corrad-software/corrad-bp
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
corrad-bp/docs/process-execution/ACCESS_CONTROL.md

5.8 KiB
Raw Blame History

Form Access Control

Overview

The form execution system now includes comprehensive access control that determines whether users can edit or only view forms based on their assignments and roles.

How It Works

Access Validation

When a user accesses a form in a process execution, the system checks:

  1. Direct Task Assignment: If the task is directly assigned to the current user
  2. Process Definition Assignment: If the form node in the process has specific user/role assignments
  3. Default Access: If no specific assignment is found, defaults to public access

Assignment Types

The system supports the following assignment types for forms:

1. Public Assignment (assignmentType: 'public')

  • Access: Anyone can edit the form
  • Behavior: Full edit access for all users

2. User Assignment (assignmentType: 'users')

  • Access: Only specific users can edit the form
  • Check: Current user ID or email must be in assignedUsers array
  • Example:
{
  "assignmentType": "users",
  "assignedUsers": [
    {
      "value": "123",
      "label": "John Doe (john.doe)",
      "username": "john.doe"
    }
  ]
}

3. Role Assignment (assignmentType: 'roles')

  • Access: Only users with specific roles can edit the form
  • Check: Current user's roles must match assignedRoles array
  • Example:
{
  "assignmentType": "roles",
  "assignedRoles": [
    {
      "value": "2",
      "label": "Manager"
    }
  ]
}

4. Variable Assignment (assignmentType: 'variable')

  • Access: Dynamic assignment based on process variables
  • Behavior: Currently allows access (future enhancement needed)

User Experience

Edit Access

Users with edit access see:

  • Green "Edit Access" badge
  • Fully functional form inputs
  • Submit buttons enabled
  • Conditional logic active

Read-only Access

Users without edit access see:

  • Yellow "Read-only Access" badge with warning icon
  • Disabled form inputs with gray styling
  • Submit buttons disabled
  • Clear explanation of why access is restricted
  • Form data is visible but not editable

Visual Indicators

Tab Navigation

  • Warning icon next to form names for read-only forms
  • Visual distinction between editable and read-only forms

Form Header

  • Access status badges (Edit Access / Read-only Access)
  • Detailed explanation for read-only access
  • Color-coded indicators (green for edit, yellow for read-only)

Form Fields

  • Disabled styling for read-only inputs
  • Reduced opacity for entire form when disabled
  • Cursor changes to "not-allowed" for disabled fields

API Changes

Enhanced Response

The /api/cases/[id]/forms endpoint now returns additional access control information:

{
  "forms": [
    {
      "formID": 123,
      "formName": "Example Form",
      "hasEditAccess": true,
      "accessReason": "user_assigned",
      "assignmentType": "users"
    }
  ]
}

Access Control Fields

  • hasEditAccess: Boolean indicating if user can edit the form
  • accessReason: String explaining the access decision
  • assignmentType: The type of assignment configured for the form

Security Considerations

Authentication Required

  • All form access requires valid authentication
  • User context is validated on every request

Role-based Validation

  • User roles are fetched from database
  • Role assignments are validated against current user's roles

Assignment Validation

  • Direct task assignments are checked first
  • Process definition assignments are validated
  • Fallback to public access if no assignment found

Implementation Details

Backend Changes

  • Enhanced /api/cases/[id]/forms endpoint with access validation
  • User role fetching and validation
  • Assignment type checking logic

Frontend Changes

  • Readonly mode for forms without edit access
  • Visual indicators for access status
  • Disabled form submission for read-only forms
  • Conditional logic disabled for read-only forms

Form Behavior

  • FormKit forms are disabled when user lacks edit access
  • All form inputs are set to readonly/disabled
  • Submit buttons are disabled
  • Conditional logic scripts are not executed

Configuration

Setting Up Form Assignments

  1. Open Process Builder - Navigate to the process you want to configure
  2. Select Form Node - Click on the form node in your process
  3. Configure Assignment - In the form configuration modal:
    • Choose assignment type (Public, Users, Roles, or Variable)
    • Select specific users or roles as needed
    • Save the configuration

Example Process Configuration

{
  "nodes": [
    {
      "id": "form-1",
      "type": "form",
      "data": {
        "label": "Manager Approval Form",
        "formId": "123",
        "assignmentType": "roles",
        "assignedRoles": [
          {
            "value": "2",
            "label": "Manager"
          },
          {
            "value": "3", 
            "label": "Supervisor"
          }
        ]
      }
    }
  ]
}

Troubleshooting

No Access to Forms

If a user can't edit forms:

  1. Check User Roles - Verify the user has the correct roles assigned
  2. Check Form Assignment - Ensure the form node has proper assignment configuration
  3. Check Process Status - Process must be published and not deleted
  4. Check Assignment Type - Verify the assignment type is configured correctly

Debug Information

The API endpoint includes console logging for debugging:

// User information
console.log('Current user ID:', currentUser.userID);
console.log('User roles:', userRoleNames);

// Assignment checks
console.log('Checking form access:', {...});
console.log('Access result:', accessCheck);

Future Enhancements

  • Variable-based assignment evaluation
  • Time-based access control
  • Conditional access based on form data
  • Audit logging for access attempts
  • Advanced permission inheritance