girikuncoro/cageur

Prohibit clinic permission to access other clinic data

Closed this issue · 3 comments

Some other TODOs as follow-up from #90:

  • Right now the clinic group can access all clinic data (not only its own data but also other clinics' data)
  • All tests are broken since we added auth
  • Must add some hardcoded "super ultra admin" (input to db manually or through ENV) to generate user data (this user data requires 'superadmin' level permission)
  • Line webhook must have superadmin permission

Clinic level permission that has to be protected:

  • patient
  • patient disease group
  • message send
  • message sent
  • message schedule
  • message analytics

cc @tororudy
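The first TODO above (a clinic role must only reach its own clinic's rows, while a superadmin may reach any clinic) is the kind of check that is easy to get wrong when it is left to each route handler. The following is an added example, not code from the cageur repository: a framework-agnostic authorization function plus an Express-style `(req, res, next)` middleware built on it. It assumes an authenticated `req.user` of the shape `{ id, role, clinicId }` with roles `'superadmin'` and `'clinic'`, and uses hypothetical resource names for the clinic-level resources listed in the issue.

```javascript
// Added example (not from the cageur repo): clinic-scoped authorization.
// Assumption: req.user = { id, role, clinicId } is set by the existing auth middleware.
const ROLES = Object.freeze({ SUPERADMIN: 'superadmin', CLINIC: 'clinic' });

// Resources from the issue that must be scoped to the caller's clinic (hypothetical identifiers).
const CLINIC_SCOPED_RESOURCES = new Set([
  'patient', 'patient_disease_group', 'message_send', 'message_sent',
  'message_schedule', 'message_analytics',
]);

// Pure decision function: returns { allowed, reason } so it can be unit-tested without HTTP.
function authorizeClinicAccess(user, resource, targetClinicId) {
  if (!user || !user.role) return { allowed: false, reason: 'unauthenticated' };
  if (!CLINIC_SCOPED_RESOURCES.has(resource)) return { allowed: false, reason: 'unknown resource' };
  if (user.role === ROLES.SUPERADMIN) return { allowed: true, reason: 'superadmin' };
  if (user.role === ROLES.CLINIC) {
    if (targetClinicId === undefined || targetClinicId === null) {
      return { allowed: false, reason: 'clinic id required' };
    }
    // Compare as strings: route params arrive as strings, DB ids as numbers.
    if (String(user.clinicId) === String(targetClinicId)) return { allowed: true, reason: 'own clinic' };
    return { allowed: false, reason: 'cross-clinic access denied' };
  }
  return { allowed: false, reason: 'unknown role' };
}

// Express-style middleware factory; no framework import needed to run stand-alone.
function requireClinicScope(resource) {
  return function (req, res, next) {
    const target = (req.params && req.params.clinicId)
      || (req.query && req.query.clinicId)
      || (req.body && req.body.clinicId);
    const decision = authorizeClinicAccess(req.user, resource, target);
    if (!decision.allowed) {
      const status = req.user ? 403 : 401;
      return res.status(status).json({ error: decision.reason });
    }
    // Hand the handler a clinic id it must filter on, derived from the token for clinic
    // users, so a handler cannot forget the WHERE clinic_id = ? filter or trust request input.
    req.scopedClinicId = req.user.role === ROLES.SUPERADMIN ? target : req.user.clinicId;
    next();
  };
}

// Constructed minimal req/res harness so the middleware can be exercised without a server.
function runMiddleware(resource, req) {
  const out = { status: 200, body: null, nextCalled: false, scopedClinicId: undefined };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  requireClinicScope(resource)(req, res, () => { out.nextCalled = true; });
  out.scopedClinicId = req.scopedClinicId;
  return out;
}
```

The middleware deliberately sets `req.scopedClinicId` from the authenticated user rather than from the URL for clinic users; handlers should filter every query on that value, which turns the per-route "did I remember the clinic filter?" problem into a single enforced check.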

  1. Oh, I forgot to add role auth.
    It should be like this: a clinic can only see his/her own data.

  2. For this point, we can use the role data from the DB, Giri.

For line webhook auth:

Signature validation

The signature in the X-Line-Signature request header must be verified to confirm that the request was sent from the LINE Platform.

Authentication is performed as follows.

With the Channel secret as the secret key, your application retrieves the digest value in the request body created using the HMAC-SHA256 algorithm.
The server confirms that the signature in the request header matches the digest value which is Base64 encoded.

https://devdocs.line.me/en/#webhooks

The broken tests are addressed in #106.