Authorization & Roles
DailyDesk implements Role-Based Access Control (RBAC) to manage user permissions across the platform.
User Roles
The system defines four primary roles, shared across the frontend and backend:
1. SUPERADMIN
- Code Value: `SUPERADMIN`
- Description: Platform-level administrator with unrestricted access.
- Key Capabilities:
  - Manage Salons: Can create, update, and delete salon entities (`SalonsController`).
  - User Management: Can manage users across all salons.
  - System Config: Full access to global settings.
2. MANAGER
- Code Value: `MANAGER`
- Description: The primary administrator for a specific Salon.
- Key Capabilities:
  - Salon Management: Can update settings for their assigned salon (`@Roles(RoleEnum.MANAGER)`).
  - Ticket Management: Full control over the turn queue and appointments (`TicketsController`).
  - Staff Management: Can manage Receptionists and Technicians within their salon.
3. RECEPTIONIST
- Code Value: `RECEPTIONIST`
- Description: Operational staff responsible for the front desk.
- Key Capabilities:
  - Ticket Management: Can create, update, and cancel tickets (`@Roles(RoleEnum.MANAGER, RoleEnum.RECEPTIONIST)`).
  - View Queue: Real-time view of the salon's turn queue.
  - Limited Access: Cannot modify salon settings or manage other users.
4. TECHNICIAN
- Code Value: `TECHNICIAN`
- Description: Service providers.
- Key Capabilities:
  - View Assignments: Can view tickets assigned to them.
  - Status Updates: Typically limited to updating the status of their current service interactions.

> [!NOTE]
> Dependent Authentication: Technicians have no standalone login and cannot sign in from a fresh browser session. They log in via a Shared Device Flow:
> 1. A `MANAGER` or `RECEPTIONIST` must first authenticate the device/browser.
> 2. The Technician then uses the "Technician Login" screen, entering their `techId` and numerical `code` (PIN) to switch the active context.
> 3. This verifies their identity against the active Salon session.
Implementation Details
Backend
Authorization is enforced using NestJS Guards and Decorators:
- `@UseGuards(JWTAuthGuard)`: Ensures the user is authenticated.
- `@Roles(...)`: Restricts endpoints to specific roles.
- Example: `@Roles(RoleEnum.MANAGER)` on `PATCH /salons/:id` ensures only Managers can update salon details.
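A framework-agnostic version of the checks that `@UseGuards(JWTAuthGuard)` and `@Roles(...)` stand for, as an added example that is not DailyDesk's own code. It goes one step beyond the decorators quoted above: because a `MANAGER` is only entitled to "their assigned salon", a role check on `PATCH /salons/:id` is not sufficient on its own, and the example adds the salon-scope comparison. The `salonId` claim on the principal, the `salonParam` route metadata, and the paths in the route table other than `PATCH /salons/:id` are assumptions made for this illustration.

```typescript
// Added example, not DailyDesk's own code: a framework-agnostic version of the
// checks that @UseGuards(JWTAuthGuard) and @Roles(...) perform, with the
// per-salon scope check added. The salonId claim, the salonParam metadata and
// the route table are assumptions made for this illustration.
enum RoleEnum {
  SUPERADMIN = "SUPERADMIN",
  MANAGER = "MANAGER",
  RECEPTIONIST = "RECEPTIONIST",
  TECHNICIAN = "TECHNICIAN",
}

// Principal that the JWT guard is assumed to attach to the request.
interface AuthUser {
  sub: string;
  role: RoleEnum;
  salonId: string | null; // null for SUPERADMIN, who is not bound to one salon (assumed)
}

// Metadata that @Roles(...) records for a handler, plus the assumed name of the
// route/body parameter that identifies the target salon.
interface RouteMeta {
  roles: RoleEnum[];
  salonParam?: string;
}

interface Decision {
  allowed: boolean;
  status: 200 | 401 | 403;
  reason: string;
}

function authorize(meta: RouteMeta, user: AuthUser | null, params: Record<string, string>): Decision {
  // Layer 1: authentication. A missing or unverified token is 401, not 403.
  if (user === null) return { allowed: false, status: 401, reason: "not authenticated" };

  // Layer 2: role membership, exactly as listed in @Roles(...). No implicit
  // SUPERADMIN bypass: if SUPERADMIN may call a handler, it is listed there.
  if (!meta.roles.includes(user.role)) {
    return { allowed: false, status: 403, reason: `role ${user.role} not in [${meta.roles.join(", ")}]` };
  }

  // Layer 3: tenant scope. A MANAGER's rights are "for their assigned salon", so
  // passing the role check is not enough: the salon named in the request must be
  // the caller's own. Without this step any MANAGER could update any salon.
  if (meta.salonParam !== undefined && user.role !== RoleEnum.SUPERADMIN) {
    const target: string | undefined = params[meta.salonParam];
    if (target === undefined || target !== user.salonId) {
      return { allowed: false, status: 403, reason: `salon ${target ?? "(none)"} is not the caller's salon` };
    }
  }
  return { allowed: true, status: 200, reason: "ok" };
}

// Route table mirroring the decorators quoted in the text; the DELETE and
// ticket paths are assumed.
const ROUTES: Record<string, RouteMeta> = {
  "PATCH /salons/:id": { roles: [RoleEnum.MANAGER], salonParam: "id" },
  "DELETE /salons/:id": { roles: [RoleEnum.SUPERADMIN] },
  "POST /tickets": { roles: [RoleEnum.MANAGER, RoleEnum.RECEPTIONIST], salonParam: "salonId" },
};

function check(route: string, user: AuthUser | null, params: Record<string, string>): Decision {
  const meta: RouteMeta | undefined = ROUTES[route];
  if (meta === undefined) throw new Error(`unknown route ${route}`);
  return authorize(meta, user, params);
}

// Constructed sample principals.
const managerA: AuthUser = { sub: "u1", role: RoleEnum.MANAGER, salonId: "salon-A" };
const receptionistA: AuthUser = { sub: "u2", role: RoleEnum.RECEPTIONIST, salonId: "salon-A" };
const superadmin: AuthUser = { sub: "u0", role: RoleEnum.SUPERADMIN, salonId: null };
```

In a NestJS guard the `RouteMeta` would come from the `Reflector` reading the `@Roles(...)` metadata and the `AuthUser` from `request.user`; the decision logic is the same. The point of layer 3 is that role and tenant are separate questions: `@Roles(RoleEnum.MANAGER)` answers "is this a manager?", not "is this the manager of salon `:id`?".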
Frontend (UI Permissions)
The React application enforces permissions via Route Guards (App.js) and Component-Level Logic. These checks decide what the UI renders; they are a usability layer rather than a security boundary, because a client can call the API directly, so the backend Guards above remain the authoritative enforcement point.
1. Route Access
| Page / Route | SUPERADMIN | MANAGER | RECEPTIONIST | TECHNICIAN |
|---|---|---|---|---|
| Home | ✅ | ✅ | ✅ | ✅ |
| Users (/users) | ✅ | ✅ | ✅ | ❌ |
| Services (/services) | ✅ | ✅ | ❌ | ❌ |
| Salons (/salon) | ✅ | ✅ (View Only) | ❌ | ❌ |
| Sales (/sales) | ✅ | ✅ | ❌ | ❌ |
| Settings (/settings) | ✅ | ✅ | ❌ | ❌ |
| Messages (/messages) | ✅ | ✅ | ❌ | ❌ |
| Help (/help) | ✅ | ✅ | ✅ | ✅ |
2. Functional Restrictions
- Salon Management:
  - Create/Edit/Delete: Restricted to `SUPERADMIN` only (Salon.js). Managers can view the list but cannot modify entities.
- User Management:
  - Admins: Only `SUPERADMIN` can view the "Admins" tab in the Users list.
  - Scope: `MANAGER` and `RECEPTIONIST` are strictly scoped to creating/editing users within their own salon (UserForm.js).
- FAQ / Content:
  - Edit FAQ: Restricted to `SUPERADMIN` and `MANAGER` (Help.js).