Permissions & Security
Authentication
MaxTracks Web uses a password-based authentication system. User credentials are stored in the User Firestore collection (not Firebase Auth).
| Field | Description |
|---|---|
| userID | Unique identifier |
| name | Display name |
| password | User password |
| permissions | Map of permission flags |
Permission System
Access control is managed through the webPermissions Firestore collection. Each document represents a protected action with a list of allowed users.
Document Structure
{
"action": "view_approve_or_send_invoices",
"allowedUsers": ["user1", "user2", "user3"]
}
Known Permission Actions
| Action | Protects | Screen |
|---|---|---|
view_approve_or_send_invoices |
Invoice approval and sending | Invoice screen |
edit_permissions |
Managing user permissions | Permissions screen |
view_qr |
Viewing QR codes for packages | QR code feature |
How Permissions Are Checked
- User navigates to a protected screen
- App queries
webPermissionscollection for the relevant action - Checks if current user’s ID is in the
allowedUsersarray - If not authorized, access is denied with an error message
Managing Permissions
The Permissions screen (Permissions.dart) allows authorized users to:
- View all permission actions
- See which users have access to each action
- Add users to permission groups
- Remove users from permission groups
Only users with the edit_permissions action can access this screen.
Activity Logging
All significant actions are logged to the webLogs Firestore collection:
| Field | Type | Description |
|---|---|---|
| action | string | Action type performed |
| message | string | Human-readable description |
| timestamp | timestamp | When the action occurred |
The Logs screen (Logs.dart) displays these entries chronologically for auditing purposes.