Hierarchy Authorization Guard - Meander - Peer Mentor Platform

Service Layer medium complexity backend

Dependencies

Dependents

Entities

Integrations

Description

Enforces level-scoped access control for all hierarchy management operations. Ensures that admins can only create, update, or delete organizations within their own descendant scope - a regional admin cannot modify a national-level organization, and sibling organizations remain mutually inaccessible.

Feature: Multi-Organization Hierarchy

hierarchy-authorization-guard

Responsibilities

Resolve the requesting admin's organizational level and descendant scope from session context
Validate that the target organization falls within the admin's permitted scope
Block cross-sibling access to enforce data isolation between peer organizations
Integrate with the role-based access control system for role-level permission checks

Interfaces

canManageOrganization(adminUserId: string, targetOrgId: string): boolean

getAdminScope(adminUserId: string): OrgScope

assertScopeOrThrow(adminUserId: string, targetOrgId: string): void

isSiblingOrUnrelated(adminOrgId: string, targetOrgId: string): boolean

Relationships

Dependencies (1)

Components this component depends on

data Organization Hierarchy Repository

Dependents (2)

Components that depend on this component

ui Hierarchy Management Page service Hierarchy Service

Related Data Entities (1)

Data entities managed by this component

Organization 21 fields core