Overview

Trazea implements a secure user management system with an approval workflow to ensure only authorized personnel can access the platform. Every new user must be approved by an administrator before gaining full access to the system.

User Registration Flow

The registration process follows these steps:

1. User Signs Up
   New users register through Supabase authentication, creating an account with their email and password.

2. User Record Created
   Upon successful authentication, a user record is created in the usuarios table with:
     • id_usuario: Linked to the Supabase auth user ID
     • email: User's email address
     • nombre: User's full name
     • activo: Set to true by default
     • aprobado: Set to false initially (requires admin approval)
     • id_rol: Assigned role ID

3. Admin Approval Required
   The user cannot access the system until an administrator sets aprobado = true.

4. Session Data Loaded
   Once approved, the system loads full session data including role and permissions.

User Approval Workflow

Critical Security Feature: The aprobado field acts as a security gate. Users with aprobado = false are blocked from accessing the system even if they have valid credentials.

Implementation Details

The approval system is implemented in the user store:
src/entities/user/model/useUserStore.ts:163-166
isUserApproved: () => {
  const state = get();
  return state.sessionData?.user.aprobado === true;
},

Session Data Structure

When a user logs in, their session data is fetched from the database:
src/shared/api/fetchUserSessionData.ts:31-41
return {
  user: {
    id: supabaseUser.id,
    email: supabaseUser.email!,
    nombre: user.nombre,
    activo: user.activo,
    aprobado: user.aprobado,
    role: rol!
  },
  locations: locations
};

Checking User Status

The system provides helper methods to check user status:
const { isUserApproved, isUserActive } = useUserStore();

if (!isUserApproved()) {
  // Redirect to pending approval page
  navigate('/pending-approval');
}

if (!isUserActive()) {
  // User account is deactivated
  navigate('/account-inactive');
}

Role Assignment

Each user is assigned a role that determines their permissions throughout the system.

Available Roles

src/entities/user/model/types.ts:6-10
export enum ROLES {
  ADMIN = 'admin',
  TECNICO = 'tecnico',
  SUPERVISOR = 'superuser',
}

Admin

Full system access including user management, location setup, and system configuration.

Técnico

Technical staff with access to inventory, spare parts, and service operations.

Supervisor

Enhanced permissions for oversight and approval workflows.

Role Structure

Roles are stored in the roles table with this structure:
src/entities/user/model/useUserStore.ts:62-67
interface Role {
  id_rol: string;
  nombre: string;
  descripcion: string;
  permissions: AppPermissions;
}

Assigning Roles

Only administrators with the users_and_access.edit_user_roles permission can assign or modify user roles.
To assign a role to a user:
  1. Update the id_rol field in the usuarios table
  2. The permissions JSON from the role will be automatically loaded on next login
  3. User must log out and log back in for role changes to take effect

User Data Structure

src/entities/user/model/useUserStore.ts:69-77
interface UserData {
  id: string;
  email: string;
  nombre?: string;
  activo: boolean;
  aprobado: boolean;
  role: Role;
  locations?: UserLocation[];
}

Database Tables

usuarios Table

Stores core user information:

Field        Type     Description
id_usuario   uuid     Primary key, linked to Supabase auth
email        text     User's email address
nombre       text     User's full name
activo       boolean  Whether the user account is active
aprobado     boolean  Admin approval status
id_rol       uuid     Foreign key to the roles table

roles Table

Stores role definitions and permissions:

Field        Type     Description
id_rol       uuid     Primary key
nombre       text     Role name (admin, tecnico, superuser)
descripcion  text     Role description
permissions  jsonb    Permissions object (see Permissions & Roles)

Best Practices

  • Always verify both aprobado and activo status before granting access
  • Use the built-in helper methods isUserApproved() and isUserActive()
  • Never bypass the approval workflow for production environments
  • Implement additional checks at the route level for sensitive pages
  • Create a pending approval page to inform users their account is under review
  • Send email notifications to admins when new users register
  • Provide clear feedback to users about their approval status
  • Set up proper role defaults for new users
  • Document your permission structure clearly
  • Test role changes in a development environment first
  • Keep a backup of role configurations
  • Use descriptive role names and descriptions
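The route-level check recommended above, combining the activo and aprobado gates from Checking User Status with a deny-by-default permission lookup, as an added example that is not Trazea's own code. The nested shape of AppPermissions (group -> action -> boolean), the /login and /forbidden paths, and the resolveRedirect helper are assumptions.

```typescript
// Added example, not Trazea's own code. AppPermissions' shape and the
// /login and /forbidden routes are assumptions.
type AppPermissions = Record<string, Record<string, boolean>>;

interface Role {
  id_rol: string;
  nombre: string;
  descripcion: string;
  permissions: AppPermissions;
}

interface UserData {
  id: string;
  email: string;
  nombre?: string;
  activo: boolean;
  aprobado: boolean;
  role: Role;
}

interface SessionData {
  user: UserData;
}

// Decide where the router must send the caller before rendering a page.
// Returns the redirect path, or null when access is allowed.
function resolveRedirect(session: SessionData | null, requiredPermission?: string): string | null {
  if (!session) return '/login';
  const { user } = session;
  // Deactivation is checked first: a deactivated account must never reach
  // the pending-approval page and look as if it is waiting on an admin.
  if (user.activo !== true) return '/account-inactive';
  // Same strict check as isUserApproved(): anything but literal true blocks.
  if (user.aprobado !== true) return '/pending-approval';
  if (requiredPermission !== undefined) {
    const [group = '', action = ''] = requiredPermission.split('.');
    // Deny by default: a missing group or key in the role's JSON is not a grant.
    if (user.role.permissions[group]?.[action] !== true) return '/forbidden';
  }
  return null;
}

// Constructed sample data (not real Trazea records).
const adminRole: Role = {
  id_rol: 'role-admin', nombre: 'admin', descripcion: 'Administrator',
  permissions: { users_and_access: { edit_user_roles: true } },
};
const tecnicoRole: Role = {
  id_rol: 'role-tecnico', nombre: 'tecnico', descripcion: 'Technical staff',
  permissions: { users_and_access: { edit_user_roles: false } },
};
function sampleSession(overrides: Partial<UserData>): SessionData {
  return { user: { id: 'u1', email: 'u@example.com', activo: true, aprobado: true, role: tecnicoRole, ...overrides } };
}
```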
