Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules

Access is controlled by the identity and Role of the user

User Roles

RoleMeansanonperson is not signed in. They can view various parts of the site but cannot change anything.  Most clicks will prompt them to register and sign in.allall signed in users, they can browse more of the site create opportunties and manage their personal profile.vpvolunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vpopOpportunity provider - e.g a teacher. person who creates and manages an opportunity.apActivity provider / content provider, can create and manage activities.testercan see debug and analytics pagesadminoperational admin, can do almost everything through the UIorg-adminCan manage an organisation, its members and can set an approval process for listingsownerThe specific person responsible for a record e.g a personal profile, opportuntity etc.

Archived Opportunities

RoleActionPermissionsFieldsMethod + RouteanonlistView all archived opportunities with status "Completed"id, name, subtitle, img_url, duration
GET /api/archivedOpportunitiesanonreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:idanoncreateNo accessn/an/aanonupdateNo accessn/an/aanondeleteNo accessn/an/aalllistView all archived opportunities with status "Completed"id, name, subtitle, img_url, durationGET /api/archivedOpportunitiesallreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:idall

The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules


Access is controlled by the identity and Role of the user

User Roles

RoleMeans
anonperson is not signed in. They can view various parts of the site but cannot change anything.  Most clicks will prompt them to register and sign in.
allall signed in users, they can browse more of the site create opportunties and manage their personal profile.
vpvolunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vp
opOpportunity provider - e.g a teacher. person who creates and manages an opportunity.
apActivity provider / content provider, can create and manage activities.
testercan see debug and analytics pages
adminoperational admin, can do almost everything through the UI
org-adminCan manage an organisation, its members and can set an approval process for listings
ownerThe specific person responsible for a record e.g a personal profile, opportuntity etc.


Archived Opportunities

RoleActionPermissionsFieldsMethod + Route
anonlistView all archived opportunities with status "Completed"id, name, subtitle, img_url, duration
GET /api/archivedOpportunities
anonreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
anoncreateNo accessn/an/a
anonupdateNo accessn/an/a
anondeleteNo accessn/an/a
alllistView all archived opportunities with status "Completed"id, name, subtitle, img_url, durationGET /api/archivedOpportunities
allreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
allcreateNo accessn/an/a
allupdateNo accessn/an/a
alldeleteNo accessn/an/a
adminlistView all archived opportunitiesid, name, subtitle, img_url, durationGET /api/archivedOpportunities
adminreadView individual archived opportunity recordsallGET /api/archivedOpportunities/:id
admincreateCan create recordsallPOST /api/archivedOpportunities
adminupdateCan update recordsallPUT /api/archivedOpportunities/:id
admindeleteCan delete recordsallDELETE /api/archivedOpportunities/:id

Interests

RoleActionPermissionsFieldsMethod + Route
anonlistNo accessn/aGET /api/interests
anonreadNo accessn/aGET /api/interests/:id
anoncreateNo accessn/aPOST /api/interests
anonupdateNo accessn/aPUT /api/interests/:id
anondeleteNo accessn/aDELETE /api/interests/:id
volunteerlistCan list own interest recordsAllGET /api/interests
volunteerreadCan read own interest recordsAllGET /api/interests/:id
volunteercreateCan create own interest recordsopportunity, comment (all other fields set by default)POST /api/interests
volunteerupdateNo accessn/aPUT /api/interests/:id
volunteerdeleteCan delete own interest recordsn/aDELETE /api/interests/:id
oplistCan list interest records for their opportunitiesAllGET /api/interests
opreadCan read interest records for their opportunitiesAllGET /api/interests/:id
opcreateNo accessn/aPOST /api/interests
opupdateCan update status field of interest records for their opportunitiesstatusPUT /api/interests/:id
opdeleteNo accessn/aDELETE /api/interests/:id
org adminlistCan list interest records for the opportunities provided by their organisationAllGET /api/interests
org adminreadCan read interest records for the opportunities provided by their organisationAllGET /api/interests/:id
org admincreateNo accessn/aPOST /api/interests
org adminupdateCan update the status field of interest records for the opportunities provided by their organisationstatusPUT /api/interests/:id
org admindeleteNo accessn/aDELETE /api/interests/:id
adminlistCan list all interest records on the platformn/aGET /api/interests
adminreadCan read all interest records on the platformn/aGET /api/interests/:id
admincreateCan create interest recordsn/aPOST /api/interests
adminupdateCan update all interest records on the platformn/aPUT /api/interests/:id
admindeleteCan delete all interest records on the platformn/aDELETE /api/interests/:id

Interest archive

id, name, subtitle, img_url, duration

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

GET /api/interestsArchived

anon

read

No access

n/a

GET /api/interestsArchived/:id

anon

create

No access

n/a

n

POST /api/

a

InterestsArchived

all

anon

update

No access

n/a

n/aall

PUT /api/interestsArchived/:id

anon

delete

No access

n/a

n/aadminlistView all archived opportunities

DELETE /api/interestsArchived/:id

volunteerlistCan list their own interest archive recordsn/aGET /api/archivedOpportunitiesinterestsArchived
adminvolunteerreadView individual archived opportunity Can read their own interest archive recordsalln/aGET /api/archivedOpportunitiesinterestsArchived/:id
adminvolunteercreateCan create recordsallNo accessn/aPOST /api/archivedOpportunitiesinterestsArchived
adminvolunteerupdateCan update recordsallNo accessn/aPUT /api/archivedOpportunitiesinterestsArchived/:id
adminvolunteerdeleteCan delete recordsallNo accessn/aDELETE /api/archivedOpportunitiesinterestsArchived/:id
Interests
anoninterestsvolunteer own Allinterestsvolunteer own interestsvolunteeropportunity, comment (all other fields set by default)interestsvolunteern/ainterestsvolunteerCan delete own interest recordsinterestsop interest records for their opportunitiesAllinterestsop for their opportunitiesAllinterestsopNo accessinterestsop status field of for their opportunitiesstatusinterestsopNo accessinterestsAll

op

RoleActionPermissionsFieldsMethod + Route
anonlistNo access

list

Can list interest archive records for their opportunities

n/a

GET /api/

interests

interestsArchived

anon

op

read

No access

Can read interest archive records for their opportunities

n/a

GET /api/

interests

interestsArchived/:id

anon

op

create

No access

n/a

POST /api/

interests

InterestsArchived

anon

op

update

No accessn/a

Can update status field for interest archive records for their opportunities

status

PUT /api/

interests

interestsArchived/:id

op

delete

No access

n/a

DELETE /api/

interestsArchived/:id

org admin

list

Can list

interest archive records

for the opportunities provided by their organisation

n/a

GET /api/

interestsArchived

org admin

read

Can read

interest archive records

All

for the opportunities provided by their organisation

n/a

GET /api/

interestsArchived/:id

org admin

create

Can create own interest records

No access

n/a

POST /api/

InterestsArchived

org admin

update

No access

Can update status field for interest archive records for the opportunities provided by their organisation

status

PUT /api/

interestsArchived/:id

org admin

delete

No access

n/a

DELETE /api/

interestsArchived/:id

admin

list

Can list

all interest archive records

n/a

GET /api/

interestsArchived

admin

read

Can read all interest archive records

n/a

GET /api/

interestsArchived/:id

admin

create

Can create interest archive records

n/a

POST /api/

InterestsArchived

admin

update

Can update

all interest archive records

n/a

PUT /api/

interestsArchived/:id

admin

delete

Can delete all interest archive records

n/a

DELETE /api/

interestsArchived/:id

org adminlistCan list interest records for the opportunities provided by their organisation

Member

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

GET /api/

interests

members

org admin

anon

read

Can read interest records for the opportunities provided by their organisationAll

No access

n/a

GET /api/

interests

members/:id

org admin

anon

create

No access

n/a

POST /api/

interests

members

org adminstatus

anon

update

Can update the status field of interest records for the opportunities provided by their organisation

No access

n/a

PUT /api/

interests

members/:id

org admin

anon

delete

No access

n/a

DELETE /api/

interests

members/:id

admin

all

list

Can list

all interest records on the platform

their own member records

n/a

GET /api/

interests

members

admin

all

read

Can read

all interest records on the platform

their own member records

n/a

GET /api/

interests

members/:id

admin

all

create

Can create

interest recordsn/a

their own member records with certain statuses

status (follower, joiner, validator), person (only themselves)

POST /api/

interests

members

admin

all

update

Can update

all interest records on the platformn/a

their own member records with certain statuses

status (none, follower, joiner, validator, exmember), person (only themselves)

PUT /api/

interests

members/:id

admin

all

delete

Can delete all interest records on the platform

No access

n/a

DELETE /api/

interests

members/:id

Interest archive

org admin

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

list

Can list member records for their organisations

n/a

GET /api/

interestsArchived

members

anon

org admin

read

No access

Can read member records for their organisations

n/a

GET /api/

interestsArchived

members/:id

anon

org admin

create

No access

Can create member records for their organisations

n/a

POST /api/

InterestsArchived

members

anon

org admin

update

No access

Can update member records for their organisations

n/a

PUT /api/

interestsArchived

members/:id

anon

org admin

delete

No access

n/a

DELETE /api/

interestsArchived

members/:id

op

admin

list

Can list

interest archive records for their opportunities

all member records

n/a

GET /api/

interestsArchived

members

op

admin

read

Can read

interest archive records for their opportunities

all member records

n/a

GET /api/

interestsArchived

members/:id

op

admin

create

No access

Can create member records

n/a

POST /api/

InterestsArchived

members

op

admin

update

Can update

status field for interest archive records for their opportunitiesstatus

all member records

n/a

PUT /api/

interestsArchived

members/:id

op

admin

delete

No access

Can delete all member records

n/a

DELETE /api/

interestsArchived

members/:id

org admin

list

Can list interest archive records for the opportunities provided by their organisation

People

RoleActionPermissionsFieldsMethod + Route
anonlistNo accessn/aGET /api/
interestsArchived
people
org admin
anonread
Can read interest archive records for the opportunities provided by their organisation
No accessn/aGET /api/
interestsArchived
people/:id
org admin
anoncreateNo accessn/aPOST /api/
InterestsArchived
people
org adminstatus
anonupdate

Can update status field for interest archive records for the opportunities provided by their organisation

No accessn/aPUT /api/
interestsArchived
people/:id
org admin
anondeleteNo accessn/aDELETE /api/
interestsArchived
people/:id
adminn/a
vplist

Can list all interest archive records

List all people 1

See note 2GET /api/
interestsArchived
people
admin
vpread

Can read

all interest archive recordsn/a

any person 1

Can be indirectly provided with contact details for a vp via an interested record in invited state

See note 2GET /api/
interestsArchived
people/:id
admin
vpcreate
Can create interest archive records
No accessn/aPOST /api/
InterestsArchived
people
admin
vpupdate
Can update all interest archive records
No accessn/aPUT /api/
interestsArchived
people/:id
admin
vpdelete
Can delete all interest archive records
No accessn/aDELETE /api/
interestsArchived

Role

Action

Permissions

Fields

Method + Route

anon
people/:id

Member

n/a
oplist

No access

List all people 1See note 2GET /api/
members
people
anonn/a
opread

No access

Can read any person 1See note 2GET /api/
members
people/:id
anon
opcreateNo accessn/aPOST /api/
members
people
anon
opupdateNo accessn/aPUT /api/
members
people/:id
anon
opdeleteNo accessn/aDELETE /api/
members
people/:id
alln/a
testerlist

Can list their own member records

List all people 1See note 2GET /api/
members
people
all
testerreadCan read
their own member recordsn/a
any person 1All fields can be readGET /api/
members
people/:id
all
testercreate

Can create their own member records with certain statuses

status (follower, joiner, validator), person (only themselves)
No accessn/aPOST /api/
members
people
all
testerupdateCan update
their own member records with certain statusesstatus (none, follower, joiner, validator, exmember), person (only themselves)
any personn/aPUT /api/
members
people/:id
all
testerdelete
No access
Can delete any personn/aDELETE /api/
membersn/a
people/:id
org adminlist

Can list member records for their organisations

List all people 1See note 2GET /api/
members
people
org adminreadCan read
member records for their organisationsn/a
any person 1See note 2GET /api/
members
people/:id
org admincreate
Can create member records for their organisations
No accessn/aPOST /api/
members
people
org adminupdateCan update
member records for their organisationsn/a
any personAny field can be updatedPUT /api/
members
people/:id
org admindeleteNo accessn/aDELETE /api/
members
people/:id
adminlistCan list all
member recordsn/a
peopleAll fieldsGET /api/
members
people
adminreadCan read
all member recordsn/a
any personAll fieldsGET /api/
members
people/:id
admincreateCan create
member recordsn/a
new userAll fieldsPOST /api/
members
people
adminupdateCan update
all member recordsn/a
any personAll fields can be updatedPUT /api/
members
people/:id
admindelete

Can delete

all member records

any person4

n/aDELETE /api/
members
people/:id

People

n/aorg admin
RoleActionPermissionsFieldsMethod + Route
anonlistNo accessownerlistList all people 1See note 2GET /api/people
anonownerreadNo accessn/a

Can read any person

See note 2 and 3GET /api/people/:id
anonownercreateNo accessn/aPOST /api/people
anonownerupdateNo accessn/aPUT /api/people/:id
anondeleteNo accessn/aDELETE /api/people/:id
vplist

List all people 1

See note 2GET /api/people
vpread

Can read any person 1

Can be indirectly provided with contact details for a vp via an interested record in invited state

See note 2GET /api/people/:id
vpcreateNo accessn/aPOST /api/people
vpupdateNo accessn/aPUT Can only update their own record

Permitted to change:

  • name
  • nickname
  • about
  • location
  • phone
  • pronoun
  • language
  • website
  • facebook
  • twitter
  • education
  • placeOfWork
  • job
  • sendEmailNotifications
  • role*
    • Only an ADMIN user can assign the ADMIN role to a user
    • Only an ADMIN user can assign the TESTER role to a user
    • All other role values can be assigned at this time – although this will need review
  • status
  • tags
  • teacher

Denied:

  • email
  • dateAdded
PUT /api/people/:id
ownerdeleteCan delete their own account4n/aDELETE /api/people/:id
vpdeleteNo accessn/aDELETE /api/people/:id
oplistList all people 1See note 2GET /api/people
opreadCan read any person 1See note 2GET /api/people/:id
opcreateNo accessn/aPOST /api/people
opupdateNo accessn/aPUT /api/people/:id
opdeleteNo accessn/aDELETE /api/people/:id
testerlistList all people 1See note 2GET /api/people
testerreadCan read any person 1All fields can be readGET /api/people/:id
testercreateNo accessn/aPOST /api/people
testerupdateCan update any personn/aPUT /api/people/:id
testerdeleteCan delete any personn/aDELETE /api/people/:id
org adminlistList all people 1See note 2GET /api/people
org adminreadCan read any person 1See note 2GET /api/people/:id

Notes:

  1. VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
  2. Standard non-owner people fields are a whitelist of:
    • id
    • nickname
    • language
    • name
    • status
    • avatar
    • about
    • language
    • imgUrl
    • role
    • pronoun
    • tags
    • facebook
    • website
    • twitter
    • sendEmailNotifications
  3. VP-1268 is a card to return all fields when the request is for the current user
  4. VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics


## Create
Person - Created when new person signs in - All
Opportunity - all - but only into draft mode. May require org-admin approval to set active state
Activity - ap,
Organisation - Admin
Interest - vp
tag - all

## Read
Person - All
Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

## Update
## Delete
In most cases Delete paths should be only available to Admin ( and some API keyholders)
Also in most cases Delete should not remove a document but move it into a new state, or collection.

Opportunities

RoleActionPermissionsFieldsMethod + Route
anonlist

Can list opportunities

Restrictions: active, near future, and returns Card level info

(To see more they have to sign in)

  • id
  • name,
  • subtitle
  • imgUrl
  • duration
  • date
GET /api/opportunities
anonread

Can read any opportunity

In general READ should have the same permissions as LIST

  • id
  • name,
  • subtitle
  • imgUrl
  • duration
  • date
GET /api/opportunities/:id
anoncreateNo accessn/aPOST /api/
people
opportunities
org admin
anonupdate
Can update any personAny field can be updated
No accessn/aPUT /api/
people
opportunities/:id
org admin
anondeleteNo accessn/aDELETE /api/
people
opportunities/:id
admin
vplistCan list
all people
published1 opportunities and see full detailsAll fieldsGET /api/
people
opportunities
admin
vpreadCan
read any personAll fieldsGET /api/people/:idadmincreateCan create new userAll fieldsPOST /api/peopleadminupdateCan update any personAll fields can be updatedPUT /api/people
see full details of the published1 opsAll fieldsGET /api/opportunities/:id
admin
vp
delete
createCan
delete any person4
create opportunities of the 'offer' typen/a
DELETE
POST /api/
people/:idownerlistList all people 1See note 2GET /api/peopleownerread

Can read any person

See note 2 and 3GET /api/people
opportunities
vpupdateNo accessn/aPUT /api/opportunities/:id
owner
vp
create
deleteNo accessn/a
POST
DELETE /api/
peopleownerupdateCan only update their own record

Permitted to change:

  • name
  • nickname
  • about
  • location
  • phone
  • pronoun
  • language
  • website
  • facebook
  • twitter
  • education
  • placeOfWork
  • job
  • sendEmailNotifications
  • role*
    • Only an ADMIN user can assign the ADMIN role to a user
    • Only an ADMIN user can assign the TESTER role to a user
    • All other role values can be assigned at this time – although this will need review
  • status
  • tags
  • teacher

Denied:

  • email
  • dateAdded
PUT /api/people/:idownerdeleteCan delete their own account4
opportunities/:id
oplistCan list published1 opportunities and see full detailsAll fieldsGET /api/opportunities
opreadCan see full details of the published1 opsAll fieldsGET /api/opportunities/:id
opcreateCan create opportunities of the 'offer' typen/aPOST /api/opportunities
opupdateNo accessn/aPUT /api/opportunities/:id
opdeleteNo accessn/aDELETE /api/
peopleRoleActionPermissionsFieldsMethod + RouteWork done VP-1098?anonlist

Can list opportunities

Restrictions: active, near future, and returns Card level info

(To see more they have to sign in)

  • id
  • name,
  • subtitle
  • imgUrl
  • duration
GET /api/opportunitiesanonread

Can read any opportunity

In general READ should have the same permissions as LIST

  • id
  • name,
  • subtitle
  • imgUrl
  • duration
GET /api/opportunities/:idanoncreateNo accessn/aPOST /api/opportunitiesanonupdateNo accessn/aPUT /api/opportunities/:idanondeleteNo accessn/aDELETE
opportunities/:id

Notes:

  1. VP-1264 is the card to limit the people returned from the list API. VP-1267 is to limit who can access the read API
  2. Standard non-owner people fields are a whitelist of:
    • id
    • nickname
    • language
    • name
    • status
    • avatar
    • about
    • language
    • imgUrl
    • role
    • pronoun
    • tags
    • facebook
    • website
    • twitter
    • sendEmailNotifications
  3. VP-1268 is a card to return all fields when the request is for the current user
  4. VP-1297 future work to anonymise user's data but keep their person record so that relationships are preserved for historical data and analytics

## Create
Person - Created when new person signs in - All
Opportunity - all - but only into draft mode. May require org-admin approval to set active state
Activity - ap,
Organisation - Admin
Interest - vp
tag - all

## Read
Person - All
Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

## Update
## Delete
In most cases Delete paths should be only available to Admin ( and some API keyholders)
Also in most cases Delete should not remove a document but move it into a new state, or collection.

Opportunities

adminlistAll opportunitiesAll fieldsGET /api/opportunities
adminreadAny opportunityAll fieldsGET /api/opportunities/:id
admincreateCan create any opportunityAll fieldsPOST /api/opportunities
adminupdateCan update any opportunityAll fieldsPUT /api/opportunities
admindelete

Can delete any opportunity

If an admin wishes to archive an opportunity they should PUT with the status field set to the COMPLETED or CANCELLED value

n/aDELETE /api/opportunities/:id
org adminlist

Can list published and draft ops created by people in their org

Can list all opportunities

All fieldsGET /api/opportunities
org adminreadCan list published1 opportunities and see full detailsAll fieldsGET /api/opportunities/:id
org admincreateCan create opportunities

All fields

  • offerOrg must be one of the current users organisations
POST /api/opportunities
org adminupdateCan update opportunities for their organisation only

All fields

  • offerOrg must be one of the current users organisations
PUT /api/opportunities
ownerread

Can see full details of ops they own

  • Only ops that are published1
All fieldsGET /api/opportunities/:id
ownercreaten/an/an/a
ownerupdate
  • Can change the 
  • status to COMPLETED or CANCELLED
  • Can change the fields listed
  • name
  • title
  • subtitle
  • imgUrl
  • description
  • duration
  • location
  • venue
  • status
    • status value transition permission work todo: VP-1325
  • date
  • offerOrg
  • href
  • tags
PUT /api/opportunities/:id
owner
vpGET
delete
listCan list published opportunities and see full details ( published includes active and completed)All fields

Cannot delete

The owner can PUT to the opportunity with a status change to archive the opportunity however

n/aDELETE /api/opportunities/:id
vpreadCan see full details of the published ops (active and completed)All fields

Notes:

  1. Published = Active or Completed status

List

GET /api/opportunities

RoleCan
anoncan list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.
allcan list published ops and see full details ( published includes active and completed )
admincan list ops in all states
org-admincan list published and draft ops created by people in their org

Create

POST /api/opportunities

RoleCan
anoncannot list people
allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
vpcan create opportunities of the 'offer' type
op

can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active.

org is fixed to org of owner

admincan create anything
org-admincan create ops and move draft ops to published.

Read

GET /api/opportunities/:id

RoleCan
anoncan see full details of the op, (must be active state) need to sign in to express interest
allcan see full details of the active and completed ops
admincan see full details of ops in all states
org-admincan see full details of ops in all states for ops created by people in their org.
ownercan see full details of ops they own

Update

PUT /api/opportunities/:id

RoleCan
anonno access
allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
admincan update ops including state change
org-admincan update ops including state change for ops created by people in their org
ownercan update their own ops. cannot change org,

Delete

DELETE /api/opportunities/:id

RoleCan
anonno access
allno access
admincan remove a record by putting it into archived collection
org-admincan remove a record by putting it into archived collection for their org
ownercan change state to 'closed'


School invite

This API end point does not map to a mongoose model it is used to trigger invite school emails and by people who accept those school invites.

Role

Action

Permissions

Fields

Method + Route

all authenticated

n/a

Can visit URL to accept invite and will have their school created as an organisation and made an org admin of that school (URL will also include a token containing school id)

n/a

GET /api/notify/school-invite/accept

admin

n/a

Can send a school invite email

n/a

POST /api/notify/school-invite

School lookup

Role

Action

Permissions

Fields

Method + Route

anon

list

No access

n/a

GET /api/schools

anon

read

No access

n/a

GET /api/schools/:id

anon

create

No access

n/a

POST /api/schools

anon

update

No access

n/a

PUT /api/schools/:id

anon

delete

No access

n/a

DELETE /api/schools/:id

all

list

No access

n/a

GET /api/schools

all

read

No access

n/a

GET /api/schools/:id

all

create

No access

n/a

POST /api/schools

all

update

No access

n/a

PUT /api/schools/:id

all

delete

No access

n/a

DELETE /api/schools/:id

admin

list

Can list school lookup records

n/a

GET /api/schools

admin

read

No access

n/a

GET /api/schools/:id

admin

create

No access

n/a

POST /api/schools

admin

update

No access

n/a

PUT /api/schools/:id

admin

delete

No access

n/a

DELETE /api/schools/:id

Activities

List

GET /api/activities

RoleCan
anoncan list if active
allcan list if active
admincan list all
org-admincan list all where ap is in org
ap (owner)can list all they are owner for

Create

POST api/activity

RoleCan
anonno access
vpno access
opno access
apcan create new activity record
admincan create new activity record
org-admincan act as ap for person in their org

Read

GET api/activity/:id

RoleCan
anoncan view details if state is active
allcan view details if state is active
admincan see all
org-admincan emulate ap for people in their org, can see draft acts.
ap (owner)can view details in all states.

Update

PUT api/activity/:id

RoleCan
anonno access
allno access
vpno access
opno access
ap (owner)can update acts they are owner for
admincan update
org-admincan act as ap for acts in their org

Delete

DELETE api/activity/:id

RoleCan
anonno access
allno access
admincan delete
org-admin (owner org)no access, can put into closed state (via Update)
ap (owner)no access, can put into closed state (via Update)



Organisations

Organisation information is essentially public, everyone can read except for the info section which depends on membership status.

Note - in the medium term we do not need to block info fields from the API. We will communicate to orgAdmins that the content is not strictly private and should only contain summary information and links to internal web pages.

List

GET /api/organisations

RoleCan
anonList all organisations, all fields
vpList all organisations, all fields
opList all organisations, all fields
apList all organisations, all fields
resource providerList all organisations, all fields
adminList all organisations, all fields
org-adminList all organisations, all fields

Read

GET /api/organisations/:id

RoleCan
anonRead the entity and all fields
vpRead the entity and all fields
opRead the entity and all fields
apRead the entity and all fields
resource providerRead the entity and all fields
adminRead the entity and all fields
org-adminRead the entity and all fields

Create

POST /api/organisations

RoleCan
anonNo access
vpNo access
opNo access
apNo access
resource providerNo access
adminCan create new organisation
org-adminNo access

Update

PUT /api/organisations/:id

RoleCan
anonNo access
vpNo access
opNo access
apNo access
adminCan update all fields
org-admin
  • Can update all fields for the organisation they administer except category
  • No access to other organisations

Delete

Only system admins can delete an organisation. This should be a rare event as it will leave all the assets linked to the organisation dangling. i.e Ops.offerOrg,  Member.organisation etc.

DELETE /api/organisations/:id

RoleCan
anonNo access
vpNo access
opNo access
apNo access
adminCan delete
org-adminNo access


Tags (TagList)

The tagList collection provides arrays of strings each of which is a word list that can be used for tags or select fields.

if requested without a wordlist id the GET call returns the default list of keywords.

As of Feb 2020 this feature is only partially implemented providing only a single word list. 

The lists are read only to all except admins.

RoleActionPermissionsFieldsMethod + Route
anonlistNo accessn/aGET /api/tags
anonreadNo accessn/aGET /api/tags/:id
anoncreateNo accessn/aPOST /api/tags
anonupdateNo accessn/aPUT /api/tags/:id
anondeleteNo accessn/aDELETE /api/tags/:id
AuthedlistList default word listAllGET /api/tags
AuthedreadList specific word listAllGET /api/tags/:id
AuthedcreateNo accessAllPOST /api/tags
AuthedupdateNo accessn/aPUT /api/tags/:id
AutheddeleteNo accessn/aDELETE /api/tags/:id
adminlistCan list allAllGET /api/tags
adminreadCan read allAllGET /api/tags/:id
admincreateCan create anyn/aPOST /api/tags
adminupdateCan update anyn/aPUT /api/tags/:id
admindeleteCan delete anyn/aDELETE /api/tags/:id



Table of Contents