Commit 35f3d5e

refactor(registry): Disable user creation/deletion via data API
Updated the `ModelConfig` for the `user` model to mark `POST` (create) and `DELETE` operations as `RequiredPermissionType.unsupported`. This change enforces that user lifecycle management is handled exclusively by the authentication service, not the generic data endpoint. Added comments to clarify the update logic flow.
1 parent f2849ca commit 35f3d5e

File tree

1 file changed

+13
-18
lines changed


lib/src/registry/model_registry.dart

Lines changed: 13 additions & 18 deletions
@@ -281,33 +281,28 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
281281
requiresOwnershipCheck: true, // Must be the owner
282282
requiresAuthentication: true,
283283
),
284-
// Admins can create users via the data endpoint.
285-
// User creation via auth routes (e.g., sign-up) is separate.
284+
// User creation is handled exclusively by the authentication service
285+
// (e.g., during sign-up) and is not supported via the generic data API.
286286
postPermission: const ModelActionPermission(
287-
type: RequiredPermissionType.specificPermission,
288-
permission: Permissions.userCreate,
289-
requiresAuthentication: true,
287+
type: RequiredPermissionType.unsupported,
290288
),
291-
// An admin can update any user's roles.
292-
// A regular user can update specific fields on their own profile
293-
// (e.g., feedDecoratorStatus), which is handled by the updater logic
294-
// in DataOperationRegistry. The ownership check ensures they can only
295-
// access their own user object to begin with.
289+
// User updates are handled by a custom updater in DataOperationRegistry.
290+
// - Admins can update roles (`appRole`, `dashboardRole`).
291+
// - Users can update their own `feedDecoratorStatus` and `email`.
292+
// The `userUpdateOwned` permission, combined with the ownership check,
293+
// provides the entry point for both admins (who bypass ownership checks)
294+
// and users to target a user object for an update.
296295
putPermission: const ModelActionPermission(
297296
type: RequiredPermissionType.specificPermission,
298297
permission: Permissions.userUpdateOwned, // User can update their own
299298
requiresOwnershipCheck: true, // Must be the owner
300299
requiresAuthentication: true,
301300
),
302-
// An admin can delete any user.
303-
// A regular user can delete their own account.
304-
// The ownership check middleware is bypassed for admins, so this single
305-
// config works for both roles.
301+
// User deletion is handled exclusively by the authentication service
302+
// (e.g., via a dedicated "delete account" endpoint) and is not
303+
// supported via the generic data API.
306304
deletePermission: const ModelActionPermission(
307-
type: RequiredPermissionType.specificPermission,
308-
permission: Permissions.userDeleteOwned, // User can delete their own
309-
requiresOwnershipCheck: true, // Must be the owner
310-
requiresAuthentication: true,
305+
type: RequiredPermissionType.unsupported,
311306
),
312307
),
313308
'user_app_settings': ModelConfig<UserAppSettings>(
