# Authorization

## Overview

Authorization is ownership-based with a persisted app role on each user. The default role is USER. ADMIN exists for operational actions only and does not bypass normal ownership checks for events, gigs, applications, collections, or conversations.
| Resource | Action | Allowed |
|---|---|---|
| Event/Gig | Create | Any authenticated user |
| Event/Gig | Read | Any authenticated user |
| Event/Gig | Update | Creator only |
| Event/Gig | Delete | Creator only |
| Application | Create (apply) | Any authenticated user (not the gig owner) |
| Application | Read (list) | Gig owner sees all; applicant sees their own |
| Application | Update status | Gig owner only |
| Collection | Create | Any authenticated user |
| Collection | Read | Owner always; others only if visibility is PUBLIC |
| Collection | Update | Owner only |
| Collection | Delete | Owner only |
| Conversation | All | Owner only |
| External ingestion sync | Trigger manual sync | ADMIN only |
## Scenarios

### S-AUTHZ-1: Owner updates their event

GIVEN user A created event E
WHEN user A sends PATCH /events/E
THEN the event is updated

### S-AUTHZ-2: Non-owner cannot update event

GIVEN user A created event E
WHEN user B sends PATCH /events/E
THEN the API responds with 403 Forbidden

### S-AUTHZ-3: Non-owner cannot delete event

GIVEN user A created event E
WHEN user B sends DELETE /events/E
THEN the API responds with 403 Forbidden

### S-AUTHZ-4: Gig owner cannot apply to own gig

GIVEN user A created gig G
WHEN user A sends POST /gigs/G/applications
THEN the API responds with 403 Forbidden

### S-AUTHZ-5: Gig owner views all applications

GIVEN user A created gig G with 3 applications
WHEN user A sends GET /gigs/G/applications
THEN the response contains all 3 applications

### S-AUTHZ-6: Non-owner cannot view gig applications

GIVEN user A created gig G
WHEN user B (not an applicant) sends GET /gigs/G/applications
THEN the API responds with 403 Forbidden

### S-AUTHZ-7: Applicant views own application

GIVEN user B applied to gig G owned by user A
WHEN user B sends GET /gigs/G/applications
THEN the response contains only user B's application

### S-AUTHZ-8: Only gig owner updates application status

GIVEN user A created gig G
AND user B applied to gig G
WHEN user B sends PATCH /gigs/G/applications/app1
THEN the API responds with 403 Forbidden

### S-AUTHZ-9: Public collection visible to others

GIVEN user A has a collection with visibility PUBLIC
WHEN user B sends GET /collections/:id
THEN the response contains the collection and its items

### S-AUTHZ-10: Private collection hidden from others

GIVEN user A has a collection with visibility PRIVATE
WHEN user B sends GET /collections/:id
THEN the API responds with 404 Not Found

### S-AUTHZ-11: Non-admin cannot trigger manual external sync

GIVEN user A is authenticated with role USER
WHEN user A sends POST /admin/external-ingestion/sync
THEN the API responds with 403 Forbidden

### S-AUTHZ-12: Admin can trigger manual external sync

GIVEN user A is authenticated with role ADMIN
WHEN user A sends POST /admin/external-ingestion/sync
THEN the API responds with 200 OK
AND the external sync service is invoked
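The permission table and the scenarios above, expressed as one policy module. This is an added illustration, not the project's own code; the type and function names (`canModify`, `visibleApplications`, `canReadCollection`, `canTriggerSync`) are hypothetical, and the decisions carry the HTTP status each scenario expects so that the 403-versus-404 distinction for private collections is explicit.

```typescript
// Added example: ownership-based policy modelled on the table above.
// All names here are hypothetical, not the project's own code.
type Role = "USER" | "ADMIN";
interface User { id: string; role: Role; }
interface Owned { ownerId: string; }
interface Gig extends Owned { applications: { id: string; applicantId: string }[]; }
interface Collection extends Owned { visibility: "PUBLIC" | "PRIVATE"; }

// Decisions carry the status the scenarios expect: 200, 403 or 404.
type Decision = { status: 200 | 403 | 404; reason: string };
const allow = (reason = "ok"): Decision => ({ status: 200, reason });
const forbid = (reason: string): Decision => ({ status: 403, reason });

// Update/delete of events, gigs, collections, conversations, and status changes
// on a gig's applications: ownership is the only grant. The role is never
// consulted, so an ADMIN editing another user's event gets 403 like anyone else.
function canModify(actor: User, resource: Owned): Decision {
  return actor.id === resource.ownerId ? allow() : forbid("not the owner");
}

// Any authenticated user may apply, except the gig's own owner (S-AUTHZ-4).
function canApply(actor: User, gig: Gig): Decision {
  return actor.id === gig.ownerId ? forbid("owner cannot apply to own gig") : allow();
}

// Listing applications (S-AUTHZ-5..7): the owner sees every row, an applicant
// sees only their own rows, and anyone else is refused outright with 403.
function visibleApplications(actor: User, gig: Gig): Decision & { items: Gig["applications"] } {
  if (actor.id === gig.ownerId) return { ...allow(), items: gig.applications };
  const own = gig.applications.filter((a) => a.applicantId === actor.id);
  return own.length > 0
    ? { ...allow(), items: own }
    : { ...forbid("not owner or applicant"), items: [] };
}

// Collections (S-AUTHZ-9/10): a private collection answers 404, not 403, so a
// non-owner cannot tell whether the requested id exists at all.
function canReadCollection(actor: User, col: Collection): Decision {
  if (actor.id === col.ownerId || col.visibility === "PUBLIC") return allow();
  return { status: 404, reason: "not found" };
}

// The only place the persisted role matters: operational admin actions
// such as the manual external sync trigger (S-AUTHZ-11/12).
function canTriggerSync(actor: User): Decision {
  return actor.role === "ADMIN" ? allow() : forbid("admin only");
}
```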
## Test Cases

See test-cases/auth/authorization.md for the full test case registry (TC-AUTHZ-001 through TC-AUTHZ-014), covering ownership checks across events, applications, collections, conversations, and the admin-only external sync trigger.