ADDED Requirements
Requirement: Enforce Superuser permissions
The system SHALL grant Superusers full access to all functionality without restrictions.
Scenario: Superuser creates team member
- WHEN a Superuser creates a new team member
- THEN the system allows the action
Scenario: Superuser views all data
- WHEN a Superuser requests any data (projects, allocations, reports)
- THEN the system returns the requested data without access restrictions
Requirement: Enforce Manager permissions
The system SHALL allow Managers to create/edit their own projects and allocate resources from their own team.
Scenario: Manager creates project
- WHEN a Manager creates a new project
- THEN the system associates the project with the Manager
- AND the Manager can edit the project
Scenario: Manager views all projects (read-only for others)
- WHEN a Manager requests the list of all projects
- THEN the system returns all projects
- AND projects owned by other Managers are marked as read-only
Scenario: Manager allocates own team member
- WHEN a Manager allocates a team member from their own team to a project
- THEN the system allows the allocation
Scenario: Manager cannot allocate other team's members
- WHEN a Manager attempts to allocate a team member from another Manager's team
- THEN the system rejects the request with error "Cannot allocate team members from other teams"
Scenario: Manager approves estimates
- WHEN a Manager approves an estimate for their own project
- THEN the system updates the project status and sets the approved estimate
Requirement: Enforce Developer permissions
The system SHALL allow Developers to view their own allocations and log their own hours.
Scenario: Developer views own allocations
- WHEN a Developer requests their allocations
- THEN the system returns only projects where the Developer is allocated
Scenario: Developer logs own hours
- WHEN a Developer logs hours for a project they are allocated to
- THEN the system accepts the hours
Scenario: Developer cannot log hours for other team members
- WHEN a Developer attempts to log hours on behalf of another team member
- THEN the system rejects the request with error "Cannot log hours for other team members"
Scenario: Developer views assigned project details
- WHEN a Developer requests details for a project they are allocated to
- THEN the system returns project details (title, status, their allocation)
Scenario: Developer cannot view unassigned projects
- WHEN a Developer requests details for a project they are not allocated to
- THEN the system returns a 403 Forbidden error
Scenario: Developer cannot allocate resources
- WHEN a Developer attempts to create or modify an allocation
- THEN the system rejects the request with error "Insufficient permissions"
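The Developer scenarios above come down to two controls: scope the listing query to the caller, and check the caller's own allocation before returning project details or accepting hours. The controller below is an added example, not the project's code; it assumes Laravel, an `auth:api` guard that resolves the user from the JWT, `Allocation`, `Project` and `TimeEntry` Eloquent models with the columns named in the comments, and the hypothetical routes shown in the comment.

```php
<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Models\Allocation;
use App\Models\Project;
use App\Models\TimeEntry;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

// Assumed routes (routes/api.php), behind the auth guard and a role check:
//   Route::get('/me/allocations', [DeveloperController::class, 'allocations']);
//   Route::get('/me/projects/{project}', [DeveloperController::class, 'showProject']);
//   Route::post('/allocations/{allocation}/hours', [DeveloperController::class, 'logHours']);
// Assumed schema: allocations(id, project_id, user_id, hours_per_week),
//                 time_entries(id, allocation_id, user_id, date, hours).
class DeveloperController extends Controller
{
    // "Developer views own allocations": the query is scoped to the caller, so the
    // response cannot contain another developer's rows by construction.
    public function allocations(Request $request): JsonResponse
    {
        $developer = $request->user();

        $allocations = Allocation::query()
            ->where('user_id', $developer->id)
            ->with('project:id,title,status')
            ->get(['id', 'project_id', 'user_id', 'hours_per_week']);

        return response()->json($allocations);
    }

    // "Developer views assigned project details" / "cannot view unassigned projects":
    // the per-object check is the existence of the caller's own allocation.
    public function showProject(Request $request, Project $project): JsonResponse
    {
        $developer = $request->user();

        $allocation = $project->allocations()
            ->where('user_id', $developer->id)
            ->first();

        if ($allocation === null) {
            abort(403, 'Forbidden');
        }

        return response()->json([
            'title'      => $project->title,
            'status'     => $project->status,
            'allocation' => ['hours_per_week' => $allocation->hours_per_week],
        ]);
    }

    // "Developer logs own hours" / "cannot log hours for other team members":
    // the owner comes from the allocation row and the session, never from the body.
    public function logHours(Request $request, Allocation $allocation): JsonResponse
    {
        $developer = $request->user();

        $data = $request->validate([
            'date'  => ['required', 'date'],
            'hours' => ['required', 'numeric', 'min:0.25', 'max:24'],
        ]);

        // Any user_id supplied in the request body is ignored entirely; the only
        // identity that matters is the one on the allocation being logged against.
        if ((int) $allocation->user_id !== (int) $developer->id) {
            return response()->json(
                ['error' => 'Cannot log hours for other team members'],
                403
            );
        }

        $entry = TimeEntry::create([
            'allocation_id' => $allocation->id,
            'user_id'       => $developer->id,
            'date'          => $data['date'],
            'hours'         => $data['hours'],
        ]);

        return response()->json($entry, 201);
    }
}
```

Scoping the listing with `where('user_id', ...)` rather than filtering after the fact means there is no per-row check to forget, and taking `user_id` from the authenticated session rather than the payload is what makes the "on behalf of another team member" scenario fail regardless of what the client sends.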
Requirement: Enforce Top Brass permissions
The system SHALL allow Top Brass to view all reports but prevent any modifications.
Scenario: Top Brass views all reports
- WHEN Top Brass requests forecast, utilization, cost, allocation, or variance reports
- THEN the system returns the requested report with all data
Scenario: Top Brass cannot modify data
- WHEN Top Brass attempts to create, update, or delete any entity (project, allocation, team member)
- THEN the system rejects the request with error "Read-only access"
Scenario: Top Brass views cross-team data
- WHEN Top Brass views reports
- THEN the system includes data from all teams without restrictions
Requirement: Role-based API endpoints
The system SHALL protect API endpoints with role-based middleware.
Scenario: Unauthorized access attempt
- WHEN a user attempts to access an endpoint without the required role
- THEN the system returns a 403 Forbidden error
- AND logs the unauthorized access attempt
Scenario: Token includes role information
- WHEN a user authenticates
- THEN the issued JWT includes the user's role
- AND API middleware validates the role for each request
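A role middleware that satisfies both scenarios (403 plus a log entry on a role mismatch, role carried in the JWT) can be written as below. This is an added example rather than the project's code; it assumes Laravel 11, a `users.role` string column with the values `superuser`, `manager`, `developer` and `top_brass`, and the tymon/jwt-auth package for the `JWTSubject` excerpt in the comment. The alias name `role` and the route in the comment are illustrative.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

// Putting the role into the token (app/Models/User.php, assumes tymon/jwt-auth):
//   class User extends Authenticatable implements JWTSubject {
//       public function getJWTIdentifier() { return $this->getKey(); }
//       public function getJWTCustomClaims() { return ['role' => $this->role]; }
//   }
// Registration (bootstrap/app.php, Laravel 11):
//   $middleware->alias(['role' => EnsureUserHasRole::class]);
// Route usage (routes/api.php); auth:api must run first so the JWT signature
// is verified before any role is trusted:
//   Route::middleware(['auth:api', 'role:superuser,manager'])->post('/projects', ...);
class EnsureUserHasRole
{
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        $user = $request->user(); // resolved by the auth:api guard from the verified JWT

        // auth:api already rejects missing or invalid tokens; fail closed regardless.
        if ($user === null) {
            return response()->json(['error' => 'Unauthenticated'], 401);
        }

        // The role is taken from the authenticated user record rather than parsed out
        // of the token again: the claim is convenient for clients, but reading the row
        // means a demotion takes effect on the next request instead of at token expiry.
        if (!in_array($user->role, $roles, true)) {
            Log::warning('Unauthorized access attempt', [
                'user_id'        => $user->id,
                'role'           => $user->role,
                'required_roles' => $roles,
                'method'         => $request->method(),
                'path'           => $request->path(),
                'ip'             => $request->ip(),
            ]);

            return response()->json(['error' => 'Forbidden'], 403);
        }

        return $next($request);
    }
}
```

The log record carries the fields a detection rule needs (who, which role, which endpoint, from where) without echoing the token or request body; the 403 body stays generic so the response does not reveal which roles the endpoint accepts.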
Requirement: Model-level authorization
The system SHALL enforce authorization at the model level using Laravel Policies.
Scenario: Policy check for project update
- WHEN a Manager attempts to update a project
- THEN the system checks the ProjectPolicy to verify ownership
- AND allows the update only if the Manager owns the project or is a Superuser
Scenario: Policy check for allocation creation
- WHEN a user attempts to create an allocation
- THEN the system checks the AllocationPolicy to verify the user has permission
- AND for Managers, verifies the team member belongs to their team
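The Superuser, Manager and Top Brass requirements above, together with the two policy scenarios here, map naturally onto Laravel Policies: a `before` hook grants Superusers everything and refuses writes for Top Brass, `ProjectPolicy::update` does the ownership check, and `AllocationPolicy::create` does the team-membership check. The listing below is an added example, not the project's policies; it assumes a `users.role` column with the values `superuser`, `manager`, `developer` and `top_brass`, `projects.manager_id` as the owning Manager, `users.team_id` as a member's team, and a `Project::allocations()` relation. The trait name `RoleOverrides` and the `approveEstimate` ability are illustrative.

```php
<?php

namespace App\Policies;

use App\Models\Allocation;
use App\Models\Project;
use App\Models\User;
use Illuminate\Auth\Access\Response;

// Laravel discovers App\Policies\ProjectPolicy for App\Models\Project (and likewise
// for Allocation) automatically; each class below belongs in its own file.
// Controller usage (assumed):
//   Gate::authorize('update', $project);                         // ProjectPolicy::update
//   Gate::authorize('create', [Allocation::class, $teamMember]); // AllocationPolicy::create
// A deny Response surfaces as AuthorizationException -> HTTP 403 carrying its message.

// Shared pre-check: Superusers pass every ability; Top Brass is refused every write
// with "Read-only access"; null defers to the ability method on the policy.
trait RoleOverrides
{
    public function before(User $user, string $ability): bool|Response|null
    {
        if ($user->role === 'superuser') {
            return true;
        }
        $writes = ['create', 'update', 'delete', 'approveEstimate'];
        if ($user->role === 'top_brass' && in_array($ability, $writes, true)) {
            return Response::deny('Read-only access');
        }
        return null;
    }
}

class ProjectPolicy
{
    use RoleOverrides;

    // Managers and Top Brass may read any project (non-owners get it read-only,
    // which update() enforces); Developers only the projects they are allocated to.
    public function view(User $user, Project $project): bool
    {
        return match ($user->role) {
            'manager', 'top_brass' => true,
            'developer' => $project->allocations()->where('user_id', $user->id)->exists(),
            default => false,
        };
    }

    public function create(User $user): bool
    {
        return $user->role === 'manager';
    }

    // Ownership check: only the Manager recorded on the project may edit it.
    public function update(User $user, Project $project): bool
    {
        return $user->role === 'manager'
            && (int) $project->manager_id === (int) $user->id;
    }

    // Approving an estimate is an edit of the project, so it follows the same rule.
    public function approveEstimate(User $user, Project $project): bool
    {
        return $this->update($user, $project);
    }
}

class AllocationPolicy
{
    use RoleOverrides;

    // $teamMember arrives as extra policy context from Gate::authorize(). The role
    // test runs first, so Developers get "Insufficient permissions" and never reach
    // the team comparison; Top Brass was already stopped in before().
    public function create(User $user, User $teamMember): Response
    {
        if ($user->role !== 'manager') {
            return Response::deny('Insufficient permissions');
        }
        if ((int) $teamMember->team_id !== (int) $user->team_id) {
            return Response::deny('Cannot allocate team members from other teams');
        }
        return Response::allow();
    }
}
```

Keeping the ownership and team checks in policies rather than in controllers means every entry point that calls `Gate::authorize` (HTTP, console commands, queued jobs) gets the same decision, and the role-only middleware stays a coarse first filter rather than the place where object-level rules live.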