Security
drenfr01 edited this page Mar 5, 2015 · 5 revisions
To keep it simple, security is done by whitelisting: three separate onBeforeAction hooks, one per role (member, partnerAdmin, superAdmin), each listing the routes that role is allowed to reach.
This is done via IronRouter in the router.js file.
This means that if you add a new route (roughly one per new template), you MUST whitelist it under the appropriate onBeforeAction hook; a route that is not listed for a role is not reachable by that role.
Likewise, if you add a new role, you have to explicitly give it access to its routes.
The intent is that mistakes fail closed: if we get it wrong, we are overly restrictive rather than overly permissive.
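The following is an added example of the whitelist pattern described above, written in the IronRouter onBeforeAction style; it is not the project's router.js, and the route names, the `getRoles` callback and the `notAuthorized` template are assumptions. One caveat worth knowing when wiring three per-role hooks: a hook registered with `only: [...]` never runs for a route that is not in its list, so a forgotten route is open, not denied. The example therefore uses one global hook that looks every route up in the whitelist, which is what makes an unlisted route fail closed, and adds a helper that reports routes no role can reach so a forgotten entry is caught on purpose.

```javascript
// Added example: a fail-closed route whitelist in the IronRouter
// onBeforeAction style. Not the project's router.js; route names, the
// getRoles callback and the 'notAuthorized' template are assumptions.

const ROUTE_WHITELIST = {
  member:       ['home', 'myEvents', 'myPoints'],
  partnerAdmin: ['partnerMembers', 'createEvent', 'editEvent', 'approveEvents'],
  superAdmin:   ['createAdmin', 'partnerRollup', 'approveLocations', 'deleteMember'],
};

// A route is reachable only if one of the user's roles lists it.
// Unknown roles and unlisted routes both evaluate to false (default deny).
function isAllowed(roles, routeName) {
  return roles.some((role) => (ROUTE_WHITELIST[role] || []).includes(routeName));
}

// Builds a single global hook that runs for every route, so a route nobody
// whitelisted is denied rather than silently open. getRoles(userId) is
// injected (assumption) so the logic runs outside Meteor; in the app it
// would wrap whatever role lookup the project uses.
function makeGuard(getRoles) {
  return function onBeforeAction() {
    const roles = this.userId ? getRoles(this.userId) : [];
    if (isAllowed(roles, this.route.getName())) {
      this.next();                  // IronRouter: continue to the route action
    } else {
      this.render('notAuthorized'); // stops the hook chain; next() is not called
    }
  };
}

// Audit helper for "if you add a new route you MUST whitelist it": given the
// route names the router actually defines, report those no role can reach.
function unlistedRoutes(allRouteNames) {
  const listed = new Set(Object.values(ROUTE_WHITELIST).flat());
  return allRouteNames.filter((name) => !listed.has(name));
}

// Minimal stand-in for the hook's `this` so the guard can be exercised
// outside Iron Router (constructed test double, not a Meteor API).
function runGuard(guard, userId, routeName) {
  const outcome = { rendered: null, proceeded: false };
  const ctx = {
    userId,
    route: { getName: () => routeName },
    next: () => { outcome.proceeded = true; },
    render: (template) => { outcome.rendered = template; },
  };
  guard.call(ctx);
  return outcome;
}

// Iron Router wiring (assumed shape; guarded so the file also runs under Node).
// lookupRoles is whatever the app uses to map a userId to its role names.
if (typeof Router !== 'undefined') {
  const lookupRoles = (userId) => [];   // assumption: replace with the app's lookup
  Router.onBeforeAction(makeGuard(lookupRoles));
}
```

The audit helper is meant to be called from a test or a startup check with the router's real route names: any name it returns is a route that exists but that no hook whitelists, which under this guard is denied for everyone, which is the "overly restrictive" failure the page wants rather than an open route.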
superAdmin capabilities:
- only group that can create admins
- can add points not tied to an event
- delete member
- see partner rollup
- multiple admin accounts
- approve unrecognized locations
partnerAdmin capabilities:
- see members (if the member belongs to them)
- create events for themselves
- edit data (event participation, points, etc.)
- add / delete members
- can see attendance at events (RSVPs and actual)
- can edit hours, not points
- approve unrecognized events
- send email to a user, or an automatically generated one on approve / reject
- delete member affiliation
member capabilities:
- all users are the same (no custom screens, though the data shown may differ)