Bufdir Role Guard
Component Detail
Infrastructure
low complexity
Shared Component
backend
Dependencies: 1
Dependents: 0
Entities: 3
Integrations: 0
Description
Infrastructure middleware enforcing that only Org Admin users can access Bufdir report generation endpoints and pages. Integrates with the platform Role Guard Service to check user_organization_roles before allowing any aggregation or export operation.
bufdir-role-guard
Sources & reasoning
Role restriction to Org Admin is explicitly required in the implementation notes and matches the platform-wide access boundary described in the source. Coordinators and Peer Mentors must never reach the Bufdir export surface.
No source references — this artifact was included based on reasoning alone (see above).
Responsibilities
- Block access to Bufdir report endpoints for non-Org-Admin roles
- Validate org membership and admin role in the same request
- Return standardized 403 response for unauthorized access attempts
- Log unauthorized access attempts to audit log
Interfaces
requireOrgAdmin(req: Request, res: Response, next: NextFunction): void
validateOrgMembership(userId: string, orgId: string): Promise<boolean>
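A sketch of the responsibilities and interfaces above, as an added example that is not the project's own code. It assumes minimal `Req`/`Res` stand-ins for the framework types and in-memory arrays in place of `user_organization_roles` and the audit log; `denialReason`, `checkAccess`, the role strings and the reason strings are hypothetical names.

```typescript
// Added example, not the project's code. Req/Res are minimal stand-ins for the
// framework types; role strings and reason strings are assumed values.
type Role = "org_admin" | "coordinator" | "peer_mentor";
interface RoleRow { userId: string; orgId: string; role: Role }
interface Req { user?: { id: string }; params: { orgId?: string }; path: string }
interface Res { status(code: number): Res; json(body: unknown): void }
interface AuditEntry { userId: string | null; orgId: string | null; path: string; reason: string }

// Constructed sample rows standing in for user_organization_roles.
const userOrganizationRoles: RoleRow[] = [
  { userId: "u-admin", orgId: "org-1", role: "org_admin" },
  { userId: "u-coord", orgId: "org-1", role: "coordinator" },
  { userId: "u-admin", orgId: "org-2", role: "peer_mentor" },
];
const auditLog: AuditEntry[] = [];

// Pure decision. Membership and role are read from the same (user, org) row, so
// being Org Admin in one organisation grants nothing in another. Returns null
// when access is allowed, otherwise the reason that goes to the audit log.
function denialReason(userId: string | undefined, orgId: string | undefined, rows: RoleRow[]): string | null {
  if (!userId) return "unauthenticated";
  if (!orgId) return "missing_org";
  const row = rows.find(r => r.userId === userId && r.orgId === orgId);
  if (!row) return "not_a_member";
  return row.role === "org_admin" ? null : "role_not_org_admin";
}

async function validateOrgMembership(userId: string, orgId: string): Promise<boolean> {
  return userOrganizationRoles.some(r => r.userId === userId && r.orgId === orgId);
}

// Hypothetical async wrapper standing in for the Role Guard Service call.
async function checkAccess(req: Req): Promise<string | null> {
  return denialReason(req.user?.id, req.params.orgId, userOrganizationRoles);
}

function requireOrgAdmin(req: Req, res: Res, next: () => void): void {
  checkAccess(req)
    .catch((): string | null => "role_lookup_failed") // fail closed if the lookup errors
    .then(reason => {
      if (reason === null) { next(); return; }
      auditLog.push({ userId: req.user?.id ?? null, orgId: req.params.orgId ?? null, path: req.path, reason });
      // One body for every denial: the caller cannot tell "not a member" from "wrong role".
      res.status(403).json({ error: "forbidden" });
    });
}
```

The detailed reason is written only to the audit log; the 403 body stays identical for every denial.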
Relationships
Related Data Entities (3)
Data entities managed by this component