MOP 1.3 — Cross-Phase Data Privacy & Isolation

Audience: super_admin, security & compliance

Outcome: Phase admins of a multi-phase society see ONLY their own phase's residents, events, vendors and event-forms. Super admin still has a federation-level view.

1. The two scopes

Admin record has…                          | What they see
society_id = null (super_admin / admin)    | Everything
society_id = X, child_society_id = null    | All data of society X (parent-wide admin)
society_id = X, child_society_id = Y       | Only data tagged society_id=X AND child_society_id=Y

The rule is implemented by the helper get_phase_filter(admin_doc) in /app/backend/server.py (~line 22371) and applied in every list endpoint that surfaces society-scoped collections.

2. Endpoints that honour phase isolation

  • GET /api/admin/users — residents, vendors interested in this society
  • GET /api/admin/events — phase-tagged events only
  • GET /api/admin/event-forms — Step-5 Approval queue scoped per phase
  • GET /api/admin/events/{id}/committee/available-members — strictly same-society and same-phase committees only (see MOP 2.3)

Add new endpoints to the list by calling get_phase_filter(admin) and merging the returned dict into your Mongo find() filter.
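The scope table from section 1 and the merge step above, as an added sketch that is not the project's own code: phase_filter_for and scoped_query are hypothetical names, the real get_phase_filter in server.py may differ, and the fail-closed branch for an inconsistent mapping is an assumption. It combines the scope with request-derived criteria through $and, so a caller-supplied society_id or child_society_id cannot replace the scope.

```python
from typing import Any, Dict, Optional


def phase_filter_for(admin_doc: Dict[str, Any]) -> Dict[str, Any]:
    """Sketch of the scope table in section 1 (not the real get_phase_filter)."""
    society_id: Optional[str] = admin_doc.get("society_id")
    child_id: Optional[str] = admin_doc.get("child_society_id")
    if society_id is None:
        if child_id is not None:
            # Assumption: a phase without a society is a corrupt mapping; fail closed.
            raise ValueError("child_society_id set without society_id")
        return {}  # super_admin / admin: federation-level view
    if child_id is None:
        # Parent-wide admin. Do NOT add child_society_id: None here: in Mongo
        # that matches only null/missing values and would hide phase-tagged docs.
        return {"society_id": society_id}
    return {"society_id": society_id, "child_society_id": child_id}


def scoped_query(admin_doc: Dict[str, Any], caller_filter: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the scope with request-derived criteria using $and.

    A plain dict merge lets whichever side is applied last win, so a
    caller-supplied society_id or child_society_id could replace the scope.
    """
    scope = phase_filter_for(admin_doc)
    if not scope:
        return dict(caller_filter)
    if not caller_filter:
        return scope
    return {"$and": [scope, dict(caller_filter)]}


if __name__ == "__main__":
    # Constructed sample admin record and request filter.
    phase_admin = {"society_id": "X", "child_society_id": "Y"}
    print(scoped_query(phase_admin, {"child_society_id": "Z", "status": "pending"}))
```

Pass the returned dict straight to find(); a request that asks for phase Z while the admin is bound to phase Y matches nothing, because both conditions must hold.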

3. Tagging documents with a phase

When a society admin creates an event, resident or coaching slot, the backend automatically writes society_id = admin.society_id and, when the admin is phase-bound, child_society_id = admin.child_society_id. Existing super-admin-created data may not have child_society_id — run the production migration script (scripts/prod_migration_2026_02.py) to backfill null for missing keys (idempotent, safe to re-run).

4. Snapshot — Manage Subscription gated for society admins

[Screenshot: Society admin user actions]

The Manage Subscription button is hidden for society_admin / child_admin because subscription billing is a global concern.

5. Data model

admins.child_society_id      : Optional[str]  # FK → society_children.id
users.child_society_id       : Optional[str]
events.child_society_id      : Optional[str]
event_forms.child_society_id : Optional[str]  # inherited from event

6. Edge cases & FAQ

  • A phase admin needs to see another phase temporarily → super admin edits the mapping (set child_society_id = null for parent-wide access).
  • Mobile app users are NOT phase-scoped — phase isolation is a back-office concept only. Residents see content from their own society, not their phase.
  • Audit — every society_admin_mapping change is logged in admin_logs.

Related MOPs

  • MOP 1.2 — Admin Provisioning
  • MOP 2.3 — Committee Formation (phase-scoped)
  • MOP 3.1 — Event Lifecycle