Add “Care Team” sharing & permissions #23

@hoangsonww

Description:
Enable users to securely share their SymptomSync data (medication schedules, appointments, health logs) with trusted caregivers or family members (“Care Team”). Invitees should have configurable view-only or edit permissions and see real-time updates. This will help patients collaborate with doctors, nurses, or loved ones to better manage their health.

Acceptance Criteria:

  1. Invite Flow:
    • User can open a “Care Team” panel from Settings and send email invites to one or more caregivers.
    • Invites include a secure, time-limited signup link.
  2. Permissions Model:
    • Two permission levels: View-only (read data) and Editor (add/edit logs, reminders, appointments).
    • Owner can upgrade/downgrade or revoke access at any time.
  3. UI & Dashboard:
    • Care Team members see a filtered dashboard showing only the patient’s data they have access to.
    • Patient sees a list of current Care Team members with their permission level.
  4. Real-Time Sync:
    • Any changes by patient or Editor-level caregivers sync in real time across all devices (via Supabase Realtime).
  5. Security & Privacy:
    • All shared data respects existing RLS policies—caregivers cannot access unrelated users’ data.
    • Audit log in database (timestamp, actor, action) for all create/update/delete by Care Team.
  6. Notifications:
    • Email alert to caregivers when invited, permission changed, or revoked.
    • In-app notification for patient when a caregiver makes edits.

Tasks:

  • Define new care_team table in Supabase with columns id, patient_id, user_id, permission_level, status, created_at.
  • Create invitation API endpoints:
    • POST /api/care-team/invite
    • GET /api/care-team/pending
    • POST /api/care-team/accept/:token
    • PATCH /api/care-team/:id (update/revoke)
  • Build frontend Care Team management UI under Settings: invite form, member list with permission controls.
  • Generate secure JWT-based invite tokens (expires in 7 days).
  • Implement RLS policies for care_team and resource tables to enforce view/edit permissions.
  • Wire up Supabase Realtime subscriptions so both patient and editors see live updates.
  • Send transactional emails via existing Supabase Functions when invites sent/accepted/revoked.
  • Add audit-log triggers in Postgres for all care_team-related actions.
  • Write Jest & Playwright tests covering invite flow, permission enforcement, and real-time sync.
  • Update Swagger docs with new care-team endpoints and examples.
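One way the schema, RLS and audit-trigger tasks above could fit together, written as an added example rather than the project's own migration. It keeps the care_team columns named in the Tasks list and uses Supabase's auth.uid() helper; the enum values (view/edit, pending/active/revoked), the has_care_access() helper, the care_team_audit table and the health_logs resource table are assumptions introduced here for illustration.

```sql
-- Added example, not SymptomSync's migration. Assumed: Supabase's auth.uid(),
-- a placeholder resource table health_logs, and the enum/helper names below.
create type care_permission as enum ('view', 'edit');
create type care_status as enum ('pending', 'active', 'revoked');

-- Task: care_team table with id, patient_id, user_id, permission_level, status, created_at.
create table care_team (
  id               uuid primary key default gen_random_uuid(),
  patient_id       uuid not null references auth.users(id) on delete cascade,
  user_id          uuid references auth.users(id) on delete cascade, -- null until the invite is accepted
  permission_level care_permission not null default 'view',
  status           care_status not null default 'pending',
  created_at       timestamptz not null default now(),
  unique (patient_id, user_id)
);
alter table care_team enable row level security;

-- The patient (owner) manages their own care team rows: invite, upgrade/downgrade, revoke.
create policy care_team_owner_all on care_team
  for all using (patient_id = auth.uid()) with check (patient_id = auth.uid());

-- A caregiver can see the rows that grant them access, but never change them.
create policy care_team_member_select on care_team
  for select using (user_id = auth.uid());

-- Does the caller hold at least p_level on this patient's data? Only active
-- memberships count, so a revoked or still-pending invite grants nothing.
-- security definer lets it read care_team without being blocked by the policies above.
create or replace function has_care_access(p_patient uuid, p_level care_permission)
returns boolean language sql stable security definer set search_path = public, pg_temp as $$
  select exists (
    select 1 from care_team
    where patient_id = p_patient
      and user_id = auth.uid()
      and status = 'active'
      and (p_level = 'view' or permission_level = 'edit')
  );
$$;

-- Placeholder resource table; real medication/appointment tables would get the same policies.
create table health_logs (
  id         uuid primary key default gen_random_uuid(),
  patient_id uuid not null references auth.users(id) on delete cascade,
  note       text,
  created_at timestamptz not null default now()
);
alter table health_logs enable row level security;

create policy health_logs_owner on health_logs
  for all using (patient_id = auth.uid()) with check (patient_id = auth.uid());
-- View-only caregivers: select only.
create policy health_logs_viewer on health_logs
  for select using (has_care_access(patient_id, 'view'));
-- Editors: add/edit/delete, but only rows belonging to a patient who granted 'edit'.
create policy health_logs_editor_insert on health_logs
  for insert with check (has_care_access(patient_id, 'edit'));
create policy health_logs_editor_update on health_logs
  for update using (has_care_access(patient_id, 'edit'))
  with check (has_care_access(patient_id, 'edit'));
create policy health_logs_editor_delete on health_logs
  for delete using (has_care_access(patient_id, 'edit'));

-- Audit log (timestamp, actor, action) for every create/update/delete; readable by the patient only.
create table care_team_audit (
  id         bigserial primary key,
  at         timestamptz not null default now(),
  actor      uuid,
  action     text not null,
  table_name text not null,
  row_id     uuid,
  patient_id uuid
);
alter table care_team_audit enable row level security;
create policy audit_owner_select on care_team_audit
  for select using (patient_id = auth.uid());

create or replace function log_care_team_action() returns trigger
language plpgsql security definer set search_path = public, pg_temp as $$
declare
  r record;
begin
  -- NEW is null on DELETE and OLD is null on INSERT; pick whichever row exists.
  if tg_op = 'DELETE' then r := old; else r := new; end if;
  insert into care_team_audit (actor, action, table_name, row_id, patient_id)
  values (auth.uid(), tg_op, tg_table_name, r.id, r.patient_id);
  return r;
end;
$$;

create trigger care_team_audit_trg after insert or update or delete on care_team
  for each row execute function log_care_team_action();
create trigger health_logs_audit_trg after insert or update or delete on health_logs
  for each row execute function log_care_team_action();
```

Because every resource policy goes through has_care_access(), a revoke is a single UPDATE of care_team.status and takes effect on the caregiver's next query; the audit trigger records that revoke as well as the caregiver's own edits. The audit function is security definer so a caregiver cannot suppress the log by lacking insert rights on care_team_audit.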

Estimated Effort: ~3–4 sprints

Labels

  • documentation: Improvements or additions to documentation
  • enhancement: New feature or request
  • good first issue: Good for newcomers
  • help wanted: Extra attention is needed

Status: Backlog
