Phase 2: Students, Staff, Roles & Departments
Phase 2 adds people management -- students with PII encryption, staff accounts, role-based access, and departments.
Purpose
Register students with encrypted PII fields, create staff accounts with role assignments, and organise staff into departments. This phase also wires up the authentication system with real Staff model queries.
Key Models
| Model | Purpose |
|---|---|
Student | Student record with personal details, guardian info, photo, encrypted PII |
Staff | Staff member with auth credentials (email, passwordHash, authProvider) |
Role | Named permission level (ADMIN, PRINCIPAL, etc.) |
StaffRole | Append-only role assignment (never deleted; revoked via revokedAt) |
Department | Organisational grouping of subjects and staff |
StaffDepartment | Join table linking staff to departments |
Critical Rules
- PII encryption:
Student.passportNumberandStudent.guardianPhonemust be encrypted viaencryptFieldbefore Prisma writes and decrypted viadecryptFieldafter reads. See ADR-004. - StaffRole is append-only: Never delete a StaffRole row. Revoke by setting
revokedAt. Permission resolution always filtersrevokedAt IS NULL. - Student photo upload uses presigned PUT URLs (not server-side upload) to avoid streaming large files through Next.js.
API Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET/POST | /api/admin/staff | List / create staff |
| GET/PATCH/DELETE | /api/admin/staff/[id] | Staff CRUD (soft delete: isActive = false) |
| POST/DELETE | /api/admin/staff/[id]/roles | Assign / revoke role |
| POST/DELETE | /api/admin/staff/[id]/departments | Assign / remove department |
| GET/POST | /api/admin/roles | List / create roles |
| GET/PATCH/DELETE | /api/admin/roles/[id] | Role CRUD |
| GET/POST | /api/admin/departments | List / create departments |
| PATCH/DELETE | /api/admin/departments/[id] | Department CRUD |
| GET/POST | /api/admin/students | List / create students |
| GET/PATCH/DELETE | /api/admin/students/[id] | Student CRUD (soft delete: status = WITHDRAWN) |
| POST/GET | /api/admin/students/[id]/photo | Photo presigned URL upload / download |
Key Files
src/lib/encryption.ts-- AES-256-GCM PII encryption/decryptionsrc/lib/auth.ts-- next-auth v4 auth options,SA3Sessionconstructionsrc/lib/permissions.ts--resolvePermissionsForResourcesrc/app/admin/staff/-- Staff management UIsrc/app/admin/students/-- Student management UI