Skip to content

Refactor profile authorization logic into service layer #273

Description

@danielsjoo

Currently, profile authorization logic (checkProfileAuthorization) is in UserController as a private method. This should be extracted into a ProfileAuthorizationService for:

  1. Testability/Security: Authorization logic needs comprehensive unit tests covering:

    • Client accessing own profile
    • Client accessing another client's profile (should fail)
    • Worker accessing same-org client (should succeed)
    • Worker accessing different-org client (should fail)
    • Missing users, null sessions, etc.
  2. Reusability: Similar authorization patterns exist in:

    • PdfController (pdfDownload, pdfDelete)
    • FileController (file access)
    • Could be reused across profile-related endpoints
  3. Consistency: Other authorization logic (AuthenticateUserService, LoginService) follows service pattern

  4. Maintainability: Centralized authorization rules are easier to audit and modify

Current implementation works but makes testing difficult and violates separation of concerns.

Priority: Medium (not blocking, but improves code quality and testability)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions