...
Controllers usually check for roles and consent;
AuthUtils methods are called in the services to check the relationship of the caller to entities like studies and organizations.
This is getting messy. The issues I'm encountering:
Authorization rules are defined in different places, so there is no one place to see what is and is not permissible;
Utility methods are difficult to compose to meet new requirements and, despite my best attempts, the names of these methods remain confusing at times;
Consequently it is hard to say with confidence that we have no lapses in the authorization checks that are currently made.
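To make the last point concrete, here is an added illustration (not the project's code, and not the alternative proposed later on this page) of what a single place to look could be: a table keyed by (action, resource type) that fails closed when no rule exists, plus a helper that reports which required (action, resource) pairs have no rule at all. All names (Caller, Study, Organization, the ADMIN and STUDY_DESIGNER roles, the actions) are assumptions made for the example.

```python
"""Added example: authorization rules kept in one table so coverage can be audited.
Illustrative only; the types, roles and actions below are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Caller:
    user_id: str
    roles: frozenset = frozenset()        # e.g. {"ADMIN", "STUDY_DESIGNER"}
    org_id: Optional[str] = None          # organization the caller belongs to


@dataclass(frozen=True)
class Study:
    study_id: str
    org_id: str                           # sponsoring organization


@dataclass(frozen=True)
class Organization:
    org_id: str


# A rule is a predicate over (caller, resource).
Rule = Callable[[Caller, object], bool]


def is_admin(c: Caller, _r: object) -> bool:
    return "ADMIN" in c.roles


def has_role(role: str) -> Rule:
    return lambda c, _r: role in c.roles


def is_org_member(c: Caller, r: object) -> bool:
    # Relationship check: caller's org must match the resource's org.
    return c.org_id is not None and c.org_id == getattr(r, "org_id", None)


def any_of(*rules: Rule) -> Rule:
    return lambda c, r: any(rule(c, r) for rule in rules)


def all_of(*rules: Rule) -> Rule:
    return lambda c, r: all(rule(c, r) for rule in rules)


# The one place to look. A missing entry means deny.
POLICY: Dict[Tuple[str, type], Rule] = {
    ("read", Study): any_of(is_admin, is_org_member),
    ("update", Study): any_of(is_admin, all_of(has_role("STUDY_DESIGNER"), is_org_member)),
    ("read", Organization): any_of(is_admin, is_org_member),
    # ("delete", Study) is deliberately absent: authorize() denies it for everyone.
}


class Forbidden(Exception):
    pass


def is_allowed(caller: Caller, action: str, resource: object) -> bool:
    rule = POLICY.get((action, type(resource)))
    return rule is not None and rule(caller, resource)   # fail closed


def authorize(caller: Caller, action: str, resource: object) -> None:
    """Call at the service boundary; raises instead of returning False."""
    if not is_allowed(caller, action, resource):
        raise Forbidden(f"{caller.user_id} may not {action} {type(resource).__name__}")


def uncovered(required: Iterable[Tuple[str, type]]) -> List[Tuple[str, type]]:
    """The lapse check: required (action, type) pairs with no rule in POLICY."""
    return [pair for pair in required if pair not in POLICY]


if __name__ == "__main__":
    study = Study("s1", "org1")
    admin = Caller("admin", frozenset({"ADMIN"}))
    outsider = Caller("outsider", frozenset({"STUDY_DESIGNER"}), org_id="org2")
    print(is_allowed(admin, "read", study), is_allowed(outsider, "update", study))
    print(uncovered([("read", Study), ("delete", Study)]))
```

The value of the table is less the rules themselves than the `uncovered` check: the list of (action, resource) pairs the API exposes can be compared against it in a test, so a missing rule is a failing test rather than a silent gap.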
I think we could use a more robust alternative to implement this. But first, here are the authorization checks we have implemented or want to implement in the MTB timeframe, described in terms of access to objects in the REST API rather than through the several endpoints needed to expose each object in the API itself, and skipping the participant-facing APIs. Then, as we look at alternatives for implementation, I'll show what modeling enrollment would look like.
...