# Authorization

## Overview

Authorization is ownership-based: there are no admin roles, and a user may only modify resources they own. Every check compares the authenticated user's id with the owner recorded on the resource (the creator of an event or gig, the owner of a collection or conversation, the recipient of a notification); there is no separate permission table to consult. The one cross-owner write is a gig owner updating the status of applications to that gig, which the applicant cannot do. Events and gigs follow the same rules. A failed check returns 403 Forbidden, except for reads of a private collection, where a non-owner gets 404 Not Found so that the response does not reveal whether the id exists.
| Resource | Action | Allowed |
|---|---|---|
| Event/Gig | Create | Any authenticated user |
| Event/Gig | Read | Any authenticated user |
| Event/Gig | Update | Creator only |
| Event/Gig | Delete | Creator only |
| Application | Create (apply) | Any authenticated user (not the gig owner) |
| Application | Read (list) | Gig owner sees all; applicant sees their own |
| Application | Update status | Gig owner only |
| Collection | Create | Any authenticated user |
| Collection | Read | Owner always; others only if visibility is PUBLIC |
| Collection | Update | Owner only |
| Collection | Delete | Owner only |
| Conversation | All | Owner only |
| Notification | Read/update | Recipient only |
## Scenarios

### S-AUTHZ-1: Owner updates their event

```gherkin
GIVEN user A created event E
WHEN user A sends PATCH /events/E
THEN the event is updated
```

### S-AUTHZ-2: Non-owner cannot update event

```gherkin
GIVEN user A created event E
WHEN user B sends PATCH /events/E
THEN the API responds with 403 Forbidden
```

### S-AUTHZ-3: Non-owner cannot delete event

```gherkin
GIVEN user A created event E
WHEN user B sends DELETE /events/E
THEN the API responds with 403 Forbidden
```

### S-AUTHZ-4: Gig owner cannot apply to own gig

```gherkin
GIVEN user A created gig G
WHEN user A sends POST /gigs/G/applications
THEN the API responds with 403 Forbidden
```

### S-AUTHZ-5: Gig owner views all applications

```gherkin
GIVEN user A created gig G with 3 applications
WHEN user A sends GET /gigs/G/applications
THEN the response contains all 3 applications
```

### S-AUTHZ-6: Non-owner cannot view gig applications

```gherkin
GIVEN user A created gig G
WHEN user B (not an applicant) sends GET /gigs/G/applications
THEN the API responds with 403 Forbidden
```

### S-AUTHZ-7: Applicant views own application

```gherkin
GIVEN user B applied to gig G owned by user A
WHEN user B sends GET /gigs/G/applications
THEN the response contains only user B's application
```

### S-AUTHZ-8: Only gig owner updates application status

```gherkin
GIVEN user A created gig G
AND user B applied to gig G
WHEN user B sends PATCH /gigs/G/applications/app1
THEN the API responds with 403 Forbidden
```

### S-AUTHZ-9: Public collection visible to others

```gherkin
GIVEN user A has a collection with visibility PUBLIC
WHEN user B sends GET /collections/:id
THEN the response contains the collection and its items
```

### S-AUTHZ-10: Private collection hidden from others

```gherkin
GIVEN user A has a collection with visibility PRIVATE
WHEN user B sends GET /collections/:id
THEN the API responds with 404 Not Found
```
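The following is an added example, not the project's own code, of a policy layer that implements the rules in the authorization table and exercises the S-AUTHZ scenarios. The entity shapes, the in-memory `Map` stores, the `AuthzError` class and the sample users (alice owns gig G, bob and dave have applied, carol has not) are assumptions made for this illustration; a real handler would load the row from its database and map `AuthzError.status` onto the HTTP response.

```typescript
// Added example (not the project's code): ownership-based authorization for
// gigs, applications and collections. Types, stores and sample data are assumed.
type UserId = string;
type Visibility = "PUBLIC" | "PRIVATE";
type ApplicationStatus = "PENDING" | "ACCEPTED" | "REJECTED";

interface Gig { id: string; creatorId: UserId; title: string }
interface Application { id: string; gigId: string; applicantId: UserId; status: ApplicationStatus }
interface Collection { id: string; ownerId: UserId; visibility: Visibility; items: string[] }

// Carries the HTTP status the handler should answer with (403 or 404).
class AuthzError extends Error {
  readonly status: 403 | 404;
  constructor(status: 403 | 404, message: string) {
    super(message);
    this.status = status;
    Object.setPrototypeOf(this, AuthzError.prototype); // keeps instanceof working under ES5 targets
  }
}

// Constructed sample state (assumption): alice owns gig G; bob and dave applied; carol did not.
const gigs = new Map<string, Gig>([["G", { id: "G", creatorId: "alice", title: "Bass player needed" }]]);
const applications = new Map<string, Application>([
  ["app1", { id: "app1", gigId: "G", applicantId: "bob", status: "PENDING" }],
  ["app2", { id: "app2", gigId: "G", applicantId: "dave", status: "PENDING" }],
]);
const collections = new Map<string, Collection>([
  ["C-pub", { id: "C-pub", ownerId: "alice", visibility: "PUBLIC", items: ["G"] }],
  ["C-priv", { id: "C-priv", ownerId: "alice", visibility: "PRIVATE", items: [] }],
]);

function loadGig(gigId: string): Gig {
  const gig = gigs.get(gigId);
  if (!gig) throw new AuthzError(404, "gig not found");
  return gig;
}

// PATCH /events/:id (and DELETE): creator only (S-AUTHZ-1..3).
// Only whitelisted fields are merged so a caller cannot PATCH creatorId.
function updateGig(actor: UserId, gigId: string, patch: { title?: string }): Gig {
  const gig = loadGig(gigId);
  if (gig.creatorId !== actor) throw new AuthzError(403, "only the creator may modify this gig");
  if (patch.title !== undefined) gig.title = patch.title;
  return gig;
}

// POST /gigs/:id/applications: any authenticated user except the owner (S-AUTHZ-4).
function applyToGig(actor: UserId, gigId: string): Application {
  const gig = loadGig(gigId);
  if (gig.creatorId === actor) throw new AuthzError(403, "cannot apply to your own gig");
  const app: Application = { id: `app-${applications.size + 1}`, gigId, applicantId: actor, status: "PENDING" };
  applications.set(app.id, app);
  return app;
}

// GET /gigs/:id/applications: owner sees all, applicant sees own, anyone else 403 (S-AUTHZ-5..7).
function listApplications(actor: UserId, gigId: string): Application[] {
  const gig = loadGig(gigId);
  const all = Array.from(applications.values()).filter((a) => a.gigId === gigId);
  if (gig.creatorId === actor) return all;
  const mine = all.filter((a) => a.applicantId === actor);
  if (mine.length === 0) throw new AuthzError(403, "not the gig owner or an applicant");
  return mine;
}

// PATCH /gigs/:gigId/applications/:appId: gig owner only (S-AUTHZ-8). Ownership is checked
// against the gig the application actually belongs to, and the URL's gigId must match it,
// so the owner of one gig cannot update an application to another gig by mixing identifiers.
function updateApplicationStatus(actor: UserId, gigId: string, appId: string, status: ApplicationStatus): Application {
  const app = applications.get(appId);
  if (!app || app.gigId !== gigId) throw new AuthzError(404, "application not found");
  const gig = loadGig(app.gigId);
  if (gig.creatorId !== actor) throw new AuthzError(403, "only the gig owner may update application status");
  app.status = status;
  return app;
}

// GET /collections/:id: owner always; others only when PUBLIC (S-AUTHZ-9, 10). A private
// collection answers 404 exactly like a nonexistent id, so non-owners cannot probe for ids.
function getCollection(actor: UserId, collectionId: string): Collection {
  const col = collections.get(collectionId);
  if (!col || (col.ownerId !== actor && col.visibility !== "PUBLIC")) {
    throw new AuthzError(404, "collection not found");
  }
  return col;
}

// Runs an action and returns the HTTP status a handler would produce for it.
function statusOf(action: () => unknown): number {
  try {
    action();
    return 200;
  } catch (e) {
    if (e instanceof AuthzError) return e.status;
    throw e;
  }
}
```

Each handler loads the resource first and derives the owner from the stored row rather than trusting anything in the request body or URL; that is what keeps the "Owner only" rows of the table from being bypassed by a client that supplies a different `creatorId`. `statusOf` is only a convenience for driving the scenarios from a script.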