# Access Control API

Manage user access to buildings and inspections within the Exit WeWeb Portal system.

# Access Control Tables

The system uses dedicated tables to manage granular access control:

  1. client_admin_building_access - Buildings accessible to client admins
  2. client_manager_building_access - Buildings accessible to client managers
  3. client_admin_inspection_access - Inspections accessible to client admins
  4. client_manager_inspection_access - Inspections accessible to client managers

# Endpoints

# Client Admin Building Access

# List Admin Building Access

```http
GET /client_admin_building_access
```

Query Parameters:

  • admin_id - Filter by admin user (eq)
  • building_id - Filter by building (eq, in)
  • select - Include related data

Example:

```http
GET /client_admin_building_access?admin_id=eq.UUID&select=*,buildings(name,city)
```

# Grant Building Access to Admin

```http
POST /client_admin_building_access
Content-Type: application/json
```

Request Body:

```json
{
  "admin_id": "uuid",
  "building_id": 123,
  "assigned_by": "uuid",
  "assigned_at": "2025-01-22T10:00:00Z"
}
```

# Revoke Building Access from Admin

```http
DELETE /client_admin_building_access?admin_id=eq.UUID&building_id=eq.123
```

# Client Manager Building Access

# List Manager Building Access

```http
GET /client_manager_building_access
```

Query Parameters:

  • manager_id - Filter by manager user (eq)
  • building_id - Filter by building (eq, in)
  • select - Include related data

Example:

```http
GET /client_manager_building_access?manager_id=eq.UUID&select=*,buildings(*)
```

# Grant Building Access to Manager

```http
POST /client_manager_building_access
Content-Type: application/json
```

Request Body:

```json
{
  "manager_id": "uuid",
  "building_id": 123,
  "assigned_by": "uuid",
  "assigned_at": "2025-01-22T10:00:00Z"
}
```

# Inspection Access

Similar endpoints exist for inspection access:

# List Admin Inspection Access

```http
GET /client_admin_inspection_access?admin_id=eq.UUID
```

# List Manager Inspection Access

```http
GET /client_manager_inspection_access?manager_id=eq.UUID
```

# Helper Functions

# Assign Buildings to Client Admin

```http
POST /rpc/assign_buildings_to_client_admin
Content-Type: application/json
```

Request Body:

```json
{
  "p_admin_id": "uuid",
  "p_building_ids": [1, 2, 3, 4, 5]
}
```

This function:

  • Validates that the admin exists and has the proper role
  • Assigns multiple buildings in one operation
  • Records who assigned and when
  • Returns success/failure status

# Assign Inspections to Client Admin

```http
POST /rpc/assign_inspections_to_client_admin
Content-Type: application/json
```

Request Body:

```json
{
  "p_admin_id": "uuid",
  "p_inspection_ids": [10, 20, 30, 40, 50]
}
```

# Assign Resources to Client Manager

```http
POST /rpc/assign_to_client_manager
Content-Type: application/json
```

Request Body:

```json
{
  "p_manager_id": "uuid",
  "p_building_ids": [1, 2, 3],
  "p_inspection_ids": [10, 20, 30]
}
```

This function:

  • Only callable by client admins or super admins
  • Assigns both buildings and inspections
  • Validates that the manager belongs to the same client as the calling admin
  • Records assignment metadata

# Access Check Functions

# Check Building Access

```http
POST /rpc/check_building_access_v2
Content-Type: application/json
```

Request Body:

```json
{
  "p_building_id": 123,
  "p_user_id": "uuid"
}
```

Response:

```json
true
```

# Check Inspection Access

```http
POST /rpc/check_inspection_access
Content-Type: application/json
```

Request Body:

```json
{
  "p_inspection_id": 456,
  "p_user_id": "uuid"
}
```

Response:

```json
true
```

# Access Control Rules

# Super Admins

  • Full access to all resources
  • Can assign/revoke access for any user
  • Bypass all access control checks

# Client Admins

  • Automatic access to all buildings in their client
  • Automatic access to all inspections in their client
  • Can assign access to client managers in their organization
  • Cannot access other clients' resources

# Client Managers

  • Only access explicitly assigned buildings
  • Only access explicitly assigned inspections
  • Cannot modify access assignments
  • Read-only access to assigned resources

# Example Workflows

# Assigning Buildings to a New Client Manager

  1. Client Admin creates the manager user
  2. Client Admin calls assign_to_client_manager with building IDs
  3. Manager can now access those buildings in the UI

# Bulk Assignment for Client Admin

  1. Super Admin calls assign_buildings_to_client_admin
  2. Pass array of all building IDs for that client
  3. Admin instantly has access to all buildings

# Checking User Access

Before displaying a building:

```javascript
// supabase.rpc() resolves to a { data, error } envelope, so destructure it:
// testing the envelope object itself is always truthy and would show the
// building to every user.
const { data: hasAccess, error } = await supabase
  .rpc('check_building_access_v2', {
    p_building_id: 123,
    p_user_id: currentUser.id
  });

// Fail closed: only an explicit `true` with no error grants access
if (!error && hasAccess === true) {
  // Show building details
}
```
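The two workflows above (assigning resources to a manager, then gating the UI on the access-check RPCs) put together as an added example; this is not the portal's own code. It assumes only that `client` has supabase-js's `rpc(name, params)` shape resolving to `{ data, error }`, and the in-memory `makeFakeClient` is a constructed stand-in so the example runs offline.

```javascript
// Fail closed: an RPC error or anything other than a literal `true` denies.
async function rpcGrants(client, fn, params) {
  const { data, error } = await client.rpc(fn, params);
  if (error) return false;      // network/permission error => deny
  return data === true;         // null, undefined, "true" => deny
}

const hasBuildingAccess = (client, buildingId, userId) =>
  rpcGrants(client, 'check_building_access_v2',
            { p_building_id: buildingId, p_user_id: userId });

const hasInspectionAccess = (client, inspectionId, userId) =>
  rpcGrants(client, 'check_inspection_access',
            { p_inspection_id: inspectionId, p_user_id: userId });

// Assign buildings and inspections to a manager via assign_to_client_manager,
// then re-check each building so a silent partial grant is noticed.
async function assignAndVerify(client, managerId, buildingIds, inspectionIds) {
  const { error } = await client.rpc('assign_to_client_manager', {
    p_manager_id: managerId,
    p_building_ids: buildingIds,
    p_inspection_ids: inspectionIds,
  });
  if (error) return { ok: false, missing: buildingIds, reason: error.message };
  const checks = await Promise.all(
    buildingIds.map((id) => hasBuildingAccess(client, id, managerId)));
  const missing = buildingIds.filter((_, i) => !checks[i]);
  return { ok: missing.length === 0, missing };
}

// Constructed stand-in for supabase-js (hypothetical, offline only): grants
// are remembered in a Set keyed by "<kind>:<resourceId>:<userId>".
function makeFakeClient() {
  const granted = new Set();
  return {
    async rpc(name, p) {
      if (name === 'assign_to_client_manager') {
        for (const b of p.p_building_ids) granted.add(`b:${b}:${p.p_manager_id}`);
        for (const i of p.p_inspection_ids) granted.add(`i:${i}:${p.p_manager_id}`);
        return { data: null, error: null };
      }
      if (name === 'check_building_access_v2')
        return { data: granted.has(`b:${p.p_building_id}:${p.p_user_id}`), error: null };
      if (name === 'check_inspection_access')
        return { data: granted.has(`i:${p.p_inspection_id}:${p.p_user_id}`), error: null };
      return { data: null, error: { message: `unknown rpc ${name}` } };
    },
  };
}
```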