Skip to content

Can front-desk/keyholder staff see participant allergies where food is served? #714

Description

@thpr

Question (product/access decision — not a bug)

Participant allergies is @sensitivity:personal. Tracing where that lands:

  • Program leaders DO see it. GET /api/programs/[id] includes all Participant scalars, and the security policy grants programLeadMentortheir_program_participants:personal, so a lead running a session sees allergies for every enrolled kid. Correct for the feed-a-kid safety case.
  • Keyholders / front-desk staff do NOT see it. The only participant-bearing routes a keyholder matches (GET /api/directory/board) grant ['member','public'] — no personal band. allergies is personal, so front-desk staff never receive it.

This is fine if food/snacks are only ever served inside supervised programs (leads have allergies there). It's a safety gap if food is served in any context staffed by a keyholder/front-desk role rather than a program lead (open shop hours, drop-in, front-desk snacks).

Ask

Whoever owns front-desk / facility ops: is there any food-serving context where the responsible adult is a keyholder (not a program lead)?

  • No → close; current tiering is correct.
  • Yes → we need to grant the relevant role visibility of allergies (likely a personal-band grant on a keyholder-facing participant/roster route). This is an access-policy change, not a schema-tier change.

Refs

  • checkin-app/prisma/schema.prismaParticipant.allergies @sensitivity:personal
  • checkin-app/src/app/api/programs/[id]/route.ts — includes participant scalars; lead gets their_program_participants:personal
  • checkin-app/src/security/registry.tsGET /api/directory/board keyholder view is ['member','public'] only

Surfaced during a schema-sensitivity audit. Originally flagged as "health data under-tiered vs DoB"; that framing was wrong (the app's tiers are role-oriented access bands, not a severity ladder). The real residual is this possible under-exposure to food-serving staff.

Metadata

Metadata

Assignees

No one assigned

    Labels

    questionFurther information is requested

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions