Skip to content

Commit 6e43ef5

Browse files
jbousejbouse
committed
feat: add notes for Contact PII Access Control and proposed approach for permissions
1 parent 0f01e66 commit 6e43ef5

1 file changed

Lines changed: 41 additions & 0 deletions

File tree

NOTES.md

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# Notes: Contact PII Access Control
2+
3+
Context: Email and cellphone are sensitive PII. We want controlled access to view and edit these fields without breaking existing workflows.
4+
5+
Proposed approach:
6+
7+
1) Separate permissions for view vs edit
8+
- `canViewContactInfo`: can read email/cellphone
9+
- `canEditContactInfo`: can modify email/cellphone
10+
- Invariant: `canEditContactInfo` should imply `canViewContactInfo` to avoid a confusing UX.
11+
12+
2) UI behavior
13+
- If `!canViewContactInfo`: render a "Restricted" placeholder or masked value instead of the actual data.
14+
- If `!canEditContactInfo` but `canViewContactInfo`: render read-only or disabled inputs.
15+
- Avoid the combo `!canViewContactInfo && canEditContactInfo`. If required, use an explicit "Replace" workflow with empty inputs.
16+
17+
3) Update flow (client)
18+
- When user lacks edit access, omit `email` and `cellphone` from update payloads.
19+
- Prefer PATCH with only changed fields to avoid overwriting protected data.
20+
21+
4) Server enforcement
22+
- Server must be the source of truth for both view and edit.
23+
- If user lacks view access, server should return null/omitted fields.
24+
- If user lacks edit access, server should ignore or reject updates for those fields.
25+
26+
5) Feature flags
27+
- Use LaunchDarkly flags only for rollout/visibility, not for security.
28+
- Keep permissions authoritative; flags can enable UI changes gradually.
29+
30+
Server Team Checklist (for acceptance criteria)
31+
- Define permissions/roles that map to `canViewContactInfo` and `canEditContactInfo`.
32+
- Response shaping: omit or null `email`/`cellphone` when view is denied.
33+
- Update behavior: reject or ignore `email`/`cellphone` updates when edit is denied.
34+
- Partial update support: prefer PATCH semantics to avoid overwriting fields unintentionally.
35+
- Audit logging: record access to PII fields (read and write) if required by policy.
36+
- Error semantics: define consistent error codes/messages for denied edits.
37+
- Tests: ensure no privilege escalation by crafted requests.
38+
39+
Deferred:
40+
- Actual implementation changes to `ContactInfoField` and update handlers.
41+
- API adjustments for field-level permissions and response filtering.

0 commit comments

Comments
 (0)