/InterestsArchived

org admin

update

Can update all status field for interest archive records n/afor the opportunities provided by their organisation

status

PUT /api/interestsArchived/:id

org admin

deleteCan delete all interest archive records

No access

n/a

DELETE /api/interestsArchived/:id

People

admin

RoleActionPermissionsFieldsMethod + RouteanonlistNo accessn/aGET /api/peopleanonreadNo access

list

Can list all interest archive records

n/a

GET /api/interestsArchived

admin

read

Can read all interest archive records

n/a

GET /api/

people

interestsArchived/:id

anon

admin

create

No access

Can create interest archive records

n/a

POST /api/

people

InterestsArchived

anon

admin

update

No access

Can update all interest archive records

n/a

PUT /api/

people

interestsArchived/:id

anon

admin

delete

No access

Can delete all interest archive records

n/a

DELETE /api/

people

interestsArchived/:id

vp

Member

Role

list

List all people 1

See note 2

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

GET /api/

people

members

vpSee note 2

anon

read

Can read any person 1

Can be indirectly provided with contact details for a vp via an interested record in invited state

No access

n/a

GET /api/

people

members/:id

vp

anon

create

No access

n/a

POST /api/

people

members

vp

anon

update

No access

n/a

PUT /api/

people

members/:id

vp

anon

delete

No access

n/a

DELETE /api/

people

members/:id

opSee note 2

all

list

List all people 1

Can list their own member records

n/a

GET /api/

people

members

op

all

read

Can read

any person 1See note 2

their own member records

n/a

GET /api/

people

members/:id

opn/a

all

create

No access

Can create their own member records with certain statuses

status (follower, joiner, validator), person (only themselves)

POST /api/

people

members

opn/a

all

update

No access

Can update their own member records with certain statuses

status (none, follower, joiner, validator, exmember), person (only themselves)

PUT /api/

people

members/:id

op

all

delete

No access

n/a

DELETE /api/

people

members/:id

testerSee note 2

org admin

list

List all people 1

Can list member records for their organisations

n/a

GET /api/

people

members

tester

org admin

read

Can read

any person 1See note 2

member records for their organisations

n/a

GET /api/

people

members/:id

tester

org admin

create

No access

Can create member records for their organisations

n/a

POST /api/

people

members

tester

org admin

update

Can update

any person

member records for their organisations

n/a

PUT /api/

people

members/:id

tester

org admin

delete

No access

n/a

DELETE /api/

people

members/:id

org

admin

list

List all people 1See note 2

Can list all member records

n/a

GET /api/

people

members

org

admin

read

Can read

any person 1See note 2

all member records

n/a

GET /api/

people

members/:id

org

admin

create

No access

Can create member records

n/a

POST /api/

people

members

org

admin

update

Can update

any personAny field can be updated

all member records

n/a

PUT /api/

people

members/:id

org

admin

delete

No access

Can delete all member records

n/a

DELETE /api/

people

members/:id

admin

People

All fields
RoleActionPermissionsFieldsMethod + Route
anonlistCan list all peopleNo accessn/aGET /api/people
adminanonreadCan read any personAll fieldsNo accessn/aGET /api/people/:id
adminanoncreateCan create new userAll fieldsNo accessn/aPOST /api/people
adminanonupdateCan update any personAll fields can be updatedNo accessn/aPUT /api/people/:id
adminanondeleteCan delete any person4No accessn/aDELETE /api/people/:id
ownervplist

List all

people

people 1

See note 2GET /api/people
ownervpread

Can read any personperson 1

Can be indirectly provided with contact details for a vp via an interested record in invited state

See note 2 and 3GET /api/people/:id
ownervpcreateNo accessn/aPOST /api/people
ownervpupdateCan only update their own record

Permitted to change:

  • name
  • nickname
  • about
  • location
  • phone
  • pronoun
  • language
  • website
  • facebook
  • twitter
  • education
  • sendEmailNotifications
  • role*
    • Only an ADMIN user can assign the ADMIN role to a user
    • Only an ADMIN user can assign the TESTER role to a user
    • All other role values can be assigned at this time – although this will need review
  • status
  • tags
  • teacher

Denied:

  • email
  • dateAddedNo access
    n/aPUT /api/people/:id
    vpdeleteNo accessn/aDELETE /api/people/:id
    oplistList all people 1See note 2GET /api/people
    opreadCan read any person 1See note 2GET /api/people/:id
    opcreateNo accessn/aPOST /api/people
    opupdateNo accessn/aPUT /api/people/:id
    owneropdeleteCan delete their own account4No accessn/aDELETE /api/people/:id

    Notes:

    1. VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
    2. Standard non-owner people fields are a whitelist of:
      • id
      • nickname
      • language
      • name
      • status
      • avatar
      • about
      • role
      • pronoun
      • tags
      • facebook
      • website
      • twitter
    3. VP-1268 is a card to return all fields when the request is for the current user
    4. VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics

    Create (new person)

    Post /api/people/

    RoleCananonCan create one person by registering with a valid identityallcannot create peopletesterCan create new peopleadminCan create new peopleorg-adminCan create a list of new people from an uploaded data set.

    Read (single person)

    GET
    testerlistList all people 1See note 2GET /api/people
    testerreadCan read any person 1All fields can be readGET /api/people/:id
    testercreateNo accessn/aPOST /api/people
    testerupdateCan update any personn/aPUT /api/people/:id
    testerdeleteCan delete any personn/aDELETE /api/people/:id
    org adminlistList all people 1See note 2GET /api/people
    org adminreadCan read any person 1See note 2GET /api/people/:id
    org admincreateNo accessn/aPOST /api/people
    org adminupdateCan update any personAny field can be updatedPUT /api/people/:id
    Role
    org admin
    Can
    delete
    anon
    No access
    allCan browse a person's profile page but with contact details removedvpcan be indirectly provided with contact details for a vp via an interested record in invited stateopCan browse a person's full profile page if they are in the same organisationapCan browse a person's full profile page if they are in the same organisationadminfull accessorg-adminCan browse a person's full profile page if they are in the same organisationownerThe person matching the person ID can see all their profile details.

    Update

    PUT
    n/aDELETE /api/people/:id
    adminlistCan list all peopleAll fieldsGET /api/people
    adminreadCan read any personAll fieldsGET /api/people/:id
    Roleallno access to change people records
    admincreateCan create new user
    anonno access
    All fieldsPOST /api/people
    admin
    can
    update
    person's recordorg-admincan update person's recordownercan update their own record

    Delete

    DELETE

    Delete

    DELETE /api/opportunities/:id

    RoleCananonno accessallno accessadmincan remove a record by putting it into archived collectionorg-admincan remove a record by putting it into archived collection for their orgownercan change state to 'closed'
    Can update any personAll fields can be updatedPUT /api/people/:id

    Usually delete will not delete the record from the database but will mark it as unavailable.

    RoleCananonno accessallno accessadminCan delete a person, this will maintain the person_id record but replace all the PID information (email, name, avatar)  with anonymised placeholders so that historical records still work.org-admincan mark person as no longer in the organisation but not remove them.ownerA person can resign from the site and this will delete them as above for an admin.

    ## Create
    Person - Created when new person signs in - All
    Opportunity - all - but only into draft mode. May require org-admin approval to set active state
    Activity - ap,
    Organisation - Admin
    Interest - vp
    tag - all

    ## Read
    Person - All
    Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
    Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

    ## Update
    ## Delete
    In most cases Delete paths should be only available to Admin ( and some API keyholders)
    Also in most cases Delete should not remove a document but move it into a new state, or collection.

    Opportunities

    List

    GET /api/opportunities

    RoleCananoncan list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.allcan list published ops and see full details ( published includes active and completed )admincan list ops in all statesorg-admincan list published and draft ops created by people in their org

    Create

    POST /api/opportunities

    RoleCananoncannot list peopleallcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.vpcan create opportunities of the 'offer' typeop

    can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active.

    org is fixed to org of owner

    admincan create anythingorg-admincan create ops and move draft ops to published.

    Read

    GET /api/opportunities/:id

    RoleCananoncan see full details of the op, (must be active state) need to sign in to express interestallcan see full details of the active and completed opsadmincan see full details of ops in all statesorg-admincan see full details of ops in all states for ops created by people in their org.ownercan see full details of ops they own

    Update

    PUT /api/opportunities/:id

    RoleCananonno accessallcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.admincan update ops including state changeorg-admincan update ops including state change for ops created by people in their orgownercan update their own ops. cannot change org,
    admindelete

    Can delete any person4

    n/aDELETE /api/people/:id
    ownerlistList all people 1See note 2GET /api/people
    ownerread

    Can read any person

    See note 2 and 3GET /api/people/:id
    ownercreateNo accessn/aPOST /api/people
    ownerupdateCan only update their own record

    Permitted to change:

    • name
    • nickname
    • about
    • location
    • phone
    • pronoun
    • language
    • website
    • facebook
    • twitter
    • education
    • placeOfWork
    • job
    • sendEmailNotifications
    • role*
      • Only an ADMIN user can assign the ADMIN role to a user
      • Only an ADMIN user can assign the TESTER role to a user
      • All other role values can be assigned at this time – although this will need review
    • status
    • tags
    • teacher

    Denied:

    • email
    • dateAdded
    PUT /api/people/:id
    ownerdeleteCan delete their own account4n/aDELETE /api/people/:id

    Notes:

    1. VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
    2. Standard non-owner people fields are a whitelist of:
      • id
      • nickname
      • language
      • name
      • status
      • avatar
      • about
      • language
      • imgUrl
      • role
      • pronoun
      • tags
      • facebook
      • website
      • twitter
      • sendEmailNotifications
    3. VP-1268 is a card to return all fields when the request is for the current user
    4. VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics


    ## Create
    Person - Created when new person signs in - All
    Opportunity - all - but only into draft mode. May require org-admin approval to set active state
    Activity - ap,
    Organisation - Admin
    Interest - vp
    tag - all

    ## Read
    Person - All
    Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
    Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

    ## Update
    ## Delete
    In most cases Delete paths should be only available to Admin ( and some API keyholders)
    Also in most cases Delete should not remove a document but move it into a new state, or collection.

    Opportunities

    RoleActionPermissionsFieldsMethod + Route
    anonlist

    Can list opportunities

    Restrictions: active, near future, and returns Card level info

    (To see more they have to sign in)

    • id
    • name,
    • subtitle
    • imgUrl
    • duration
    • date
    GET /api/opportunities
    anonread

    Can read any opportunity

    In general READ should have the same permissions as LIST

    • id
    • name,
    • subtitle
    • imgUrl
    • duration
    • date
    GET /api/opportunities/:id
    anoncreateNo accessn/aPOST /api/opportunities
    anonupdateNo accessn/aPUT /api/opportunities/:id
    anondeleteNo accessn/aDELETE /api/opportunities/:id
    vplistCan list published1 opportunities and see full detailsAll fieldsGET /api/opportunities
    vpreadCan see full details of the published1 opsAll fieldsGET /api/opportunities/:id
    vpcreateCan create opportunities of the 'offer' typen/aPOST /api/opportunities
    vpupdateNo accessn/aPUT /api/opportunities/:id
    vpdeleteNo accessn/aDELETE /api/opportunities/:id
    oplistCan list published1 opportunities and see full detailsAll fieldsGET /api/opportunities
    opreadCan see full details of the published1 opsAll fieldsGET /api/opportunities/:id
    opcreateCan create opportunities of the 'offer' typen/aPOST /api/opportunities
    opupdateNo accessn/aPUT /api/opportunities/:id
    opdeleteNo accessn/aDELETE /api/opportunities/:id
    adminlistAll opportunitiesAll fieldsGET /api/opportunities
    adminreadAny opportunityAll fieldsGET /api/opportunities/:id
    admincreateCan create any opportunityAll fieldsPOST /api/opportunities
    adminupdateCan update any opportunityAll fieldsPUT /api/opportunities
    admindelete

    Can delete any opportunity

    If an admin wishes to archive an opportunity they should PUT with the status field set to the COMPLETED or CANCELLED value

    n/aDELETE /api/opportunities/:id
    org adminlist

    Can list published and draft ops created by people in their org

    Can list all opportunities

    All fieldsGET /api/opportunities
    org adminreadCan list published1 opportunities and see full detailsAll fieldsGET /api/opportunities/:id
    org admincreateCan create opportunities

    All fields

    • offerOrg must be one of the current users organisations
    POST /api/opportunities
    org adminupdateCan update opportunities for their organisation only

    All fields

    • offerOrg must be one of the current users organisations
    PUT /api/opportunities
    ownerread

    Can see full details of ops they own

    • Only ops that are published1
    All fieldsGET /api/opportunities/:id
    ownercreaten/an/an/a
    ownerupdate
    • Can change the 
    • status to COMPLETED or CANCELLED
    • Can change the fields listed
    • name
    • title
    • subtitle
    • imgUrl
    • description
    • duration
    • location
    • venue
    • status
      • status value transition permission work todo: VP-1325
    • date
    • offerOrg
    • href
    • tags
    PUT /api/opportunities/:id
    ownerdelete

    Cannot delete

    The owner can PUT to the opportunity with a status change to archive the opportunity however

    n/aDELETE /api/opportunities/:id

    Notes:

    1. Published = Active or Completed status

    List

    GET /api/opportunities

    RoleCan
    anoncan list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.
    allcan list published ops and see full details ( published includes active and completed )
    admincan list ops in all states
    org-admincan list published and draft ops created by people in their org

    Create

    POST /api/opportunities

    RoleCan
    anoncannot list people
    allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
    vpcan create opportunities of the 'offer' type
    op

    can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active.

    org is fixed to org of owner

    admincan create anything
    org-admincan create ops and move draft ops to published.

    Read

    GET /api/opportunities/:id

    RoleCan
    anoncan see full details of the op, (must be active state) need to sign in to express interest
    allcan see full details of the active and completed ops
    admincan see full details of ops in all states
    org-admincan see full details of ops in all states for ops created by people in their org.
    ownercan see full details of ops they own

    Update

    PUT /api/opportunities/:id

    RoleCan
    anonno access
    allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
    admincan update ops including state change
    org-admincan update ops including state change for ops created by people in their org
    ownercan update their own ops. cannot change org,

    Delete

    DELETE /api/opportunities/:id

    RoleCan
    anonno access
    allno access
    admincan remove a record by putting it into archived collection
    org-admincan remove a record by putting it into archived collection for their org
    ownercan change state to 'closed'


    School invite

    This API end point does not map to a mongoose model it is used to trigger invite school emails and by people who accept those school invites.

    Role

    Action

    Permissions

    Fields

    Method + Route

    all authenticated

    n/a

    Can visit URL to accept invite and will have their school created as an organisation and made an org admin of that school (URL will also include a token containing school id)

    n/a

    GET /api/notify/school-invite/accept

    admin

    n/a

    Can send a school invite email

    n/a

    POST /api/notify/school-invite

    School lookup

    Role

    Action

    Permissions

    Fields

    Method + Route

    anon

    list

    No access

    n/a

    GET /api/schools

    anon

    read

    No access

    n/a

    GET /api/schools/:id

    anon

    create

    No access

    n/a

    POST /api/schools

    anon

    update

    No access

    n/a

    PUT /api/schools/:id

    anon

    delete

    No access

    n/a

    DELETE /api/schools/:id

    all

    list

    No access

    n/a

    GET /api/schools

    all

    read

    No access

    n/a

    GET /api/schools/:id

    all

    create

    No access

    n/a

    POST /api/schools

    all

    update

    No access

    n/a

    PUT /api/schools/:id

    all

    delete

    No access

    n/a

    DELETE /api/schools/:id

    admin

    list

    Can list school lookup records

    n/a

    GET /api/schools

    admin

    read

    No access

    n/a

    GET /api/schools/:id

    admin

    create

    No access

    n/a

    POST /api/schools

    admin

    update

    No access

    n/a

    PUT /api/schools/:id

    admin

    delete

    No access

    n/a

    DELETE /api/schools/:id

    Activities

    List

    GET /api/activities

    RoleCan
    anoncan list if active
    allcan list if active
    admincan list all
    org-admincan list all where ap is in org
    ap (owner)can list all they are owner for

    Create

    POST api/activity

    RoleCan
    anonno access
    vpno access
    opno access
    apcan create new activity record
    admincan create new activity record
    org-admincan act as ap for person in their org

    Read

    GET api/activity/:id

    RoleCan
    anoncan view details if state is active
    allcan view details if state is active
    admincan see all
    org-admincan emulate ap for people in their org, can see draft acts.
    ap (owner)can view details in all states.

    Update

    PUT api/activity/:id

    RoleCan
    anonno access
    allno access
    vpno access
    opno access
    ap (owner)can update acts they are owner for
    admincan update
    org-admincan act as ap for acts in their org

    Delete

    DELETE api/activity/:id

    RoleCan
    anonno access
    allno access
    admincan delete
    org-admin (owner org)no access, can put into closed state (via Update)
    ap (owner)no access, can put into closed state (via Update)



    Organisations

    Organisation information is essentially public, everyone can read except for the info section which depends on membership status.

    Note - in the medium term we do not need to block info fields from the API. We will communicate to orgAdmins that the content is not strictly private and should only contain summary information and links to internal web pages.

    List

    GET /api/organisations

    RoleCan
    anonList all organisations, all fields
    vpList all organisations, all fields
    opList all organisations, all fields
    apList all organisations, all fields
    resource providerList all organisations, all fields
    adminList all organisations, all fields
    org-adminList all organisations, all fields

    Read

    GET /api/organisations/:id

    RoleCan
    anonRead the entity and all fields
    vpRead the entity and all fields
    opRead the entity and all fields
    apRead the entity and all fields
    resource providerRead the entity and all fields
    adminRead the entity and all fields
    org-adminRead the entity and all fields

    Create

    POST /api/organisations

    RoleCan
    anonNo access
    vpNo access
    opNo access
    apNo access
    resource providerNo access
    adminCan create new organisation
    org-adminNo access

    Update

    PUT /api/organisations/:id

    RoleCan
    anonNo access
    vpNo access
    opNo access
    apNo access
    adminCan update all fields
    org-admin
    • Can update all fields for the organisation they administer except category
    • No access to other organisations

    Delete

    Only system admins can delete an organisation. This should be a rare event as it will leave all the assets linked to the organisation dangling. i.e Ops.offerOrg,  Member.organisation etc.

    DELETE /api/organisations/:id

    RoleCan
    anonNo access
    vpNo access
    opNo access
    apNo access
    adminCan delete
    org-adminNo access


    Tags (TagList)

    The tagList collection provides arrays of strings each of which is a word list that can be used for tags or select fields.

    if requested without a wordlist id the GET call returns the default list of keywords.

    As of Feb 2020 this feature is only partially implemented providing only a single word list. 

    The lists are read only to all except admins.

    RoleActionPermissionsFieldsMethod + Route
    anonlistNo accessn/aGET /api/tags
    anonreadNo accessn/aGET /api/tags/:id
    anoncreateNo accessn/aPOST /api/tags
    anonupdateNo accessn/aPUT /api/tags/:id
    anondeleteNo accessn/aDELETE /api/tags/:id
    AuthedlistList default word listAllGET /api/tags
    AuthedreadList specific word listAllGET /api/tags/:id
    AuthedcreateNo accessAllPOST /api/tags
    AuthedupdateNo accessn/aPUT /api/tags/:id
    AutheddeleteNo accessn/aDELETE /api/tags/:id
    adminlistCan list allAllGET /api/tags
    adminreadCan read allAllGET /api/tags/:id
    admincreateCan create anyn/aPOST /api/tags
    adminupdateCan update anyn/aPUT /api/tags/:id
    admindeleteCan delete anyn/aDELETE /api/tags/:id



    Table of Contents