40227-vm/backend/docs/staff-awards-reviews.md

3.8 KiB

Staff Awards Reviews Backend

Purpose

staff_awards_reviews stores Awards Earned & Reviews page records for campus staff. It is a dedicated table instead of user_progress because the workflow is not self-only: staff can maintain their own records, and users with MANAGE_AWARDS_REVIEWS can list scoped staff and create, update, or delete records for those staff users.

Slice Files

  • Route: src/routes/staff_awards_reviews.ts (GET /staff, GET /, POST /, PUT /:id, DELETE /:id).
  • Controller: src/api/controllers/staff_awards_reviews.controller.ts.
  • Service: src/services/staff_awards_reviews.ts.
  • Model: src/db/models/staff_awards_reviews.ts.
  • Migration: src/db/migrations/20260626110000-staff-support-content.ts.
  • Seeder: src/db/seeders/20260613060000-staff-awards-reviews.ts.

API

Mounted at /api/staff_awards_reviews behind JWT authentication and active-scope resolution.

  • GET /staff lists staff visible in the current scope. Requires READ_AWARDS_REVIEWS and MANAGE_AWARDS_REVIEWS.
  • GET /?staffUserId=<id> lists records for the selected staff user when the caller can manage, otherwise it lists the current user's records.
  • POST / creates a record. Staff users create for themselves; managers may pass staffUserId.
  • PUT /:id updates a record in scope.
  • DELETE /:id soft-deletes a record in scope.

Access Rules

  • Page read requires READ_AWARDS_REVIEWS.
  • Staff list and cross-staff mutation require MANAGE_AWARDS_REVIEWS.
  • Scope is derived from the current effective role scope, including drill-down active scope:
    • organization scope sees organization staff;
    • school scope sees school and descendant campus/class staff;
    • campus and class scopes see the resolved campus staff;
    • non-managers are restricted to their own staffUserId.
  • Staff classification for the staff picker is based on first-class role names (director, office_manager, teacher, support_staff) as data classification, not as a feature-access fallback.

Seeded role permissions:

  • Read: system_admin, owner, superintendent, principal, director, office_manager, teacher, and support_staff.
  • Manage: system_admin, owner, superintendent, principal, director, and office_manager.
  • registrar is intentionally excluded from this staff-support surface even though it has other school-level audit reads.

Data Contract

Columns:

  • title, record_type (award or review), year_label, notes;
  • optional attachment metadata: file_name, file_url, file_is_image;
  • tenant/scope columns: organizationId, schoolId, campusId, staffUserId;
  • audit columns: createdById, updatedById, timestamps, deletedAt.

Attachments are uploaded through POST /api/file/upload/staff-awards-reviews/attachments; the awards/reviews row stores the returned private URL.

Seeded Defaults

The demo and rival seed tenants each receive Awards Earned & Reviews rows for their seeded teacher and support staff users. Each seeded staff user receives:

  • Teacher of the Year (award, 2025-2026);
  • Annual Director Review (review, 2025-2026);
  • Perfect Attendance Award (award, 2024-2025).

The seeder uses stable UUIDs and skips rows that already exist, so reseeding is idempotent and does not overwrite user-created records.

Tests

  • src/services/staff_awards_reviews.test.ts covers self-service reads, management-only staff lists, school/campus scope filtering, and manager-created record tenant/campus ownership.
  • src/db/seeders/user-roles.test.ts covers the seeded read/manage permission matrix, including registrar exclusion.
  • Frontend API route construction is covered by frontend/src/shared/api/staffAwardsReviews.test.ts.
  • Content pages backed by content_catalog: autism-support-steps, para-certifications.
  • Frontend: frontend/docs/staff-support-pages.md.