Merge pull request #23 from StreetSupport/feature/implement-removing-organisations

Implement removing organisations

Author: o-seliuchenko

docs/PERMISSIONS.md

@@ -34,11 +34,18 @@ Both Admin (NextAuth) and API (Express middleware) validate these claims for acc
 | Role | Description | Access Level |
 |------|-------------|--------------|
 | `SuperAdmin` | Full platform access | All pages, all API endpoints |
+| `SuperAdminPlus` | SuperAdmin with extended privileges | All SuperAdmin access + organisation deletion |
 | `CityAdmin` | Location-specific administrator | Pages/APIs for assigned locations |
 | `VolunteerAdmin` | Volunteer management | Organisation management, content creation |
 | `OrgAdmin` | Organisation-specific administrator | Own organisation only |
 | `SwepAdmin` | SWEP banner management | SWEP banners for assigned locations |
 
+### Special Notes on SuperAdminPlus
+
+- **Cannot be created through UI**: This role must be manually assigned in MongoDB and Auth0
+- **Organisation Deletion**: Only SuperAdminPlus can delete organisations and their related data
+- **Cannot be removed through UI**: The role removal is disabled in the Edit User modal
+
 ### Role Prefixes (Specific Claims)
 
 | Prefix | Format | Example |
@@ -50,6 +57,8 @@ Both Admin (NextAuth) and API (Express middleware) validate these claims for acc
 ### Role Hierarchy
 
 ```
+SuperAdminPlus (SuperAdmin + organisation deletion)
+    ↓
 SuperAdmin
     ↓ (Full access)
 VolunteerAdmin
@@ -64,16 +73,27 @@ OrgAdmin + AdminFor:*
 
 ### Page Access by Role
 
-| Page | SuperAdmin | CityAdmin | VolunteerAdmin | OrgAdmin | SwepAdmin |
-|------|------------|-----------|----------------|----------|-----------|
-| `/cities` | ✅ | ✅ | ✅ | ❌ | ❌ |
-| `/organisations` | ✅ | ✅ | ✅ | ✅ | ❌ |
-| `/users` | ✅ | ✅ | ❌ | ❌ | ❌ |
-| `/banners` | ✅ | ✅ | ✅ | ❌ | ❌ |
-| `/swep-banners` | ✅ | ✅ | ✅ | ❌ | ✅ |
-| `/advice` | ✅ | ✅ | ✅ | ❌ | ❌ |
-| `/location-logos` | ✅ | ✅ | ✅ | ❌ | ❌ |
-| `/resources` | ✅ | ❌ | ✅ | ❌ | ❌ |
+| Page | SuperAdmin | SuperAdminPlus | CityAdmin | VolunteerAdmin | OrgAdmin | SwepAdmin |
+|------|------------|----------------|-----------|----------------|----------|-----------|
+| `/cities` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| `/organisations` | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
+| `/users` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
+| `/banners` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| `/swep-banners` | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
+| `/advice` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| `/location-logos` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
+| `/resources` | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
+
+### Organisation Actions by Role
+
+| Action | SuperAdmin | SuperAdminPlus | CityAdmin | VolunteerAdmin | OrgAdmin |
+|--------|------------|----------------|-----------|----------------|----------|
+| View | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Create | ✅ | ✅ | ✅ | ✅ | ❌ |
+| Edit | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Publish/Disable | ✅ | ✅ | ✅ | ✅ | ❌ |
+| Verify | ✅ | ✅ | ✅ | ✅ | ❌ |
+| **Delete** | ❌ | ✅ | ❌ | ❌ | ❌ |
 
 ---
 
@@ -156,14 +176,15 @@ The API validates role assignments based on the creator's permissions:
 ```typescript
 // authMiddleware.ts - requireUserCreationAccess
 // SuperAdmin can assign any role
-if (userAuthClaims.includes(ROLES.SUPER_ADMIN)) {
+if (userAuthClaims.includes(ROLES.SUPER_ADMIN) || userAuthClaims.includes(ROLES.SUPER_ADMIN_PLUS)) {
   return next();
 }
 
 // CityAdmin cannot assign SuperAdmin or VolunteerAdmin
 if (userAuthClaims.includes(ROLES.CITY_ADMIN)) {
   if (newUserClaims.includes(ROLES.SUPER_ADMIN) || 
-      newUserClaims.includes(ROLES.VOLUNTEER_ADMIN)) {
+      newUserClaims.includes(ROLES.VOLUNTEER_ADMIN) ||
+      newUserClaims.includes(ROLES.VOLUNTEER_ADMIN_PLUS)) {
     return sendForbidden(res, 'CityAdmin cannot assign SuperAdmin or VolunteerAdmin roles');
   }
 }
@@ -292,7 +313,7 @@ Using the `useAuthorization` hook:
 // Example: Banners page
 export default function BannersPage() {
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/banners',
     autoRedirect: true
   });
@@ -321,7 +342,7 @@ export function hasApiAccess(
   method: HttpMethod
 ): boolean {
   // SuperAdmin has access to everything
-  if (userAuthClaims.roles.includes(ROLES.SUPER_ADMIN)) {
+  if (userAuthClaims.roles.includes(ROLES.SUPER_ADMIN) || userAuthClaims.roles.includes(ROLES.SUPER_ADMIN_PLUS)) {
     return true;
   }
 
@@ -346,10 +367,26 @@ export function hasApiAccess(
 ```typescript
 // src/types/auth.ts
 export const ROLE_PERMISSIONS: Record<UserRole, RolePermissions> = {
-  [ROLES.SUPER_ADMIN]: {
+  [ROLES.SUPER_ADMIN_PLUS]: {
     pages: ['*'],
     apiEndpoints: [{ path: '*', methods: ['*'] }]
   },
+  [ROLES.SUPER_ADMIN]: {
+    pages: ['*'],
+    apiEndpoints: [
+      { path: '/api/cities', methods: ['*'] },
+      { path: '/api/organisations', methods: [HTTP_METHODS.GET, HTTP_METHODS.POST, HTTP_METHODS.PUT, HTTP_METHODS.PATCH] },
+      { path: '/api/services', methods: ['*'] },
+      { path: '/api/accommodations', methods: ['*'] },
+      { path: '/api/faqs', methods: ['*'] },
+      { path: '/api/banners', methods: ['*'] },
+      { path: '/api/location-logos', methods: ['*'] },
+      { path: '/api/swep-banners', methods: ['*'] },
+      { path: '/api/resources', methods: ['*'] },
+      { path: '/api/users', methods: ['*'] },
+      { path: '/api/service-categories', methods: ['*'] },
+    ]
+  },
   [ROLES.CITY_ADMIN]: {
     pages: ['/cities', '/organisations', '/advice', '/banners', '/location-logos', '/swep-banners', '/users'],
     apiEndpoints: [

src/app/advice/[id]/edit/page.tsx

@@ -33,14 +33,14 @@ export default function AdviceEditPage() {
 
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/advice',
     autoRedirect: true
   });
 
   const { data: session } = useSession();
   const userRoles = session?.user?.authClaims?.roles || [];
-  const canAccessGeneralAdvice = userRoles.includes(ROLES.SUPER_ADMIN) || userRoles.includes(ROLES.VOLUNTEER_ADMIN);
+  const canAccessGeneralAdvice = userRoles.includes(ROLES.SUPER_ADMIN) || userRoles.includes(ROLES.SUPER_ADMIN_PLUS) || userRoles.includes(ROLES.VOLUNTEER_ADMIN);
 
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);

src/app/advice/[id]/page.tsx

@@ -24,7 +24,7 @@ export default function AdviceViewPage() {
 
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/advice',
     autoRedirect: true
   });

src/app/advice/new/page.tsx

@@ -28,14 +28,14 @@ export default function NewAdvicePage() {
 
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN, ROLES.SWEP_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN, ROLES.SWEP_ADMIN],
     requiredPage: '/advice',
     autoRedirect: true
   });
 
   const { data: session } = useSession();
   const userRoles = session?.user?.authClaims?.roles || [];
-  const canAccessGeneralAdvice = userRoles.includes(ROLES.SUPER_ADMIN) || userRoles.includes(ROLES.VOLUNTEER_ADMIN);
+  const canAccessGeneralAdvice = userRoles.includes(ROLES.SUPER_ADMIN) || userRoles.includes(ROLES.SUPER_ADMIN_PLUS) || userRoles.includes(ROLES.VOLUNTEER_ADMIN);
 
   const [saving, setSaving] = useState(false);
   const [validationErrors, setValidationErrors] = useState<ValidationError[]>([]);

src/app/advice/page.tsx

@@ -11,7 +11,7 @@ import AdviceManagement from '@/components/advice/AdviceManagement';
 export default function AdvicePage() {
   // Check authorization FIRST before any other logic
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/advice',
     autoRedirect: true
   });

src/app/api/organisations/[id]/route.ts

@@ -3,6 +3,7 @@ import { NextRequest } from 'next/server';
 import { withAuth, AuthenticatedApiHandler } from '@/lib/withAuth';
 import { hasApiAccess } from '@/lib/userService';
 import { sendForbidden, sendInternalError, proxyResponse, sendError } from '@/utils/apiResponses';
+import { ROLES } from '@/constants/roles';
 
 const API_BASE_URL = process.env.API_BASE_URL;
 
@@ -96,6 +97,38 @@ const patchHandler: AuthenticatedApiHandler = async (req: NextRequest, context,
   }
 };
 
+const deleteHandler: AuthenticatedApiHandler = async (req: NextRequest, context, auth) => {
+  try {
+    // Only SuperAdminPlus can delete organisations
+    const userRoles = auth.session.user.authClaims.roles;
+    if (!userRoles.includes(ROLES.SUPER_ADMIN_PLUS)) {
+      return sendForbidden('Only SuperAdminPlus role can delete organisations');
+    }
+
+    const { id } = context.params;
+
+    const response = await fetch(`${API_BASE_URL}/api/organisations/${id}`, {
+      method: HTTP_METHODS.DELETE,
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${auth.accessToken}`,
+      },
+    });
+
+    const data = await response.json();
+
+    if (!response.ok) {
+      return sendError(response.status, data.error || 'Failed to delete organisation');
+    }
+
+    return proxyResponse(data);
+  } catch (error) {
+    console.error('Error deleting organisation:', error);
+    return sendInternalError();
+  }
+};
+
 export const GET = withAuth(getHandler);
 export const PUT = withAuth(putHandler);
 export const PATCH = withAuth(patchHandler);
+export const DELETE = withAuth(deleteHandler);

src/app/banners/[id]/edit/page.tsx

@@ -70,7 +70,7 @@ function transformBannerToFormData(banner: IBanner): IBannerFormData {
 export default function EditBannerPage() {
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/banners',
     autoRedirect: true
   });

src/app/banners/[id]/page.tsx

@@ -20,7 +20,7 @@ import { LoadingSpinner } from '@/components/ui/LoadingSpinner';
 export default function BannerViewPage() {
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/banners',
     autoRedirect: true
   });

src/app/banners/new/page.tsx

@@ -17,7 +17,7 @@ import { PageHeader } from '@/components/ui/PageHeader';
 export default function NewBannerPage() {
   // Check authorization FIRST before any other logic
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/banners',
     autoRedirect: true
   });

src/app/banners/page.tsx

@@ -25,7 +25,7 @@ import { ResultsSummary } from '@/components/ui/ResultsSummary';
 export default function BannersListPage() {
   // Check authorization FIRST
   const { isChecking, isAuthorized } = useAuthorization({
-    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
+    allowedRoles: [ROLES.SUPER_ADMIN, ROLES.SUPER_ADMIN_PLUS, ROLES.CITY_ADMIN, ROLES.VOLUNTEER_ADMIN],
     requiredPage: '/banners',
     autoRedirect: true
   });