User Permissions Reference
This document details the available permissions in the system and the actions they control.
The system uses Role-Based Access Control (RBAC) enforced via the @Permissions() decorator.
Permissions List
| Permission Constant | Description | Key Modules/Endpoints |
|---|---|---|
| MANAGE_USERS | Full control over user accounts (non-admin). | UsersController, Auth |
| MANAGE_DEVICES | Create, update, delete devices and their configurations. | devices, device-config |
| MANAGE_CONTENT | Manage synagogue content (Shiurim, Messages, Halachic Times). | Shior, GeneralMessage, Zmanim |
| MANAGE_ALERTS | Configure alert rules and monitor alerts. | AlertRules |
| MANAGE_REMOTE_CONTROL | Send remote commands to Android TV devices (Reset, Screen Off). | RemoteControl |
| MANAGE_REPORTS | Generate and download system reports. | Reports |
| MANAGE_NOTIFICATIONS | Configure notification preferences and scheduling. | Notifications |
| MANAGE_WHATSAPP | Connect WhatsApp sessions, send messages, manage templates. | WhatsappController |
| MANAGE_EMAIL_CONFIG | Configure SMTP settings. | EmailConfig |
| MANAGE_SMS_CONFIG | Configure SMS provider settings. | SmsConfig |
| MANAGE_SYSTEM | High-level system ops: Backups, Logs, Updates. | SystemController |
| SYSTEM_CONFIG_READ | Read-only access to system configuration. | SystemController (GET) |
| SYSTEM_CONFIG_WRITE | Modify system configuration entries. | SystemController (PUT) |
| VIEW_DASHBOARD | Access the main dashboard statistics. | Dashboard |
| VIEW_ANALYTICS | Access detailed analytics modules. | Analytics |
| VIEW_SYSTEM_HEALTH | Monitor system health status. | Health |
| VIEW_SYSTEM_METRICS | View low-level metrics (CPU/RAM). | Telemetry |
Usage in Code
To protect a controller or a specific endpoint, use the @Permissions decorator:
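```typescript
// Controller, Get, Permissions and Permission are imported as elsewhere in
// the project (import lines are not shown in this document).

// Protect entire controller: every route in it requires MANAGE_DEVICES
@Controller('devices')
@Permissions(Permission.MANAGE_DEVICES)
export class DevicesController {}

// Protect specific method (this fragment sits inside a controller class)
@Get('backup')
@Permissions(Permission.MANAGE_SYSTEM)
createBackup() {}
```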
Admin Bypass
Users with isAdmin: true or role: 'Admin' automatically bypass all permission checks. The exception is any restriction handled explicitly within the service logic (like Tenant isolation for impersonation), which still applies to them.
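
The decision described above, modelled as plain TypeScript together with an access-review helper that lists who can effectively use a permission once the bypass is counted. This is an added example, not the project's guard code: the `User` shape, the exact-match comparison for the admin markers, the rule that a route needs every listed permission, and the sample users are all assumptions.

```typescript
// Added example. Assumptions: the User shape, exact string comparison for the
// admin markers, and "all listed permissions required" for multi-permission routes.
type Permission = string;
interface User { name: string; isAdmin?: boolean; role?: string; permissions: Permission[] }
type Reason = 'admin-bypass' | 'granted' | 'missing';
interface Decision { allowed: boolean; reason: Reason; missing: Permission[] }

// The two admin markers the page names: isAdmin: true or role: 'Admin'.
function isAdminUser(user: User): boolean {
  return user.isAdmin === true || user.role === 'Admin';
}

// Decide one request: admins short-circuit, everyone else needs every permission.
function checkPermissions(user: User, required: Permission[]): Decision {
  if (isAdminUser(user)) return { allowed: true, reason: 'admin-bypass', missing: [] };
  const held = new Set(user.permissions);
  const missing = required.filter((p) => !held.has(p));
  const allowed = missing.length === 0;
  return { allowed, reason: allowed ? 'granted' : 'missing', missing };
}

// Access review: who can effectively use a permission, and by which path.
// Querying stored permission lists alone would miss the admin-bypass rows.
function effectiveHolders(users: User[], permission: Permission): { name: string; via: Reason }[] {
  return users
    .map((u) => ({ name: u.name, via: checkPermissions(u, [permission]).reason }))
    .filter((row) => row.via !== 'missing');
}

// Constructed sample users (not from the project).
const sampleUsers: User[] = [
  { name: 'editor', permissions: ['MANAGE_CONTENT', 'VIEW_DASHBOARD'] },
  { name: 'tech', permissions: ['MANAGE_DEVICES', 'MANAGE_REMOTE_CONTROL'] },
  { name: 'owner', isAdmin: true, permissions: [] },
  { name: 'legacy', role: 'Admin', permissions: ['VIEW_DASHBOARD'] },
  { name: 'lookalike', role: 'admin', permissions: [] }, // wrong case: no bypass here
];

console.log(effectiveHolders(sampleUsers, 'MANAGE_REMOTE_CONTROL'));
```

When reviewing who holds a sensitive permission such as MANAGE_REMOTE_CONTROL or MANAGE_SYSTEM, count the `admin-bypass` rows as well as the explicit grants.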