RoleGuardMiddleware
Component Detail
Description
Intercepts navigation and API requests to enforce role-based access boundaries across the mobile app and admin portal. It resolves the effective role of the current user, applies context-specific rules (e.g. Organisation Admin surfaces as Coordinator on mobile), and blocks or redirects requests that exceed the user's permitted access scope. Support access grants for Global Admins are validated for time-boundedness and audit-logged on each use.
role-guard-middleware
Sources & reasoning
Line 322 places the two mobile role profiles explicitly in Phase 1 / MVP scope. Lines 254-259 define all four roles with their access boundaries. RBAC is prerequisite to every other feature - without it, sessions have no access scope. Blueprint confirms MVP. Phase 1 = MVP by ordinal mapping.
- docs/source/likeperson.md · lines 254-256: 4 defined user roles: Peer Mentor (Likeperson): Creates and tracks activities and follow-ups. Logs in to the Mobile App only.
- docs/source/likeperson.md · line 322: 2 mobile role profiles: Peer Mentor, Coordinator (Organization Admins log in as Coordinator in the app context)
Responsibilities
- Resolve the effective role for the current session, applying mobile-specific role mapping rules
- Evaluate whether the requested screen or endpoint is permitted for the resolved role
- Redirect Global Admins to NoAccessScreen when mobile access is attempted
- Validate and enforce time-bounded support access grants for Global Admins on the admin portal
- Emit an audit log entry for every access decision involving elevated or support-grant permissions
Interfaces
evaluateAccess(userId: string, resource: string, context: AccessContext): AccessDecision
resolveEffectiveRole(userId: string, platform: Platform): UserRole
validateSupportGrant(grantId: string, orgId: string): SupportGrantValidity
logAccessEvent(event: AccessAuditEvent): void