Campaign Permissions must answer the following questions:
- Does the user's role allow them the operation they want to do in general
- The the user's role allow them the operation they want to do for this campaign
- Is the data they're sending of the campaign they have access for?
3.1) DELETE -> Get the entry for the ID and check if their campaign_id matches the id of the campaign
Strategy A:
Make it so every API URL must have a campaignName parameter, if access to a given object depends on the campaign.
In the campaignAccess-middleware, you then get the campaign name parameter, you extract the role that the user has for that campaign from the JWT.
You then compare that role with what the user is trying to do. If they're sending a DELETE/PUT/PATCH/POST request and their role for this campaign is guest or lower, deny access. If they try to read and have no role, deny access.
However, this runs the risk of the user creating or patching something in a way that would make it belong to a different campaign.
StrategyB:
You could implement something like the signal system again, but for permissions.
Then connect every model to a permission within their model file.
Change the JWT so it maps campaign-id's to roles instead of campaign names to roles.
Then in the repository you check the permission before you perform the operation, essentially checking if, for the entry's campaign_id the user has a role that has the permission. You'd have to smuggle the JWT data of the request somehow into that thing... however the fuck you want to do that one.