Here is the requirements. I will have three levels of access to a dashboard that is restricted from the public (System Admin, Manager, Employee).
System admin, to simply put is essentially super admin. They have the ability to index,show,create,update,delete all companies and users.
Managers are created by system admin and assigned to a company, they have the ability to index,show,create,update,delete employees only for the company they belong to.
Employees have a read only access to their companies information and files.
Here is my current routes for the users. (using Slim Framework)
System Admin only access protected by middleware: These actions are for the system admin to manage all users.
/*** USERS ***/
// View to List Users
$this->get('/users', 'App\Controller\User\UserController:index')->setName('user.index');
// View containing user registration form
$this->get('/users/new', 'App\Controller\User\UserController:create')->setName('user.create');
// Creates new user from registration form
$this->post('/users' , 'App\Controller\User\UserController:store');
// Show single user view
$this->get('/users/{id}', 'App\Controller\User\UserController:show')->setName('user.show');
// View containing edit user form
$this->get('/users/{id}/edit', 'App\Controller\User\UserController:edit')->setName('user.edit');
// Updates new user from edit user form
$this->put('/users/{id}', 'App\Controller\User\UserController:update');
// Deletes new user from edit user form
$this->delete('/users/{id}', 'App\Controller\User\UserController:delete');
System Admin & Manager only access protected by middleware: These interactions are for the manager to manage employees
/*** COMPANIES Employees ***/
// View to List Companies employees
$this->get('/companies/{id}/users', 'App\Controller\Company\CompanyUsersController:index')->setName('company.user.index');
// View containing new employee registration form
$this->get('/companies/{id}/users/new', 'App\Controller\Company\CompanyUsersController:create')->setName('company.user.create');
// Creates new employee from registration form
$this->post('/companies/{id}/users' , 'App\Controller\Company\CompanyUsersController:store');
// Show single user
$this->get('/companies/{id}/users/{id}', 'App\Controller\Company\CompanyUsersController:show')->setName('company.user.show');
// View containing edit company employee form
$this->get('/companies/{id}/users/{id}/edit', 'App\Controller\Company\CompanyUsersController:edit')->setName('company.user.edit');
// Updates user from edit user form
$this->put('/companies/{id}/users/{id}', 'App\Controller\Company\CompanyUsersController:update');
// Deletes new user from edit user form
$this->delete('/companies/{id}/users/{id}', 'App\Controller\Company\CompanyUsersController:delete');
You will notice that for system admin, company id is not required. However, for store manager it is. So these interactions will have separate queries. My question is more about best practice. This solution seems a little redundent to me but it effectively separates concerns as well as simplifies the methods on each controller as well as the middlewares needed for access control. Am I going about this completely wrong?