# Form Access Control

## Overview

The form execution system now includes comprehensive access control that determines whether users can edit or only view forms, based on their assignments and roles.

## How It Works

### Access Validation

When a user accesses a form in a process execution, the system checks:

1. **Direct Task Assignment**: If the task is directly assigned to the current user
2. **Process Definition Assignment**: If the form node in the process has specific user/role assignments
3. **Default Access**: If no specific assignment is found, defaults to public access

### Assignment Types

The system supports the following assignment types for forms:

#### 1. Public Assignment (`assignmentType: 'public'`)

- **Access**: Anyone can edit the form
- **Behavior**: Full edit access for all users

#### 2. User Assignment (`assignmentType: 'users'`)

- **Access**: Only specific users can edit the form
- **Check**: Current user ID or email must be in the `assignedUsers` array
- **Example**:

```json
{
  "assignmentType": "users",
  "assignedUsers": [
    {
      "value": "123",
      "label": "John Doe (john.doe)",
      "username": "john.doe"
    }
  ]
}
```

#### 3. Role Assignment (`assignmentType: 'roles'`)

- **Access**: Only users with specific roles can edit the form
- **Check**: Current user's roles must match the `assignedRoles` array
- **Example**:

```json
{
  "assignmentType": "roles",
  "assignedRoles": [
    {
      "value": "2",
      "label": "Manager"
    }
  ]
}
```

#### 4. Variable Assignment (`assignmentType: 'variable'`)

- **Access**: Dynamic assignment based on process variables
- **Behavior**: Currently allows access (future enhancement needed)

## User Experience

### Edit Access

Users with edit access see:

- Green "Edit Access" badge
- Fully functional form inputs
- Submit buttons enabled
- Conditional logic active

### Read-only Access

Users without edit access see:

- Yellow "Read-only Access" badge with warning icon
- Disabled form inputs with gray styling
- Submit buttons disabled
- Clear explanation of why access is restricted
- Form data is visible but not editable

### Visual Indicators

#### Tab Navigation

- Warning icon next to form names for read-only forms
- Visual distinction between editable and read-only forms

#### Form Header

- Access status badges (Edit Access / Read-only Access)
- Detailed explanation for read-only access
- Color-coded indicators (green for edit, yellow for read-only)

#### Form Fields

- Disabled styling for read-only inputs
- Reduced opacity for the entire form when disabled
- Cursor changes to "not-allowed" for disabled fields

## API Changes

### Enhanced Response

The `/api/cases/[id]/forms` endpoint now returns additional access control information:

```json
{
  "forms": [
    {
      "formID": 123,
      "formName": "Example Form",
      "hasEditAccess": true,
      "accessReason": "user_assigned",
      "assignmentType": "users"
    }
  ]
}
```

### Access Control Fields

- `hasEditAccess`: Boolean indicating whether the user can edit the form
- `accessReason`: String explaining the access decision
- `assignmentType`: The type of assignment configured for the form

## Security Considerations

### Authentication Required

- All form access requires valid authentication
- User context is validated on every request

### Role-based Validation

- User roles are fetched from the database
- Role assignments are validated against the current user's roles

### Assignment Validation

- Direct task assignments are checked first
- Process definition assignments are validated
- Fallback to public access if no assignment is found

## Implementation Details

### Backend Changes

- Enhanced `/api/cases/[id]/forms` endpoint with access validation
- User role fetching and validation
- Assignment type checking logic

### Frontend Changes

- Readonly mode for forms without edit access
- Visual indicators for access status
- Disabled form submission for read-only forms
- Conditional logic disabled for read-only forms

### Form Behavior

- FormKit forms are disabled when the user lacks edit access
- All form inputs are set to readonly/disabled
- Submit buttons are disabled
- Conditional logic scripts are not executed

## Configuration

### Setting Up Form Assignments

1. **Open Process Builder** - Navigate to the process you want to configure
2. **Select Form Node** - Click on the form node in your process
3. **Configure Assignment** - In the form configuration modal:
   - Choose assignment type (Public, Users, Roles, or Variable)
   - Select specific users or roles as needed
   - Save the configuration

### Example Process Configuration

```json
{
  "nodes": [
    {
      "id": "form-1",
      "type": "form",
      "data": {
        "label": "Manager Approval Form",
        "formId": "123",
        "assignmentType": "roles",
        "assignedRoles": [
          {
            "value": "2",
            "label": "Manager"
          },
          {
            "value": "3",
            "label": "Supervisor"
          }
        ]
      }
    }
  ]
}
```

## Troubleshooting

### No Access to Forms

If a user can't edit forms:

1. **Check User Roles** - Verify the user has the correct roles assigned
2. **Check Form Assignment** - Ensure the form node has proper assignment configuration
3. **Check Process Status** - Process must be published and not deleted
4. **Check Assignment Type** - Verify the assignment type is configured correctly

### Debug Information

The API endpoint includes console logging for debugging:

```javascript
// User information
console.log('Current user ID:', currentUser.userID);
console.log('User roles:', userRoleNames);

// Assignment checks
console.log('Checking form access:', {...});
console.log('Access result:', accessCheck);
```

## Future Enhancements

- Variable-based assignment evaluation
- Time-based access control
- Conditional access based on form data
- Audit logging for access attempts
- Advanced permission inheritance
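The validation order from "Access Validation" and the four assignment types, written out as one decision function that yields the `hasEditAccess` / `accessReason` / `assignmentType` fields of the API response. This is an added illustration, not the project's own endpoint code; the field names `task.assignedUserID`, `user.email`, `user.username` and `user.roles` are assumptions, and the sample data is constructed from the page's "Manager Approval Form" configuration.

```javascript
// Added example, not the project's code: a stand-alone model of the access
// decision. task.assignedUserID, user.email/username/roles are assumed names.

// Returns the access-control fields the /api/cases/[id]/forms response carries.
function checkFormAccess(user, node, task = null) {
  const data = (node && node.data) || {};
  const type = data.assignmentType || null;
  const decide = (hasEditAccess, accessReason) =>
    ({ hasEditAccess, accessReason, assignmentType: type });

  // 1. Direct task assignment is checked first and grants edit access outright.
  if (task && task.assignedUserID != null &&
      String(task.assignedUserID) === String(user.userID)) {
    return decide(true, 'task_assigned');
  }
  // 2. Assignment configured on the form node in the process definition.
  switch (type) {
    case 'public':
      return decide(true, 'public');
    case 'users': {
      // User ID or login must appear in assignedUsers (value = ID, username = login).
      const ok = (data.assignedUsers || []).some((u) =>
        (u.value != null && String(u.value) === String(user.userID)) ||
        (u.username && (u.username === user.email || u.username === user.username)));
      return decide(ok, ok ? 'user_assigned' : 'user_not_assigned');
    }
    case 'roles': {
      // Role names fetched for the user must match an assignedRoles label.
      const names = new Set(user.roles || []);
      const ok = (data.assignedRoles || []).some((r) => names.has(r.label));
      return decide(ok, ok ? 'role_assigned' : 'role_not_assigned');
    }
    case 'variable':
      // Variable-based evaluation is not implemented yet; access is allowed for now.
      return decide(true, 'variable_not_evaluated');
    default:
      // 3. No assignment found: falls back to public access (a fail-open default).
      return decide(true, 'public_default');
  }
}

// Constructed sample data mirroring the page's "Manager Approval Form" node.
const managerNode = {
  id: 'form-1', type: 'form',
  data: { label: 'Manager Approval Form', formId: '123', assignmentType: 'roles',
    assignedRoles: [{ value: '2', label: 'Manager' }, { value: '3', label: 'Supervisor' }] },
};
const manager = { userID: 7, email: 'jane@example.com', roles: ['Manager'] };
const clerk = { userID: 9, email: 'john.doe@example.com', roles: ['Clerk'] };
```

Because the `default` branch grants access, a node whose `assignmentType` is missing or misspelled is treated as public; surfacing `public_default` in `accessReason` makes that case visible when reviewing the response.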