====== Permissions Reference ======

===== Permission Model Summary =====

LEAST uses a three-layer model: Authentication → Association Membership → Feature Permission.

See [[admin:permissions|Roles & Permissions]] for the administrator guide.

===== Complete Permission Code → Column Map =====

==== Education / Class Permissions ====

^ Code(s) ^ Column ^ Description ^
| ''eduClassList'', ''eduLessonProgress'' | X_1001 | View class list and lesson progress |
| ''eduClassSettings'' | X_1002 | Edit class settings |
| ''eduRollCallCreate'', ''eduRollCallUpdate'', ''eduRollCallReport'' | X_1003 | Roll call — create, update, report |
| ''eduCourseCreate'', ''eduDayPlanner*'' | X_1004 | Course create and day planner |
| ''eduCourseSettings'', ''eduCourseManage'', ''eduCourseDiary'' | X_1005 | Course settings and management |
| ''eduCourseProgress'' | X_1006 | Course progress reporting |
| ''eduNoticeboardSettings'' | X_1007 | Noticeboard settings |
| ''eduNoticeboardReports'' | X_1008 | Noticeboard reports |
| ''eduNoticeboardCreate'' | X_1009 | Post noticeboard notices |
| ''eduClassPermissions'' | X_1010 | Manage class permissions |

==== Organisation Permissions ====

^ Code(s) ^ Column ^ Description ^
| ''orgUpdate'' | X_2001 | Update organisation details |
| ''orgMembers'' | X_2002 | Manage members |
| ''orgPermissions'' | X_2003 | Set member permissions |
| ''orgPublish'' | X_2004 | Publish notifications |
| ''orgDisplayScreenSetting'' | X_2005 | Display screen settings |
| ''orgDisplayScreenItem*'' | X_2006 | Display screen items |

==== Membership-Only (no specific bit required) ====

Active membership is sufficient — no permission bit needed:

''colAdmin_Create'', ''orgWorkflow'', ''entWorkflow'', ''toolTill'', ''toolStockTake'', ''entDailyTotals'', ''commsOrganisation'', ''orgDisplayScreenSelect'', ''eduMindfulWriting''

===== Database Tables =====

^ Table ^ Purpose ^
| ''Association'' | Organisations, classes, families |
| ''AssociationMember'' | User memberships (status 1/2/0) |
| ''AssociationSecurity'' | Permission bits per user per association |

===== Creator Protections =====

The association creator always retains ''X_1010'' (Class Permissions), ''X_2002'' (Manage Members), and ''X_2003'' (Set Permissions). These cannot be revoked — it prevents the owner locking themselves out.