
@rchlfryn
Collaborator

@rchlfryn rchlfryn commented Jan 27, 2026

Description

As mentioned, we want to give a provider manager permission to:

  • read any user with a providers relationship
  • edit/delete that is not associated with an avy center

Related Issues

Resolves #834

Key Changes

Changed permissions for provider managers on users collection and added beforeChange and beforeDelete hooks

How to test

  • Log in as provider manager
  • Navigate to users
  • Select user with checkmark
  • See options to Edit and Delete

Screenshots / Demo video

https://www.loom.com/share/9a79a65e6cec4e35888171620ed448e4

Migration Explanation

None

@github-actions

Preview deployment: https://a3-permissions.preview.avy-fx.org

@rchlfryn rchlfryn requested a review from busbyk January 27, 2026 04:39
Collaborator

@busbyk busbyk left a comment

This change would allow a provider manager to delete/edit any user with a provider relationship regardless of that user's roles or global roles.

This is an issue because we currently have some Sierra admin users with provider relationships to the Sierra Avalanche Center provider in production. So this change would allow a provider manager user to delete a Sierra admin user. Which shouldn't be allowed.

I think what we want is logic that says: a provider manager can:

  • read any user with a providers relationship
  • edit/delete any user with only a provider relationship and no roles or global roles

Maybe we go to the field level and allow a provider manager to edit a user's providers relationship field if that user already has a provider relationship but that might not be worth it.

Test by adding a providers relationship to a tenant-admin user in the local seed data. The provider manager user can then delete that user.

@rchlfryn
Collaborator Author

rchlfryn commented Jan 29, 2026

I think what we want is logic that says: a provider manager can:

  • read any user with a providers relationship
  • edit/delete any user with only a provider relationship and no roles or global roles

I am not sure if there is a way we can do this at the access level, since the data being deleted/edited is not available to look at. I added 2 hooks to the user collection to check the user being edited or deleted and not let a provider manager delete a user associated with an avy center.

Is there another way to do this?

@rchlfryn rchlfryn requested a review from busbyk January 29, 2026 00:32
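
The rule proposed in the review above (a provider manager may edit or delete only users who have a provider relationship and no roles or global roles), written as a check that a beforeChange or beforeDelete hook could call. This is an added example, not code from this pull request; the field names `providers`, `roles`, `globalRoles` and the function name are assumptions, and rejecting edits that would assign roles goes beyond what the thread states.

```typescript
// Added illustration; field and function names are hypothetical, not the project's schema.
type Id = string;

interface UserDoc {
  id: Id;
  providers: Id[];   // provider relationships
  roles: Id[];       // avalanche-center (tenant-scoped) role assignments
  globalRoles: Id[]; // global role assignments
}

type Decision = { allowed: true } | { allowed: false; reason: string };

const hasAny = (xs?: Id[]): boolean => Array.isArray(xs) && xs.length > 0;

// Decide whether a provider manager may edit or delete `existing`.
// `existing` must be the stored document, never the request body, so the
// caller cannot hide the target's roles by omitting them from the payload.
// `incoming` is the proposed change for an edit; omit it for a delete.
function providerManagerMayModify(existing: UserDoc, incoming?: Partial<UserDoc>): Decision {
  if (!hasAny(existing.providers)) {
    return { allowed: false, reason: "target has no provider relationship" };
  }
  if (hasAny(existing.roles) || hasAny(existing.globalRoles)) {
    return { allowed: false, reason: "target holds roles or global roles" };
  }
  // Extension beyond the thread: an edit must not grant roles either.
  if (incoming && (hasAny(incoming.roles) || hasAny(incoming.globalRoles))) {
    return { allowed: false, reason: "edit would assign roles or global roles" };
  }
  return { allowed: true };
}

// Constructed sample users.
const providerOnly: UserDoc = { id: "u1", providers: ["p1"], roles: [], globalRoles: [] };
// Mirrors the reviewer's case: an admin who also has a provider relationship.
const centerAdmin: UserDoc = { id: "u2", providers: ["p1"], roles: ["r-admin"], globalRoles: [] };
const noProvider: UserDoc = { id: "u3", providers: [], roles: [], globalRoles: [] };
```
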
Development

Successfully merging this pull request may close these issues.

Allow A3 Provider Manager to edit/delete Provider Users

3 participants