
Security ctd

  1. Profiles and permissions are set in the interface. This includes setting which fields a profile may view, edit, delete or create.

  2. All routes are connected to specific profiles and an authorisation check is included every time.

  3. All fields are validated as required on every request.

  4. Resources ensure that only fields that a profile has access to can be sent from the site.

  5. Data that is ‘owned’ by particular profiles has additional checks to ensure they can only access or edit their own data unless explicit permission has been given.

  6. Profiles can be set to manage other profile types as well as being able to assume the role of another profile.


Additional authorisation flexibility can be built into the data level.
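The checks in points 4 to 6 above, as an added illustration that is not code from the original page: field-level view/edit permissions per profile, a resource layer that strips fields the profile may not view, an ownership check with an explicit-grant exception, and a guarded role switch. The profile names, field names and sample record are constructed for the example.

```python
from dataclasses import dataclass

VIEW, EDIT = "view", "edit"

@dataclass(frozen=True)
class Profile:
    name: str
    field_perms: dict                   # field name -> set of permissions on that field
    manages: frozenset = frozenset()    # profile names this profile may assume
    grants: frozenset = frozenset()     # record ids usable without owning them (explicit permission)

# Constructed sample profiles (hypothetical, not taken from the page).
MEMBER = Profile("member", {"email": {VIEW, EDIT}, "balance": {VIEW}})
STAFF = Profile("staff",
                {"email": {VIEW, EDIT}, "balance": {VIEW, EDIT}, "notes": {VIEW, EDIT}},
                manages=frozenset({"member"}))

def serialize(record: dict, profile: Profile) -> dict:
    """Resource layer: return only the fields the profile may view (allowlist, so
    unknown fields such as internal ids are never sent)."""
    return {k: v for k, v in record.items() if VIEW in profile.field_perms.get(k, ())}

def authorize_update(record: dict, changes: dict, profile: Profile, actor_id: int) -> list:
    """Route and field check: list every reason the update must be refused.
    An empty list means the update is allowed."""
    problems = []
    # Owned data: only the owner may edit it unless the profile holds an explicit grant.
    if record["owner_id"] != actor_id and record["id"] not in profile.grants:
        problems.append("not owner and no explicit grant")
    # Field-level check: every submitted field must be editable by this profile.
    for name in changes:
        if EDIT not in profile.field_perms.get(name, ()):
            problems.append(f"field '{name}' not editable by profile '{profile.name}'")
    return problems

def assume_role(current: Profile, target: Profile) -> Profile:
    """Switch to another profile only when the current one is configured to manage it."""
    if target.name not in current.manages:
        raise PermissionError(f"{current.name} may not assume {target.name}")
    return target
```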
