Implement Permission Checker Service Core Logic
epic-role-based-access-control-state-and-services-task-005 — Build the PermissionCheckerService with synchronous canAccess(route, role) and asynchronous checkPermission(action, context) methods. Define a permission matrix mapping each UserRole to allowed routes, actions (registerActivity, viewContacts, bulkRegister, exportBufdir, attestExpense), and data operations. The service reads the active role from RoleStateManager and evaluates permissions without additional network calls for the synchronous path.
Acceptance Criteria
Technical Requirements
Execution Context
Tier 3 - 413 tasks
Can start after Tier 2 completes
Implementation Notes
Model the matrix as: const Map
The async checkPermission reads activeRole from RoleStateManager using ref.read (not watch) since it is called imperatively. Document each matrix entry with a comment linking to the workshop requirements (e.g., bulkRegister: coordinator and above per NHF/HLF workshop requirement ยง2.4).
Testing Requirements
Unit tests with flutter_test: enumerate all UserRole ร route/action combinations and assert expected bool from canAccess. Test deny-by-default for unknown route strings. Test checkPermission async path with mocked RoleStateManager stream. Verify globalAdmin override returns false even if matrix entry exists.
Test that the permission matrix const is exhaustive โ a test that lists all PermissionAction values and asserts each has an entry for each UserRole. Target 100% coverage of the permission matrix evaluation path.
A coordinator's permissions could be revoked by an admin while they are actively using the app. If the permission checker relies solely on the cached role state from login, the coordinator could continue performing actions they are no longer authorized for until the next login.
Mitigation & Contingency
Mitigation: The Permission Checker Service must re-validate against the Role Repository (not just in-memory state) before high-impact actions. Implement a configurable staleness window (e.g., 15 minutes) after which role data is refreshed from Supabase in the background.
Contingency: If a revoked permission is detected during a pre-action check, immediately clear the cached role state, force a re-resolution from Supabase, and display an inline error explaining the permission change rather than crashing or silently failing.
Using both BLoC and Riverpod in the same state management layer for roles risks state synchronization bugs where one system updates before the other, causing widgets to render with stale role data during the switch transition.
Mitigation & Contingency
Mitigation: Choose a single primary state management approach (Riverpod StateNotifier is recommended) for role state and wrap the BLoC pattern within it if legacy code requires BLoC interfaces. Establish a single source-of-truth provider that all consumers read from.
Contingency: If synchronization bugs appear during integration testing, introduce a RoleStateReady gate widget that delays rendering of role-dependent UI until the state notifier emits a confirmed resolved state, preventing partial renders.
Hardcoded permission constants per role can become a maintenance burden as new features are added across 61 total features, leading to permission definitions that are scattered, stale, or inconsistent.
Mitigation & Contingency
Mitigation: Centralize all role-permission mappings in a single RolePermissions constants file with named action keys. Enforce that no widget or service directly checks role type strings; all checks must go through the Permission Checker Service.
Contingency: If permission definitions drift out of sync, introduce a validation test suite that cross-references all registered permission constants against their usage sites and fails the CI build if an undefined permission key is referenced.