Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »


The data in the Voluntari.ly system must have integrity, security, privacy.

Access to the data through the service api must implement the following access rules


Access is controlled by the identity and Role of the user

User Roles

RoleMeans
anonperson is not signed in. They can view various parts of the site but cannot change anything.  Most clicks will prompt them to register and sign in.
allall signed in users, they can browse more of the site create opportunties and manage their personal profile.
vpvolunteer time provider - i.e a volunteer, person who is interested in an opportunity. They can view opportunities in summary and detail form, show interest and communicate with the op-provider. by default everyone is a vp
opOpportunity provider - e.g a teacher. person who creates and manages an opportunity.
apActivity provider / content provider, can create and manage activities.
testercan see debug and analytics pages
adminoperational admin, can do almost everything through the UI
org-adminCan manage an organisation, its members and can set an approval process for listings
ownerThe specific person responsible for a record e.g a personal profile, opportuntity etc.


Archived Opportunities

RoleActionPermissionsFieldsMethod + Route
anonlistView all archived opportunities with status "Completed"id, name, subtitle, img_url, duration
GET /api/archivedOpportunities
anonreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
anoncreateNo accessn/an/a
anonupdateNo accessn/an/a
anondeleteNo accessn/an/a
alllistView all archived opportunities with status "Completed"id, name, subtitle, img_url, durationGET /api/archivedOpportunities
allreadView individual archived opportunity records with status "Completed"allGET /api/archivedOpportunities/:id
allcreateNo accessn/an/a
allupdateNo accessn/an/a
alldeleteNo accessn/an/a
adminlistView all archived opportunitiesid, name, subtitle, img_url, durationGET /api/archivedOpportunities
adminreadView individual archived opportunity recordsallGET /api/archivedOpportunities/:id
admincreateCan create recordsallPOST /api/archivedOpportunities
adminupdateCan update recordsallPUT /api/archivedOpportunities/:id
admindeleteCan delete recordsallDELETE /api/archivedOpportunities/:id

Interests

RoleActionPermissionsFieldsMethod + Route
anonlistNo accessn/aGET /api/interests
anonreadNo accessn/aGET /api/interests/:id
anoncreateNo accessn/aPOST /api/interests
anonupdateNo accessn/aPUT /api/interests/:id
anondeleteNo accessn/aDELETE /api/interests/:id
volunteerlistCan list own interest recordsAllGET /api/interests
volunteerreadCan read own interest recordsAllGET /api/interests/:id
volunteercreateCan create own interest recordsopportunity, comment (all other fields set by default)POST /api/interests
volunteerupdateNo accessn/aPUT /api/interests/:id
volunteerdeleteCan delete own interest recordsn/aDELETE /api/interests/:id
oplistCan list interest records for their opportunitiesAllGET /api/interests
opreadCan read interest records for their opportunitiesAllGET /api/interests/:id
opcreateNo accessn/aPOST /api/interests
opupdateCan update status field of interest records for their opportunitiesstatusPUT /api/interests/:id
opdeleteNo accessn/aDELETE /api/interests/:id
org adminlistCan list interest records for the opportunities provided by their organisationAllGET /api/interests
org adminreadCan read interest records for the opportunities provided by their organisationAllGET /api/interests/:id
org admincreateNo accessn/aPOST /api/interests
org adminupdateCan update the status field of interest records for the opportunities provided by their organisationstatusPUT /api/interests/:id
org admindeleteNo accessn/aDELETE /api/interests/:id
adminlistCan list all interest records on the platformn/aGET /api/interests
adminreadCan read all interest records on the platformn/aGET /api/interests/:id
admincreateCan create interest recordsn/aPOST /api/interests
adminupdateCan update all interest records on the platformn/aPUT /api/interests/:id
admindeleteCan delete all interest records on the platformn/aDELETE /api/interests/:id


People

List

GET /api/people

RoleCan
anoncannot list people
allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
admincan list all people
org-admincan list people in their organisation

Create (new person)

Post /api/people/

RoleCan
anonCan create one person by registering with a valid identity
allcannot create people
testerCan create new people
adminCan create new people
org-adminCan create a list of new people from an uploaded data set.

Read (single person)

GET /api/people/:id

RoleCan
anonNo
allCan browse a person's profile page but with contact details removed
vpcan be indirectly provided with contact details for a vp via an interested record in invited state
opCan browse a person's full profile page if they are in the same organisation
apCan browse a person's full profile page if they are in the same organisation
adminfull access
org-adminCan browse a person's full profile page if they are in the same organisation
ownerThe person matching the person ID can see all their profile details.

Update

PUT /api/people/:id

RoleCan
anonno access
allno access to change people records
admincan update person's record
org-admincan update person's record
ownercan update their own record

Delete

DELETE /api/people/:id

Usually delete will not delete the record from the database but will mark it as unavailable.

RoleCan
anonno access
allno access
adminCan delete a person, this will maintain the person_id record but replace all the PID information (email, name, avatar)  with anonymised placeholders so that historical records still work.
org-admincan mark person as no longer in the organisation but not remove them.
ownerA person can resign from the site and this will delete them as above for an admin.



## Create
Person - Created when new person signs in - All
Opportunity - all - but only into draft mode. May require org-admin approval to set active state
Activity - ap,
Organisation - Admin
Interest - vp
tag - all

## Read
Person - All
Opportunity - All+anon except in Draft mode - then only op-provider (op) and org-admin
Activity - All+anon except in Draft mode - then only activity-provider (ap) and org-admin

## Update
## Delete
In most cases Delete paths should be only available to Admin ( and some API keyholders)
Also in most cases Delete should not remove a document but move it into a new state, or collection.

Opportunities

List

GET /api/opportunities

RoleCan
anoncan list ops with restrictions - (active, near future, and returns Card level info, no details). To see more they have to sign in.
allcan list published ops and see full details ( published includes active and completed )
admincan list ops in all states
org-admincan list published and draft ops created by people in their org

Create

POST /api/opportunities

RoleCan
anoncannot list people
allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
vpcan create opportunities of the 'offer' type
op

can create opportunities of the 'request' type into draft state but may require org-admin permission to move to active.

org is fixed to org of owner

admincan create anything
org-admincan create ops and move draft ops to published.

Read

GET /api/opportunities/:id

RoleCan
anoncan see full details of the op, (must be active state) need to sign in to express interest
allcan see full details of the active and completed ops
admincan see full details of ops in all states
org-admincan see full details of ops in all states for ops created by people in their org.
ownercan see full details of ops they own

Update

PUT /api/opportunities/:id

RoleCan
anonno access
allcan list people matching criteria and get limited info back. ( name, avatar and skills/interest ) but not contact details.
admincan update ops including state change
org-admincan update ops including state change for ops created by people in their org
ownercan update their own ops. cannot change org,

Delete

DELETE /api/opportunities/:id

RoleCan
anonno access
allno access
admincan remove a record by putting it into archived collection
org-admincan remove a record by putting it into archived collection for their org
ownercan change state to 'closed'


Activities

List

GET /api/activities

RoleCan
anoncan list if active
allcan list if active
admincan list all
org-admincan list all where ap is in org
ap (owner)can list all they are owner for

Create

POST api/activity

RoleCan
anonno access
vpno access
opno access
apcan create new activity record
admincan create new activity record
org-admincan act as ap for person in their org

Read

GET api/activity/:id

RoleCan
anoncan view details if state is active
allcan view details if state is active
admincan see all
org-admincan emulate ap for people in their org, can see draft acts.
ap (owner)can view details in all states.

Update

PUT api/activity/:id

RoleCan
anonno access
allno access
vpno access
opno access
ap (owner)can update acts they are owner for
admincan update
org-admincan act as ap for acts in their org

Delete

DELETE api/activity/:id

RoleCan
anonno access
allno access
admincan delete
org-admin (owner org)no access, can put into closed state (via Update)
ap (owner)no access, can put into closed state (via Update)



Organisations

Organisation information is essentially public, everyone can read except for the info section which depends on membership status.

Note - in the medium term we do not need to block info fields from the API. We will communicate to orgAdmins that the content is not strictly private and should only contain summary information and links to internal web pages.

List

GET /api/organisations

RoleCan
anonList all organisations, all fields
vpList all organisations, all fields
opList all organisations, all fields
apList all organisations, all fields
resource providerList all organisations, all fields
adminList all organisations, all fields
org-adminList all organisations, all fields

Read

GET /api/organisations/:id

RoleCan
anonRead the entity and all fields
vpRead the entity and all fields
opRead the entity and all fields
apRead the entity and all fields
resource providerRead the entity and all fields
adminRead the entity and all fields
org-adminRead the entity and all fields

Create

POST /api/organisations

RoleCan
anonNo access
vpNo access
opNo access
apNo access
resource providerNo access
adminCan create new organisation
org-adminNo access

Update

PUT /api/organisations/:id

RoleCan
anonNo access
vpNo access
opNo access
apNo access
adminCan update all fields
org-admin
  • Can update all fields for the organisation they administer except category
  • No access to other organisations

Delete

Only system admins can delete an organisation. This should be a rare event as it will leave all the assets linked to the organisation dangling. i.e Ops.offerOrg,  Member.organisation etc.

DELETE /api/organisations/:id

RoleCan
anonNo access
vpNo access
opNo access
apNo access
adminCan delete
org-adminNo access




  • No labels