Description
Currently, only an authenticated super_admin user can add and modify billing information. This is not best practice: sensitive financial data should be managed only by authorized personnel, in accordance with the principle of least privilege (PoLP). This issue proposes restricting the ability to add and modify billing information to users who meet specific role-based access control (RBAC) requirements.
Related Issue
Additional Allowed Roles:
- Organization Owners
- Users with the "Billing" Role

API Endpoints to Restrict:
- Add Billing Plans: [POST] /api/v1/organisations/billing-plans
- Modify Billing Plans: [PATCH] /api/v1/organisations/billing-plans/{billing_plan_id}
- Delete Billing Plans: [DELETE] /api/v1/organisations/billing-plans/{billing_plan_id}
Behavioral Requirements
✅ When an authorized user (Super Admin, Organization Owner, or Billing role) attempts to add or modify billing information:
- The system should process the request and return a 200 OK response.
✅ When an unauthorized user attempts to add or modify billing information:
- The system should return a 403 Forbidden response with an appropriate error message.
1. Add Billing Information
[POST] /api/v1/organisations/billing-plans
✅ Request Body:
```json
{
  "name": "Premium Plan",
  "description": "A subscription plan with advanced features",
  "price": 100,
  "duration": "monthly",
  "currency": "USD",
  "organisation_id": "org_12345",
  "features": [
    "Unlimited Storage",
    "Priority Support",
    "Custom Branding"
  ]
}
```
✅ Successful Response (Authorized User):
```json
{
  "status": "success",
  "status_code": 200,
  "message": "Plans created successfully",
  "data": {
    "plan_name": "Premium Plan",
    "amount": 100
  }
}
```
✅ Error Response (Unauthorized User):
```json
{
  "message": "You do not have permission to add billing plans",
  "statusCode": 403
}
```
2. Modify Billing Plans
[PATCH] /api/v1/organisations/billing-plans/{billing_plan_id}
✅ Request Body:
```json
{
  "name": "Premium Plan",
  "description": "A subscription plan with advanced features",
  "price": 1200,
  "duration": "monthly",
  "currency": "USD",
  "organisation_id": "string",
  "features": [
    "string"
  ]
}
```
✅ Successful Response (Authorized User):
```json
{
  "status": "success",
  "status_code": 200,
  "message": "Plan updated successfully",
  "data": {
    "plan_name": "Premium Plan",
    "amount": 100
  }
}
```
✅ Error Response (Unauthorized User):
```json
{
  "message": "You do not have permission to modify billing information",
  "statusCode": 403
}
```
3. Delete Billing Plans
[DELETE] /api/v1/organisations/billing-plans/{billing_plan_id}
✅ Request Body:
```json
{
  "billing_plan_id": "string"
}
```
✅ Successful Response (Authorized User):
```json
{
  "status_code": 200,
  "message": "Plan Deleted successfully",
  "data": {
    "billing_plan_id": "string"
  }
}
```
✅ Error Response (Unauthorized User):
```json
{
  "message": "You do not have permission to delete billing information",
  "statusCode": 403
}
```
Requirements for the Billing Access Restriction
✅ Refactor role-based access control (RBAC) to restrict modifications to the allowed roles.
✅ Ensure detailed error handling for unauthorized access attempts.
✅ Ensure logging for audit trails of billing modifications.
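An added sketch of the check these three requirements describe (RBAC enforcement, the 403 error shape, and an audit record); this is example code, not the project's own, and the role names, the `User` shape and the `handler` callback are assumptions. The owner/billing roles are deliberately scoped to the target organisation so a Billing user in one organisation cannot manage another organisation's plans.

```python
import logging
from dataclasses import dataclass, field

# Assumed role names for the issue's "Organization Owner" and "Billing" roles.
BILLING_ROLES = {"owner", "billing"}

# Error messages as specified in the issue, keyed by action.
DENIED_MESSAGES = {
    "add": "You do not have permission to add billing plans",
    "modify": "You do not have permission to modify billing information",
    "delete": "You do not have permission to delete billing information",
}

audit_log = logging.getLogger("billing.audit")


@dataclass
class User:
    id: str
    is_super_admin: bool = False
    # Assumed shape: organisation_id -> role held in that organisation.
    org_roles: dict = field(default_factory=dict)


def can_manage_billing(user: User, organisation_id: str) -> bool:
    """Super admins are global; owner/billing roles only count inside the target org."""
    if user.is_super_admin:
        return True
    return user.org_roles.get(organisation_id) in BILLING_ROLES


def billing_action(user: User, organisation_id: str, action: str, handler) -> dict:
    """Enforce RBAC, write an audit record, and run `handler` only if allowed.

    For modify/delete, organisation_id should come from the stored plan being
    targeted, not from the caller-supplied body (assumed caller responsibility).
    """
    allowed = can_manage_billing(user, organisation_id)
    audit_log.info("billing %s by user=%s org=%s allowed=%s",
                   action, user.id, organisation_id, allowed)
    if not allowed:
        return {"message": DENIED_MESSAGES[action], "statusCode": 403}
    return {"status": "success", "status_code": 200, "data": handler()}


if __name__ == "__main__":
    owner = User("u1", org_roles={"org_12345": "owner"})
    billing_elsewhere = User("u2", org_roles={"org_99999": "billing"})
    print(billing_action(owner, "org_12345", "add",
                         lambda: {"plan_name": "Premium Plan", "amount": 100}))
    print(billing_action(billing_elsewhere, "org_12345", "modify", lambda: {}))
```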
Testing
Unit Tests:
- Successful billing addition/modification by Super Admin, Organization Owner, or Billing role.
- Unauthorized billing modification attempt by a regular authenticated user.

Integration Tests:
- Validate API responses for different user roles.
- Ensure RBAC is enforced in both endpoints.