Implemented Incident Management API with RBAC and Attachment Support #237
Arshdeep225615024 wants to merge 11 commits into main from
Conversation
uppalkrish left a comment:
Please add Swagger documentation for your APIs.

Added Swagger docs.

Also share a screenshot.
LoopyB left a comment:
Nice work on this - the incident flow, RBAC integration, and Swagger all look solid.
Just a couple of things to tighten before merge:
- In `updateIncident`, it looks like guards can update fields like `severity` and `status`, and employers aren't scoped to their own shifts here.
- In `uploadAttachment`, I couldn't see an ownership / employer check — so it might allow uploads to incidents outside the user's scope.
Once those are tightened, this should be good to go 👍
```js
};

// UPDATE INCIDENT
export const updateIncident = async (req, res, next) => {
```
This needs tighter field-level and role-level checks.
Right now guards appear able to update severity and status on their own incidents because both fields are included in allowedFields, and employers do not seem to be scoped here to incidents belonging to shifts they created.
Could we restrict:
- guards to their own incident + limited fields (for example description only), and
- employers to incidents on their own shifts before allowing update?
```js
};

// UPLOAD ATTACHMENT
export const uploadAttachment = async (req, res, next) => {
```
Can we add the same ownership / employer-scope checks here as well?
At the moment this checks that the incident exists, but I’m not seeing a guard ownership check or an employer “owns the related shift” check before the attachment is added. Since the route only requires incident:update, this looks like it could allow cross-incident uploads if someone has a valid incident ID.
@Arshdeep225615024 when can you fix this?

I will finish this by tomorrow.

I have made the required changes, can you please check once?
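The two review comments above ask for the same thing in two places: a guard may only touch their own incident and only a limited set of fields, an employer may only touch incidents on shifts they created, and exactly the same scope rule must gate attachment uploads, since a valid incident ID alone is not an authorization. The block below is an added example of that check, not code from this PR or from the SecureShift project. It is written as pure functions over plain objects so it runs without Express or Mongoose, and the schema field names it uses (`user.id`, `user.role`, `incident.reportedBy`, `incident.shiftId`, `shift.createdBy`) are assumptions, as is the per-role field list.

```javascript
// Added example (not the project's code): role- and ownership-scoped checks for
// updateIncident and uploadAttachment, shared through one canAccessIncident().
// Field names (user.id, user.role, incident.reportedBy, incident.shiftId,
// shift.createdBy) are assumed, not SecureShift's real schema.

// Fields each role may change. Guards get a deliberately short list so they
// cannot downgrade severity or close their own reports.
const ROLE_EDITABLE_FIELDS = Object.freeze({
  guard: ['description'],
  employer: ['description', 'severity', 'status'],
  admin: ['description', 'severity', 'status', 'location'],
});

// Mongoose ObjectIds and plain strings must compare by value, so normalise both.
const sameId = (a, b) => a != null && b != null && String(a) === String(b);

// Ownership / employer-scope rule shared by update and attachment upload.
// `shift` is the incident's shift as loaded by the caller (undefined if the
// lookup failed); employers must own that shift, guards must have reported it.
function canAccessIncident(user, incident, shift) {
  if (!incident || incident.isDeleted) return false; // soft-deleted incidents are invisible
  switch (user.role) {
    case 'admin':
      return true;
    case 'guard':
      return sameId(incident.reportedBy, user.id);
    case 'employer':
      return shift !== undefined
        && sameId(shift._id, incident.shiftId) // the loaded shift really is this incident's shift
        && sameId(shift.createdBy, user.id);   // and the caller created it
    default:
      return false;
  }
}

// Decides whether `user` may apply `body` to `incident`. Returns
// { ok: true, update } with only permitted fields, or { ok: false, status, reason }.
// Disallowed fields are rejected rather than silently dropped so that attempts
// to escalate (e.g. a guard sending status) are visible in the request log.
function authorizeIncidentUpdate(user, incident, shift, body) {
  if (!canAccessIncident(user, incident, shift)) {
    return { ok: false, status: 403, reason: "incident is outside the caller's scope" };
  }
  const allowed = ROLE_EDITABLE_FIELDS[user.role] || [];
  const rejected = Object.keys(body).filter((f) => !allowed.includes(f));
  if (rejected.length > 0) {
    return { ok: false, status: 403, reason: `role ${user.role} may not set: ${rejected.join(', ')}` };
  }
  const update = {};
  for (const f of allowed) if (f in body) update[f] = body[f];
  return { ok: true, update };
}

// Same scope rule for attachments: a valid incident ID is not enough on its own.
function authorizeAttachmentUpload(user, incident, shift) {
  if (!canAccessIncident(user, incident, shift)) {
    return { ok: false, status: 403, reason: "cannot attach to an incident outside the caller's scope" };
  }
  return { ok: true };
}

// Constructed sample data for a stand-alone run.
const SAMPLE = {
  shift: { _id: 's1', createdBy: 'e1' },
  incident: { _id: 'i1', reportedBy: 'g1', shiftId: 's1', isDeleted: false, severity: 'low', status: 'open' },
  users: {
    reportingGuard: { id: 'g1', role: 'guard' },
    otherGuard: { id: 'g2', role: 'guard' },
    shiftOwner: { id: 'e1', role: 'employer' },
    otherEmployer: { id: 'e2', role: 'employer' },
    admin: { id: 'a1', role: 'admin' },
  },
};

// Runs the cases raised in the review against the sample data, keyed by name.
function runScenarios() {
  const { shift, incident, users: u } = SAMPLE;
  return {
    guardEditsOwnDescription: authorizeIncidentUpdate(u.reportingGuard, incident, shift, { description: 'updated' }),
    guardClosesOwnIncident: authorizeIncidentUpdate(u.reportingGuard, incident, shift, { status: 'closed' }),
    otherGuardEdits: authorizeIncidentUpdate(u.otherGuard, incident, shift, { description: 'x' }),
    shiftOwnerEscalates: authorizeIncidentUpdate(u.shiftOwner, incident, shift, { severity: 'high' }),
    otherEmployerEscalates: authorizeIncidentUpdate(u.otherEmployer, incident, shift, { severity: 'high' }),
    adminEdits: authorizeIncidentUpdate(u.admin, incident, shift, { status: 'closed', location: 'gate 2' }),
    otherGuardUploads: authorizeAttachmentUpload(u.otherGuard, incident, shift),
    shiftOwnerUploads: authorizeAttachmentUpload(u.shiftOwner, incident, shift),
    uploadToDeleted: authorizeAttachmentUpload(u.admin, { ...incident, isDeleted: true }, shift),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(runScenarios())) {
    console.log(name.padEnd(26), result.ok ? 'allowed' : `denied (${result.status}: ${result.reason})`);
  }
}
```

In a real handler the controller would load the incident and (for employers) its shift, call `authorizeIncidentUpdate` before building the Mongoose update, and pass only the returned `update` object to the database; `authorizeAttachmentUpload` sits in front of the Multer-handled write in the same way. Keeping both routes on one `canAccessIncident` means the scope rule cannot drift between update and upload, which is exactly the gap the review pointed out.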
Overview:
Implemented the Incident Management module for the SecureShift project, enabling guards to report incidents, employers to view them, and admins to manage them with role-based access control.
Features Implemented:
Role-Based Access Control:
Technical Details:
- Implemented RESTful APIs using Express.js
- Used MongoDB with Mongoose for data modeling
- Integrated JWT-based authentication
- Applied RBAC using permission-based middleware (`authorizePermissions`)
- Handled file uploads with Multer and local storage
- Implemented soft delete using an `isDeleted` flag
Testing:
Tested all endpoints using Postman:
- Guard workflow (apply → accept → create incident)
- Employer workflow (create shift → approve guard → view incidents)
- Admin permissions (update/delete)
- Verified attachment upload and download functionality