The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules

Access is controlled by the identity and Role of the user

User Roles

RoleMeansanonperson is not signed in. They can view various parts of the site but cannot change anything. Most clicks will prompt them to register and sign in.allall signed in users, they can browse more of the site create opportunties and manage their personal profile.vpvolunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vpopOpportunity provider - e.g a teacher. person who creates and manages an opportunity.apActivity provider / content provider, can create and manage activities.testercan see debug and analytics pagesadminoperational admin, can do almost everything through the UIorg-adminCan manage an organisation, its members and can set an approval process for listingsownerThe specific person responsible for a record e.g a personal profile, opportuntity etc.

Archived Opportunities

RoleActionPermissionsFieldsMethod + RouteanonlistView all archived opportunities with status "Completed"id, name, subtitle, img_url, duration
GET /api/archivedOpportunitiesanonreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:idanoncreateNo accessn/an/aanonupdateNo accessn/an/aanondeleteNo accessn/an/aalllistView all archived opportunities with status "Completed"id, name, subtitle, img_url, durationGET /api/archivedOpportunitiesallreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:idallcreateNo accessn/an/aallupdateNo accessn/an/aalldeleteNo accessn/an/aadminlistView all archived opportunitiesid, name, subtitle, img_url, durationGET /api/archivedOpportunitiesadminreadView individual archived opportunity recordsallGET /api/archivedOpportunities/:idadmincreateCan create recordsallPOST /api/archivedOpportunitiesadminupdateCan update recordsallPUT /api/archivedOpportunities/:idadmindeleteCan delete recordsallDELETE /api/archivedOpportunities/:id

Interests

RoleActionPermissionsFieldsMethod + RouteanonlistNo accessn/aGET /api/interestsanonreadNo access

The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules

Access is controlled by the identity and Role of the user

User Roles

Role	Means
anon	person is not signed in. They can view various parts of the site but cannot change anything. Most clicks will prompt them to register and sign in.
all	all signed in users, they can browse more of the site create opportunties and manage their personal profile.
vp	volunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vp
op	Opportunity provider - e.g a teacher. person who creates and manages an opportunity.
ap	Activity provider / content provider, can create and manage activities.
tester	can see debug and analytics pages
admin	operational admin, can do almost everything through the UI
org-admin	Can manage an organisation, its members and can set an approval process for listings
owner	The specific person responsible for a record e.g a personal profile, opportuntity etc.

Archived Opportunities

Role	Action	Permissions	Fields	Method + Route
anon	list	View all archived opportunities with status "Completed"	id, name, subtitle, img_url, duration	GET /api/archivedOpportunities
anon	read	View individual archived opportunity records with status "Completed"	all	GET /api/archivedOpportunities/:id
anon	create	No access	n/a	n/a
anon	update	No access	n/a	n/a
anon	delete	No access	n/a	n/a
all	list	View all archived opportunities with status "Completed"	id, name, subtitle, img_url, duration	GET /api/archivedOpportunities
all	read	View individual archived opportunity records with status "Completed"	all	GET /api/archivedOpportunities/:id
all	create	No access	n/a	n/a
all	update	No access	n/a	n/a
all	delete	No access	n/a	n/a
admin	list	View all archived opportunities	id, name, subtitle, img_url, duration	GET /api/archivedOpportunities
admin	read	View individual archived opportunity records	all	GET /api/archivedOpportunities/:id
admin	create	Can create records	all	POST /api/archivedOpportunities
admin	update	Can update records	all	PUT /api/archivedOpportunities/:id
admin	delete	Can delete records	all	DELETE /api/archivedOpportunities/:id

Interests

Role	Action	Permissions	Fields	Method + Route
anon	list	No access	n/a	GET /api/interests
anon	read	No access	n/a	GET /api/interests/:id
anon	create	No access	n/a	POST /api/interests
anon	update	No access	n/a	PUT /api/interests/:id
anon	delete	No access	n/a	DELETE /api/interests/:id
volunteer	list	Can list own interest records	All	GET /api/interests
volunteer	read	Can read own interest records	All	GET /api/interests/:id
volunteer	create	Can create own interest records	opportunity, comment (all other fields set by default)	POST /api/interests
volunteer	update	No access	n/a	PUT /api/interests/:id
volunteer	delete	Can delete own interest records	n/a	DELETE /api/interests/:id
op	list	Can list interest records for their opportunities	All	GET /api/interests
op	read	Can read interest records for their opportunities	All	GET /api/interests/:id
op	create	No access	n/a	POST /api/interests
op	update	Can update status field of interest records for their opportunities	status	PUT /api/interests/:id
op	delete	No access	n/a	DELETE /api/interests/:id
org admin	list	Can list interest records for the opportunities provided by their organisation	All	GET /api/interests
org admin	read	Can read interest records for the opportunities provided by their organisation	All	GET /api/interests/:id
org admin	create	No access	n/a	POST /api/interests
org admin	update	Can update the status field of interest records for the opportunities provided by their organisation	status	PUT /api/interests/:id
org admin	delete	No access	n/a	DELETE /api/interests/:id
admin	list	Can list all interest records on the platform	n/a	GET /api/interests
admin	read	Can read all interest records on the platform	n/a	GET /api/interests/:id
admin	create	Can create interest records	n/a	POST /api/interests
admin	update	Can update all interest records on the platform	n/a	PUT /api/interests/:id
admin	delete	Can delete all interest records on the platform	n/a	DELETE /api/interests/:id

Interest archive

interestsanoninterestsanoninterests own Allinterestsvolunteer own Allinterestsvolunteeropportunity, comment (all other fields set by default)interestsvolunteerinterestsvolunteerCan delete own interest recordsinterestsop opportunitiesAllinterestsop opportunitiesAllinterestsopinterestsop of for their opportunitiesinterestsopinterestsorg for the opportunities provided by their organisationAllinterestsorg for the opportunities provided by their organisationAllinterestsorg No accessinterestsorg the status field of for the opportunities provided by their organisationstatusinterestsorg No accessinterestsadmin

Role	Action	Permissions	Fields	Method + Route
anon	list	No access	n/a	GET /api/interestsArchived
anon	read	No access	n/a	GET /api/interestsArchived/:id
anon	create	No access	n/a	POST /api/InterestsArchived
anon	update	No access	n/a	PUT /api/interestsArchived/:id
anon	delete	No access	n/a	DELETE /api/interestsArchived/:id
volunteer	list	Can list their own interest archive records	n/a	GET /api/interestsArchived
volunteer	read	Can read their own interest archive records	n/a	GET /api/	interestsArchived/:id
volunteer	create	No access	n/a	POST /api/	interestsArchived
volunteer	update	No access	n/a	PUT /api/	interestsArchived/:id
anonvolunteer	delete	No access	n/a	DELETE /api/interestsinterestsArchived/:idvolunteer
op	list	Can list	interest archive records	for their opportunities	n/a	GET /api/	interestsArchived
op	read	Can read	interest archive records	for their opportunities	n/a	GET /api/	interestsArchived/:id
op	create	Can create own interest records	No access	n/a	POST /api/	InterestsArchived
op	update	Can update	No access	n/a	status field for interest archive records for their opportunities	status	PUT /api/	interestsArchived/:id
op	delete	No access	n/a	DELETE /api/	interestsArchived/:id
org admin	list	Can list interest archive records for the opportunities provided by their	organisation	n/a	GET /api/	interestsArchived
org admin	read	Can read interest archive records for the opportunities provided by their	organisation	n/a	GET /api/	interestsArchived/:id
org admin	create	No access	n/a	POST /api/	InterestsArchived
org admin	update	Can update status field	for interest archive records	for the opportunities provided by their organisation	status	PUT /api/	interestsArchived/:id
org admin	delete	No access	n/a	DELETE /api/	interestsArchived/:id
admin	list	Can list all interest archive records		n/a	GET /api/	interestsArchived
admin	read	Can read all interest archive records		n/a	GET /api/	interestsArchived/:id
admin	create	Can create interest archive records	n/a	POST /api/	InterestsArchived
admin	update	Can update	all interest archive records		n/a	PUT /api/	interestsArchived/:id
admin	delete	Can delete all interest archive records	n/a	DELETE /api/	interestsArchived/:id

Member

Role	Action	Permissions	Fields	Method + Route
anon	list

Can list all interest records on the platform

No access

n/a

GET /api/

interests

members

admin

anon

read

Can read all interest records on the platform

No access

n/a

GET /api/

interests

members/:id

admin

anon

create

Can create interest records

No access

n/a

POST /api/

interests

members

admin

anon

update

Can update all interest records on the platform

No access

n/a

PUT /api/

interests

members/:id

admin

anon

delete

Can delete all interest records on the platform

No access

n/a

DELETE /api/

interests

members/:id

Interest archive

all

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

list

Can list their own member records

n/a

GET /api/

interestsArchived

members

anon

all

read

No access

Can read their own member records

n/a

GET /api/

interestsArchived

members/:id

all

anon

create

Can create

No access

n/a

their own member records with certain statuses

status (follower, joiner, validator), person (only themselves)

POST /api/

InterestsArchived

members

anonn/a

all

update

No access

Can update their own member records with certain statuses

status (none, follower, joiner, validator, exmember), person (only themselves)

PUT /api/

interestsArchived

members/:id

anon

all

delete

No access

n/a

DELETE /api/

interestsArchived

members/:id

op

org admin

list

Can list

interest archive

member records for their

opportunities

organisations

n/a

GET /api/

interestsArchived

members

op

org admin

read

Can read

interest archive

member records for their

opportunities

organisations

n/a

GET /api/

interestsArchived

members/:id

op

org admin

create

No access

Can create member records for their organisations

n/a

POST /api/

InterestsArchived

members

op

org admin

update

Can update

status field for interest archive

member records for their

opportunities

organisations

status

n/a

PUT /api/

interestsArchived

members/:id

op

org admin

delete

No access

n/a

DELETE /api/

interestsArchived

members/:id

org

admin

list

Can list

interest archive records for the opportunities provided by their organisation

all member records

n/a

GET /api/

interestsArchived

members

org

admin

read

Can read

interest archive records for the opportunities provided by their organisation

all member records

n/a

GET /api/

interestsArchived

members/:id

org

admin

create

No access

Can create member records

n/a

POST /api/

InterestsArchived

members

org

admin

update

Can update

status field for interest archive records for the opportunities provided by their organisationstatus

all member records

n/a

PUT /api/

interestsArchived

members/:id

org

admin

delete

No access

Can delete all member records

n/a

DELETE /api/

interestsArchived

members/:id

admin

People

Role	Action	Permissions	Fields	Method + Route
anon	list

Can list all interest archive records

No access

n/a

GET /api/

interestsArchived

people

admin

anon	read

Can read all interest archive records

No access

n/a

GET /api/

interestsArchived

people/:id

admin

anon	create

Can create interest archive records

No access

n/a

POST /api/

InterestsArchived

people

admin

anon	update

Can update all interest archive records

No access

n/a

PUT /api/

interestsArchived

people/:id

admin

anon	delete

Can delete all interest archive records

No access

n/a

DELETE /api/

interestsArchived

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

people/:id

Member

vp	list	List all people ¹	See note 2	GET /api/

members

vp
people

anon

read

Can read

No access

n/a

any person ¹

Can be indirectly provided with contact details for a vp via an interested record in invited state

See note 2

GET /api/

members

people/:id

anon

vp	create	No access	n/a	POST /api/

members

people

anon

vp	update	No access	n/a	PUT /api/

members

people/:id

anon

vp	delete	No access	n/a	DELETE /api/

members

people/:id

alln/a

op	list

Can list their own member records

List all people ¹

See note 2

GET /api/

members

people

all

op	read	Can read

their own member recordsn/a

any person ¹

See note 2

GET /api/

members

people/:id

all

create

Can create their own member records with certain statuses

status (follower, joiner, validator), person (only themselves)

op	create	No access	n/a	POST /api/

members

people

allstatus (none, follower, joiner, validator, exmember), person (only themselves)

op	update

Can update their own member records with certain statuses

No access

n/a

PUT /api/

members

people/:id

all

op	delete	No access	n/a	DELETE /api/

members

people/:id

org adminn/a

tester	list

Can list member records for their organisations

List all people ¹

See note 2

GET /api/

members

people

org admin

tester	read	Can read

member records for their organisationsn/a

any person ¹

All fields can be read

GET /api/

members

people/:id

org admin

tester	create

Can create member records for their organisations

No access	n/a	POST /api/people
tester	update	Can update any person	n/a

POST

PUT /api/people/

members

:id

org admin

tester

update

delete

Can

update member records for their organisations

delete any person

n/a

PUT

DELETE /api/

membersDELETE /api/members

org admin
people/:id

delete

No access

n/a

org admin
list	List all people ¹	See note 2	GET /api/people
org admin	read	Can read any person ¹	See note 2	GET /api/people/:id

list

Can list all member records

create

No access

n/a

GET

POST /api/

members

org admin
people

read

update

Can

read all member records

n/a

GET

update any person

Any field can be updated

PUT /api/

members

org admin
people/:id

create

Can create member records

delete

No access

n/a

POST

DELETE /api/people/

members

admin
:id

update

list

Can

update

list all

member records

n/a

PUT

people

All fields

GET /api/

members/:id

admin
people

delete

read

Can

delete all member records

n/a

DELETE

read any person

All fields

GET /api/

members

people/:id

People

org admin

admin
Role	Action	Permissions	Fields	Method + Route
anon	list	No access	n/a	GET create	Can create new user	All fields	POST /api/people
admin	update	Can update any person	All fields can be updated	PUT /api/people/:id
anonadmin	read	No accessdelete	Can delete any person⁴	n/a	GET DELETE /api/people/:id
anonowner	create	No access	n/a	POST list	List all people ¹	See note 2	GET /api/people
anonowner	update	No access	n/a	PUT read	Can read any person	See note 2 and 3	GET /api/people/:id
anonowner	deletecreate	No access	n/a	DELETE POST /api/people/:id
vp	list	List all people ¹	See note 2	GET /api/people
vp	read	Can read any person ¹ Can be indirectly provided with contact details for a vp via an interested record in invited state	See note 2	GET /api/people/:id
vp	create	No access	n/a	POST /api/people
vp	update	No access	n/a
owner	update	Can only update their own record	Permitted to change: name nickname about location phone pronoun language website facebook twitter education placeOfWork job sendEmailNotifications role* Only an ADMIN user can assign the ADMIN role to a user Only an ADMIN user can assign the TESTER role to a user All other role values can be assigned at this time – although this will need review status tags teacher Denied: email dateAdded	PUT /api/people/:id
vpowner	deleteNo access	Can delete their own account⁴	n/a	DELETE /api/people/:id
op	list	List all people ¹	See note 2	GET /api/people
op	read	Can read any person ¹	See note 2	GET /api/people/:id
op	create	No access	n/a	POST /api/people
op	update	No access	n/a	PUT /api/people/:id
op	delete	No access	n/a	DELETE /api/people/:id
tester	list	List all people ¹	See note 2	GET /api/people
tester	read	Can read any person ¹	All fields can be read	GET /api/people/:id
tester	create	No access	n/a	POST /api/people
tester	update	Can update any person	n/a	PUT /api/people/:id
tester	delete	Can delete any person	n/a	DELETE /api/people/:id
org admin	list	List all people ¹	See note 2	GET /api/people
org admin	read	Can read any person ¹	See note 2	GET /api/people/:id
id

Notes:

VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
Standard non-owner people fields are a whitelist of:
- id
- nickname
- language
- name
- status
- avatar
- about
- language
- imgUrl
- role
- pronoun
- tags
- facebook
- website
- twitter
- sendEmailNotifications
VP-1268 is a card to return all fields when the request is for the current user
VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics

## Create
Person - Created when new person signs in - All
Opportunity - all - but only into draft mode. May require org-admin approval to set active state
Activity - ap,
Organisation - Admin
Interest - vp
tag - all

## Read
Person - All
Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

## Update
## Delete
In most cases Delete paths should be only available to Admin ( and some API keyholders)
Also in most cases Delete should not remove a document but move it into a new state, or collection.

Opportunities

Role

Action

Permissions

Fields

Method + Route

anon

list

Can list opportunities

Restrictions: active, near future, and returns Card level info

(To see more they have to sign in)

id
name,
subtitle
imgUrl
duration
date

GET /api/opportunities

anon

read

Can read any opportunity

In general READ should have the same permissions as LIST

id
name,
subtitle
imgUrl
duration
date

GET /api/opportunities/:id

anon

create

No access

n/a

POST /api/

people

opportunities

org admin

anon

update

Can update any personAny field can be updated

No access

n/a

PUT /api/

people

opportunities/:id

org admin

anon

delete

No access

n/a

DELETE /api/

people

opportunities/:id

admin

vp

list

Can list

all people

published¹ opportunities and see full details

All fields

GET /api/

people

opportunities

admin

vp

read

Can

read any personAll fieldsGET /api/people/:idadmincreateCan create new userAll fieldsPOST /api/peopleadminupdateCan update any personAll fields can be updatedPUT /api/people

see full details of the published¹ ops

All fields

GET /api/opportunities/:id

admin

vp

delete

create

Can

delete any person⁴

create opportunities of the 'offer' type

n/a

DELETE

POST /api/

people/:idownerlistList all people ¹See note 2GET /api/peopleownerread

Can read any person

See note 2 and 3GET /api/people

opportunities
vp	update	No access	n/a	PUT /api/opportunities/:id

owner

vp

create

delete

No access

n/a

POST

DELETE /api/

peopleownerupdateCan only update their own record

Permitted to change:

name
nickname
about
location
phone
pronoun
language
website
facebook
twitter
education
placeOfWork
job
sendEmailNotifications
role*
- Only an ADMIN user can assign the ADMIN role to a user
- Only an ADMIN user can assign the TESTER role to a user
- All other role values can be assigned at this time – although this will need review
status
tags
teacher

Denied:

email
dateAdded

PUT /api/people/:idownerdeleteCan delete their own account⁴

opportunities/:id
op	list	Can list published¹ opportunities and see full details	All fields	GET /api/opportunities
op	read	Can see full details of the published¹ ops	All fields	GET /api/opportunities/:id
op	create	Can create opportunities of the 'offer' type	n/a	POST /api/opportunities
op	update	No access	n/a	PUT /api/opportunities/:id
op	delete	No access	n/a	DELETE /api/

people

List

GET /api/opportunities

RoleCananoncan list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.allcan list published ops and see full details ( published includes active and completed )admincan list

opportunities/:id

Notes:

VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
Standard non-owner people fields are a whitelist of:
- id
- nickname
- language
- name
- status
- avatar
- about
- language
- imgUrl
- role
- pronoun
- tags
- facebook
- website
- twitter
- sendEmailNotifications
VP-1268 is a card to return all fields when the request is for the current user
VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics

## Create
Person - Created when new person signs in - All
Opportunity - all - but only into draft mode. May require org-admin approval to set active state
Activity - ap,
Organisation - Admin
Interest - vp
tag - all

## Read
Person - All
Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

## Update
## Delete
In most cases Delete paths should be only available to Admin ( and some API keyholders)
Also in most cases Delete should not remove a document but move it into a new state, or collection.

Opportunities

RoleActionPermissionsFieldsMethod + RouteWork done VP-1098?anonlist

Can list opportunities

Restrictions: active, near future, and returns Card level info

(To see more they have to sign in)

id
name,
subtitle
imgUrl
duration

GET /api/opportunities✔anonread

Can read any opportunity

In general READ should have the same permissions as LIST

id
name,
subtitle
imgUrl
duration

GET /api/opportunities/:id✔anoncreateNo accessn/aPOST /api/opportunities✔anonupdateNo accessn/aPUT /api/opportunities/:id✔anondeleteNo accessn/aDELETE /api/opportunities/:id✔vplistCan list published opportunities and see full details ( published includes active and completed)All fieldsGET /api/opportunities✔vpreadCan see full details of the published ops (active and completed)All fields

admin	list	All opportunities	All fields	GET /api/opportunities
admin	read	Any opportunity	All fields	GET /api/opportunities/:id
admin	create	Can create any opportunity	All fields	POST /api/opportunities
admin	update	Can update any opportunity	All fields	PUT /api/opportunities
admin	delete	Can delete any opportunity If an admin wishes to archive an opportunity they should `PUT` with the `status` field set to the COMPLETED or CANCELLED value	n/a	DELETE /api/opportunities/:id
org admin	list	~~Can list published and draft ops created by people in their org~~ Can list all opportunities	All fields	GET /api/opportunities
org admin	read	Can list published¹ opportunities and see full details	All fields	GET /api/opportunities/:id
org admin	create	Can create opportunities	All fields `offerOrg` must be one of the current users organisations	POST /api/opportunities
org admin	update	Can update opportunities for their organisation only	All fields `offerOrg` must be one of the current users organisations	PUT /api/opportunities
owner	read	Can see full details of ops they own Only ops that are published¹	All fields	GET /api/opportunities/:id
owner	create	n/a	n/a	n/a
owner	update	Can change the `status` to `COMPLETED` or `CANCELLED` Can change the fields listed	name title subtitle imgUrl description duration location venue status status value transition permission work todo: VP-1325 date offerOrg href tags	PUT /api/opportunities/:id
owner	delete	Cannot delete The owner can `PUT` to the opportunity with a `status` change to archive the opportunity however	n/a	DELETE /api/opportunities/:id

Notes:

Published = Active or Completed status

List

GET /api/opportunities

Role	Can
anon	can list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.
all	can list published ops and see full details ( published includes active and completed )
admin	can list ops in all states
org-admin	can list published and draft ops created by people in their org

Create

POST /api/opportunities

Role	Can
anon	cannot list people
all	can list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
vp	can create opportunities of the 'offer' type
op	can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active. org is fixed to org of owner
admin	can create anything
org-admin	can create ops and move draft ops to published.

Read

GET /api/opportunities/:id

Role	Can
anon	can see full details of the op, (must be active state) need to sign in to express interest
all	can see full details of the active and completed ops
admin	can see full details of ops in all states
org-admin	can list published and draft see full details of ops in all states for ops created by people in their org

Create

POST

org.
owner	can see full details of ops they own

Update

PUT /api/opportunities/:id

Delete

DELETE /api/opportunities/:id

RoleCananonno accessallno accessadmincan remove a record by putting it into archived collectionorg-admincan remove a record by putting it into archived collection for their orgownercan change state to 'closed'

School invite

This API end point does not map to a mongoose model it is used to trigger invite school emails and by people who accept those school invites.

Role

Action

Permissions

Fields

Method + Route

all authenticated

n/a

Can visit URL to accept invite and will have their school created as an organisation and made an org admin of that school (URL will also include a token containing school id)

Role	Can
anon	cannot list peopleno access
all	can list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
vp	can create opportunities of the 'offer' type
op	can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active. org is fixed to org of owner
admin	can create anything
org-admin	can create ops and move draft ops to published.

Read

GET /api/opportunities/:id

RoleCananoncan see full details of the op, (must be active state) need to sign in to express interestallcan see full details of the active and completed opsadmincan see full details of ops in all statesorg-admincan see full details of ops in all states for ops created by people in their org.ownercan see full details of ops they own

Update

PUT /api/opportunities/:id

RoleCananonno accessallcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.admincan update ops including state changeorg-admincan update ops including state change for ops created by people in their orgownercan update their own ops. cannot change org,

.
admin	can update ops including state change
org-admin	can update ops including state change for ops created by people in their org
owner	can update their own ops. cannot change org,

Delete

DELETE /api/opportunities/:id

Role	Can
anon	no access
all	no access
admin	can remove a record by putting it into archived collection
org-admin	can remove a record by putting it into archived collection for their org
owner	can change state to 'closed'

School invite

This API end point does not map to a mongoose model it is used to trigger invite school emails and by people who accept those school invites.

Role	Action	Permissions	Fields	Method + Route
all authenticated	n/a	Can visit URL to accept invite and will have their school created as an organisation and made an org admin of that school (URL will also include a token containing school id)	n/a	GET /api/notify/school-invite/accept
admin	n/a	Can send a school invite email	n/a	POST /api/notify/school-invite

School lookup

Role	Action	Permissions	Fields	Method + Route
anon	list	No access	n/a	GET /api/schools
anon	read	No access	n/a	GET /api/schools/:id
anon	create	No access	n/a	POST /api/schools
anon	update	No access	n/a	PUT /api/schools/:id
anon	delete	No access	n/a	DELETE /api/schools/:id
all	list	No access	n/a	GET /api/schools
all	read	No access	n/a	GET /api/schools/:id
all	create	No access	n/a	POST /api/schools
all	update	No access	n/a	PUT /api/schools/:id
all	delete	No access	n/a	DELETE /api/schools/:id
admin	list	Can list school lookup records	n/a	GET /api/

notify/school-invite/accept

schools
admin	read	No access	n/a	GET /api/schools/:id
admin	create	No access	n/a

Can send a school invite email

POST /api/schools
admin	update	No access	n/a	PUT /api/schools/:id
admin	delete	No access	n/a

POST

DELETE /api/

notify/school-invite

schools/:id

Activities

List

GET /api/activities

Role	Can
anon	can list if active
all	can list if active
admin	can list all
org-admin	can list all where ap is in org
ap (owner)	can list all they are owner for

Create

POST api/activity

Role	Can
anon	no access
vp	no access
op	no access
ap	can create new activity record
admin	can create new activity record
org-admin	can act as ap for person in their org

Read

GET api/activity/:id

Role	Can
anon	can view details if state is active
all	can view details if state is active
admin	can see all
org-admin	can emulate ap for people in their org, can see draft acts.
ap (owner)	can view details in all states.

Update

PUT api/activity/:id

Role	Can
anon	no access
all	no access
vp	no access
op	no access
ap (owner)	can update acts they are owner for
admin	can update
org-admin	can act as ap for acts in their org

Delete

DELETE api/activity/:id

Role	Can
anon	no access
all	no access
admin	can delete
org-admin (owner org)	no access, can put into closed state (via Update)
ap (owner)	no access, can put into closed state (via Update)

Organisations

Organisation information is essentially public, everyone can read except for the info section which depends on membership status.

Note - in the medium term we do not need to block info fields from the API. We will communicate to orgAdmins that the content is not strictly private and should only contain summary information and links to internal web pages.

List

GET /api/organisations

Role	Can
anon	List all organisations, all fields
vp	List all organisations, all fields
op	List all organisations, all fields
ap	List all organisations, all fields
resource provider	List all organisations, all fields
admin	List all organisations, all fields
org-admin	List all organisations, all fields

Read

GET /api/organisations/:id

Role	Can
anon	Read the entity and all fields
vp	Read the entity and all fields
op	Read the entity and all fields
ap	Read the entity and all fields
resource provider	Read the entity and all fields
admin	Read the entity and all fields
org-admin	Read the entity and all fields

Create

POST /api/organisations

Role	Can
anon	No access
vp	No access
op	No access
ap	No access
resource provider	No access
admin	Can create new organisation
org-admin	No access

Update

PUT /api/organisations/:id

Role	Can
anon	No access
vp	No access
op	No access
ap	No access
admin	Can update all fields
org-admin	Can update all fields for the organisation they administer except category No access to other organisations

Delete

Only system admins can delete an organisation. This should be a rare event as it will leave all the assets linked to the organisation dangling. i.e Ops.offerOrg, Member.organisation etc.

DELETE /api/organisations/:id

Role	Can
anon	No access
vp	No access
op	No access
ap	No access
admin	Can delete
org-admin	No access

The tagList collection provides arrays of strings each of which is a word list that can be used for tags or select fields.

if requested without a wordlist id the GET call returns the default list of keywords.

As of Feb 2020 this feature is only partially implemented providing only a single word list.

The lists are read only to all except admins.

Role	Action	Permissions	Fields	Method + Route
anon	list	No access	n/a	GET /api/tags
anon	read	No access	n/a	GET /api/tags/:id
anon	create	No access	n/a	POST /api/tags
anon	update	No access	n/a	PUT /api/tags/:id
anon	delete	No access	n/a	DELETE /api/tags/:id
Authed	list	List default word list	All	GET /api/tags
Authed	read	List specific word list	All	GET /api/tags/:id
Authed	create	No access	All	POST /api/tags
Authed	update	No access	n/a	PUT /api/tags/:id
Authed	delete	No access	n/a	DELETE /api/tags/:id
admin	list	Can list all	All	GET /api/tags
admin	read	Can read all	All	GET /api/tags/:id
admin	create	Can create any	n/a	POST /api/tags
admin	update	Can update any	n/a	PUT /api/tags/:id
admin	delete	Can delete any	n/a	DELETE /api/tags/:id

Table of Contents

Page Comparison

Versions Compared

Old Version 30

New Version Current

Key

User Roles

Archived Opportunities

Interests

User Roles

Archived Opportunities

Interests

Interest archive

Member

People

Member

Notes:

Opportunities

List

Notes:

Opportunities

List

Create

Read

Create

Update

Delete

School invite

Read

Update

Delete

School invite

School lookup

Activities

List

Create

Read

Update

Delete

Organisations

List

Read

Create

Update

Delete

Tags (TagList)