Security, Auth & Permissions (RBAC + Tenant Scoping)

Type: Document
Status: Published
Created: Dec 25, 2025
Updated: Dec 25, 2025
Updated by: Dosu Bot

Auth Overview per Portal#

Admin Portal#

Authentication is stateless and token-based. The backend disables session and cookie validation (enableSession: false, enableCookieValidation: false) and uses the common\models\Admin identity class. Login is handled via HTTP Basic Auth, Google, Auth0, and two-step OTP. Tokens are issued as bearer tokens via the AdminToken model and returned in the _loginResponse method. Auth0 login uses the auth0 component to validate tokens and retrieve user info, then matches by email. See admin/config/main.php and admin/modules/v1/controllers/AuthController.php.

Staff Portal#

Authentication is stateless and token-based. The backend disables session and cookie validation (enableSession: false, enableCookieValidation: false) and uses the common\models\Staff identity class. Multiple login methods are supported: HTTP Basic Auth, Google, Auth0, and key-based login. See staff/config/main.php.

Candidate Portal#

Authentication uses HTTP Basic Auth for initial login, exchanging credentials for a bearer token. Multiple login methods are supported: standard, two-step, key, Google, Apple, and Auth0. Tokens are managed via the CandidateToken model and returned in _loginResponse. The frontend stores the token in local storage under loggedInUser and manages it in AuthService. Logout clears the token and user details from storage and memory. See candidate/modules/v1/controllers/AuthController.php and studenthub-candidate/src/app/providers/auth.service.ts.

Company Portal#

Unknown / Verify. No direct code references found for company portal authentication flow. Please verify the existence and implementation of an AuthService/AuthProvider and token handling.

Backend Enforcement Points#

Authentication enforcement is handled via Yii2 behaviors in each portal's AuthController. CORS filters are applied to allow requests from permitted origins. HTTP Basic Auth is used for initial login, with exceptions for public endpoints such as OPTIONS, signup, password reset, email verification, and social logins. See candidate/modules/v1/controllers/AuthController.php and admin/modules/v1/controllers/AuthController.php.
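The following is an added example, not the project's AuthController, of how a Yii2 REST controller is wired to enforce what this section describes (CORS from params['allowedOrigins'], HTTP Basic Auth only for the credential exchange, bearer tokens everywhere else, a public-endpoint exception list, and a token issued through the AdminToken model and returned by _loginResponse). The Yii2 framework classes are real; the namespace, Admin::findByEmail(), validatePassword() and the AdminToken column names are assumptions, since the page does not show them.

```php
<?php
// Added example, not the project's AuthController. Yii2 classes are real;
// the namespace, Admin::findByEmail(), validatePassword() and the
// AdminToken column names are assumptions about the project.
namespace admin\modules\v1\controllers;

use Yii;
use common\models\Admin;       // identity class named on this page
use common\models\AdminToken;  // token model named on this page
use yii\filters\Cors;
use yii\filters\auth\CompositeAuth;
use yii\filters\auth\HttpBasicAuth;
use yii\filters\auth\HttpBearerAuth;
use yii\rest\Controller;
use yii\rest\OptionsAction;

class AuthController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // yii\rest\Controller already registers 'authenticator'. Remove it and
        // re-add it after the CORS filter; otherwise the pre-flight OPTIONS
        // request, which carries no credentials, is rejected with 401 before
        // the CORS headers are ever sent.
        unset($behaviors['authenticator']);

        // Origins come from params, never '*', on an API that accepts an
        // Authorization header.
        $behaviors['corsFilter'] = [
            'class' => Cors::class,
            'cors' => [
                'Origin' => Yii::$app->params['allowedOrigins'],
                'Access-Control-Request-Method' => ['GET', 'POST', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
            ],
        ];

        // Basic Auth is accepted only by the credential-exchange action; every
        // other action must present the bearer token issued at login.
        // CompositeAuth tries each method in order and answers 401 if none
        // succeeds, so an action is protected unless listed in 'except'.
        $behaviors['authenticator'] = [
            'class' => CompositeAuth::class,
            'authMethods' => [
                [
                    'class' => HttpBasicAuth::class,
                    'only' => ['login'],
                    'auth' => function ($username, $password) {
                        $admin = Admin::findByEmail($username); // assumed helper
                        return ($admin !== null && $admin->validatePassword($password))
                            ? $admin : null;
                    },
                ],
                // Resolves the token through Admin::findIdentityByAccessToken().
                ['class' => HttpBearerAuth::class],
            ],
            // The public endpoints this page lists: no credentials required.
            'except' => ['options', 'signup', 'reset-password', 'verify-email',
                         'google', 'auth0'],
        ];

        return $behaviors;
    }

    public function actions()
    {
        // The 'options' route must resolve even though Cors::beforeAction()
        // answers pre-flight requests before any action body runs.
        return ['options' => ['class' => OptionsAction::class]];
    }

    // Exchanges Basic Auth credentials (already verified by the authenticator)
    // for a bearer token. Only a hash of the token is stored, so a read-only
    // database leak does not hand out usable sessions.
    public function actionLogin()
    {
        $admin = Yii::$app->user->identity;
        $token = Yii::$app->security->generateRandomString(64);

        $record = new AdminToken();
        $record->admin_id   = $admin->id;               // assumed column
        $record->token_hash = hash('sha256', $token);   // assumed column
        $record->expires_at = time() + 12 * 3600;       // assumed column
        $record->save(false);

        return $this->_loginResponse($admin, $token);
    }

    private function _loginResponse(Admin $admin, string $token): array
    {
        // The raw token is returned exactly once and is never logged or stored.
        return [
            'token'      => $token,
            'expires_in' => 12 * 3600,
            'user'       => ['id' => $admin->id, 'email' => $admin->email],
        ];
    }
}
```

On the identity side, Admin::findIdentityByAccessToken() (the method HttpBearerAuth ends up calling) would hash the presented token the same way and look up an unexpired AdminToken row by that hash; with that pairing nothing stored in the database can be replayed as a bearer token.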

RESTful API routes are defined in each portal's config/main.php using yii\rest\UrlRule, specifying which endpoints require authentication and which are public. See admin/config/main.php and staff/config/main.php.

Roles/RBAC Matrix#

Roles and permissions are structured using the PermissionSection and PermissionSubSection models. Each section has a UUID and a name, and is related to subsections, forming a hierarchical permission structure. Behaviors are used for automatic UUID generation and timestamping. See common/models/PermissionSection.php.

Role names and permission checks for major actions (e.g., approve transfer, edit candidate, view bank info) are not explicitly documented in the available code. Unknown / Verify: Please review controllers and services for explicit permission checks and role definitions.

Tenant Scoping Rules#

Unknown / Verify. No direct code references found for tenant scoping or company isolation logic (e.g., filtering by company_id in queries or access checks). Please review backend controllers and models for concrete examples of tenant scoping enforcement.

Sensitive Data Handling#

Civil ID, bank details, and uploads are referenced in the codebase, but explicit access controls and audit logging are not documented in the available sources. The candidate portal includes logic for retrieving names by Civil ID and updating email addresses, with some rate limiting and verification steps. See studenthub-candidate/src/app/providers/auth.service.ts.

Audit logging is configured via a Slack logger for various categories (admin, candidate, company, manager, staff, common, console) in common/config/main.php.
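As an added example (not the project's common/config/main.php), the configuration below routes the per-portal log categories listed above into a dedicated audit target and shows the one setting that matters most for sensitive data: by default every Yii2 log target appends $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION and $_SERVER to each entry, which with Basic Auth logins and forms carrying Civil IDs or bank details would copy credentials and personal data into the log. Only core Yii2 targets are used; FileTarget stands in for the Slack logger the page mentions, whose class is not on the page.

```php
<?php
// Added example, not the project's config: audit categories routed to their
// own target with request-context dumping disabled. FileTarget stands in for
// the Slack logger the page mentions.
use yii\log\FileTarget;

return [
    'components' => [
        'log' => [
            'traceLevel' => YII_DEBUG ? 3 : 0,
            'targets' => [
                // Audit trail: the portal categories only, so the who-did-what
                // record stays separate from framework noise.
                [
                    'class' => FileTarget::class,
                    'logFile' => '@runtime/logs/audit.log',
                    'levels' => ['info', 'warning', 'error'],
                    'categories' => ['admin', 'candidate', 'company', 'manager',
                                     'staff', 'common', 'console'],
                    // Empty list: no superglobals are appended, so Basic Auth
                    // credentials and form fields (Civil ID, bank details)
                    // never land in the audit file.
                    'logVars' => [],
                    'exportInterval' => 1,   // write each entry immediately
                ],
                // Application errors: request context is useful for debugging,
                // but the Authorization header and PHP_AUTH_* values are masked.
                // Yii 2.0.16+ masks exactly these three by default; listing
                // them keeps the intent visible in review.
                [
                    'class' => FileTarget::class,
                    'logFile' => '@runtime/logs/app.log',
                    'levels' => ['error', 'warning'],
                    'except' => ['admin', 'candidate', 'company', 'manager',
                                 'staff', 'common', 'console'],
                    'logVars' => ['_GET', '_SERVER'],
                    'maskVars' => ['_SERVER.HTTP_AUTHORIZATION',
                                   '_SERVER.PHP_AUTH_USER', '_SERVER.PHP_AUTH_PW'],
                ],
            ],
        ],
    ],
];
```

Application code writes an audit entry with Yii::info('admin 42 viewed bank details of candidate 17', 'admin'); the second argument is the category that selects the audit target, so an access that is never logged with one of these categories leaves no audit record at all.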

Unknown / Verify: Please review models and controllers for explicit access control and audit trail logic for sensitive data.

Security Configs & Env Vars#

CORS is enforced via corsFilter in controller behaviors, allowing requests from origins specified in Yii::$app->params['allowedOrigins']. See candidate/modules/v1/controllers/AuthController.php.

Cookie validation is disabled in all portals (enableCookieValidation: false). CSRF protection is not explicitly referenced; Unknown / Verify.
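The following is an added example, not any portal's actual config/main.php, that puts the stateless settings this page reports (enableSession: false, enableCookieValidation: false, the common\models\Admin identity class) next to the yii\rest\UrlRule routing described under Backend Enforcement Points and the allowedOrigins parameter used by the CORS filter. The environment variable name ADMIN_ALLOWED_ORIGINS and the route patterns are assumptions.

```php
<?php
// Added example, not a portal's real config. The env var name and the
// route patterns are assumptions; the component settings are the ones
// this page reports.
use yii\rest\UrlRule;
use yii\web\JsonParser;

return [
    'components' => [
        'user' => [
            'identityClass' => 'common\models\Admin',
            'enableSession' => false,   // identity lives only for this request
            'enableAutoLogin' => false, // no remember-me cookie
            'loginUrl' => null,         // unauthenticated calls get an error, not a redirect
        ],
        'request' => [
            'enableCookieValidation' => false, // no cookies are read, so none are signed
            'parsers' => ['application/json' => JsonParser::class],
            // CSRF: yii\rest\Controller sets $enableCsrfValidation = false for
            // its actions, so request-level CSRF tokens do not apply here. What
            // remains is the Authorization: Bearer header itself, which a
            // browser never attaches on its own, so a cross-site form cannot
            // present it. Any action served by a plain yii\web\Controller
            // would still need CSRF validation.
        ],
        'urlManager' => [
            'enablePrettyUrl' => true,
            'enableStrictParsing' => true, // unknown routes 404 instead of falling through
            'showScriptName' => false,
            'rules' => [
                [
                    'class' => UrlRule::class,
                    'controller' => ['v1/auth'],
                    'pluralize' => false,
                    // Explicit verb + path per endpoint; nothing else resolves.
                    'patterns' => [
                        'POST login' => 'login',
                        'POST signup' => 'signup',
                        'POST reset-password' => 'reset-password',
                        'GET verify-email' => 'verify-email',
                        'POST logout' => 'logout',
                        'OPTIONS <endpoint>' => 'options', // CORS pre-flight
                    ],
                ],
            ],
        ],
    ],
    'params' => [
        // Comma-separated origins from the environment (assumed variable name),
        // e.g. "https://admin.example.com", so no deployment ships with '*'.
        'allowedOrigins' => array_values(array_filter(array_map(
            'trim',
            explode(',', getenv('ADMIN_ALLOWED_ORIGINS') ?: '')
        ))),
    ],
];
```

With enableStrictParsing on, a request that matches none of the listed verb/path pairs is rejected by the router before any controller filter runs, which keeps the set of reachable actions identical to the set that the authenticator's 'except' list was written against.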

ReCaptcha enforcement is present but commented out in login and related actions, indicating it may be disabled or optional. See candidate/modules/v1/controllers/AuthController.php and admin/modules/v1/controllers/AuthController.php.

Rate limiting, throttling, and webhook secrets are not documented in the available sources. Unknown / Verify.

Auth/security-related environment variables include:

Other secrets and env vars are not documented. Unknown / Verify.

Common Failure Modes#

Debugging locations: Check AuthController methods for login, token validation, and error handling. Review frontend AuthService for logout and error handling logic.

Unknown / Verify#

  • Company portal authentication flow and token handling.
  • Explicit role definitions, permission checks, and RBAC matrix for major actions.
  • Tenant scoping and company isolation logic (at least three concrete code examples).
  • Sensitive data access controls and audit trail implementation.
  • CSRF, rate limiting, throttling, and webhook secret configuration.
  • Additional secrets and environment variables.
  • Role denied failure mode and debugging locations.

Please review the relevant controllers, models, and configuration files for these areas to complete the documentation.