ELEVATE-Project · nevil-mathew · Oct 27, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 4, 2025
diff --git a/src/configs/postgres.js b/src/configs/postgres.js
@@ -26,6 +26,19 @@ module.exports = {
 			updatedAt: 'updated_at',
 			deletedAt: 'deleted_at',
 		},
+		pool: {
+			max: parseInt(process.env.DB_POOL_MAX),
+			min: parseInt(process.env.DB_POOL_MIN),
+			acquire: parseInt(process.env.DB_POOL_ACQUIRE_MS),
+			idle: parseInt(process.env.DB_POOL_IDLE_MS),
+			evict: parseInt(process.env.DB_POOL_EVICT_MS),
+		},
+		dialectOptions: {
+			application_name: process.env.APP_NAME,
+			keepAlive: true,
+			statement_timeout: parseInt(process.env.PG_STATEMENT_TIMEOUT_MS),
+			idle_in_transaction_session_timeout: parseInt(process.env.PG_IDLE_TX_TIMEOUT_MS),
+		},
 		//logging: false,
 		defaultOrgId: parseInt(process.env.DEFAULT_ORG_ID),
 	},
@@ -37,6 +50,19 @@ module.exports = {
 	production: {
 		url: process.env.DATABASE_URL,
 		dialect: 'postgres',
+		pool: {
+			max: parseInt(process.env.DB_POOL_MAX),
+			min: parseInt(process.env.DB_POOL_MIN),
+			acquire: parseInt(process.env.DB_POOL_ACQUIRE_MS),
+			idle: parseInt(process.env.DB_POOL_IDLE_MS),
+			evict: parseInt(process.env.DB_POOL_EVICT_MS),
+		},
+		dialectOptions: {
+			application_name: process.env.APP_NAME,
+			keepAlive: true,
+			statement_timeout: parseInt(process.env.PG_STATEMENT_TIMEOUT_MS),
+			idle_in_transaction_session_timeout: parseInt(process.env.PG_IDLE_TX_TIMEOUT_MS),
+		},
 		defaultOrgId: parseInt(process.env.DEFAULT_ORG_ID),
 	},
 }
diff --git a/src/constants/common.js b/src/constants/common.js
@@ -41,7 +41,9 @@ module.exports = {
 	refreshTokenLimit: 3,
 	otpExpirationTime: process.env.OTP_EXP_TIME, // In Seconds,
 	ADMIN_ROLE: 'admin',
+	TENANT_ADMIN_ROLE: 'tenant_admin',
 	ORG_ADMIN_ROLE: 'org_admin',
+	TENANT_ADMIN_ROLE: 'tenant_admin',
 	USER_ROLE: 'user',
 	SESSION_MANAGER_ROLE: 'session_manager',
 	PUBLIC_ROLE: 'public',

diff --git a/src/controllers/v1/admin.js b/src/controllers/v1/admin.js
@@ -38,6 +38,49 @@ module.exports = class Admin {
 		}
 	}
 
+	/**
+	 * Assigns a role to a user.
+	 *
+	 * Extracts `organization_code` and `tenant_code` from `req.decodedToken`
+	 * instead of the request body and delegates the actual role assignment
+	 * to the service layer. Performs only an admin-access check.
+	 *
+	 * @async
+	 * @function assignRole
+	 * @param {import('express').Request} req - Express request object
+	 * @param {Object} req.decodedToken - Decoded JWT payload
+	 * @param {string} req.decodedToken.organization_code - Organization code from token
+	 * @param {string} req.decodedToken.tenant_code - Tenant code from token
+	 * @param {Object} req.body - Request body containing assignment data
+	 * @param {number|string} req.body.user_id - Target user ID
+	 * @param {number|string} req.body.role_id - Role ID to assign
+	 * @param {number|string} [req.body.organization_id] - Optional organization ID
+	 * @returns {Promise<Object>} Service response object
+	 */
+
+	async assignRole(req) {
+		try {
+			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ADMIN_ROLE)) {
+				throw responses.failureResponse({
+					message: 'USER_IS_NOT_A_ADMIN',
+					statusCode: httpStatusCode.bad_request,
+					responseCode: 'CLIENT_ERROR',
+				})
+			}
+
+			const params = {
+				organization_code: req.decodedToken.organization_code,
+				tenant_code: req.decodedToken.tenant_code,
+			}
+
+			// Pass token-derived params separately per new service pattern
+			const user = await adminService.assignRole(params, req.body)
+			return user
+		} catch (error) {
+			return error
+		}
+	}
+
 	/**
 	 * create admin users
 	 * @method

diff --git a/src/controllers/v1/notification.js b/src/controllers/v1/notification.js
@@ -29,7 +29,13 @@ module.exports = class NotificationTemplate {
 
 	async template(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, [common.ADMIN_ROLE, common.ORG_ADMIN_ROLE])) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ADMIN_ROLE,
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,

diff --git a/src/controllers/v1/org-admin.js b/src/controllers/v1/org-admin.js
@@ -21,7 +21,12 @@ module.exports = class OrgAdmin {
 	 */
 	async bulkUserCreate(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -48,7 +53,12 @@ module.exports = class OrgAdmin {
 	 */
 	async getBulkInvitesFilesList(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -72,7 +82,12 @@ module.exports = class OrgAdmin {
 	 */
 	async getRequestDetails(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -102,7 +117,12 @@ module.exports = class OrgAdmin {
 	 */
 	async getRequests(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -129,7 +149,12 @@ module.exports = class OrgAdmin {
 	 */
 	async updateRequestStatus(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -153,7 +178,12 @@ module.exports = class OrgAdmin {
 	 */
 	async deactivateUser(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,
@@ -178,7 +208,12 @@ module.exports = class OrgAdmin {
 
 	async inheritEntityType(req) {
 		try {
-			if (!utilsHelper.validateRoleAccess(req.decodedToken.roles, common.ORG_ADMIN_ROLE)) {
+			if (
+				!utilsHelper.validateRoleAccess(req.decodedToken.roles, [
+					common.ORG_ADMIN_ROLE,
+					common.TENANT_ADMIN_ROLE,
+				])
+			) {
 				throw responses.failureResponse({
 					message: 'USER_IS_NOT_A_ADMIN',
 					statusCode: httpStatusCode.bad_request,

diff --git a/src/controllers/v1/organization-feature.js b/src/controllers/v1/organization-feature.js
@@ -89,7 +89,8 @@ module.exports = class OrganizationFeature {
 				  )
 				: await organizationFeatureService.list(
 						req.decodedToken.tenant_code,
-						req.decodedToken.organization_code
+						req.decodedToken.organization_code,
+						req.decodedToken.roles
 				  )
 		} catch (error) {
 			return error

diff --git a/src/controllers/v1/organization.js b/src/controllers/v1/organization.js
@@ -31,7 +31,7 @@ module.exports = class Organization {
 			let isAdmin = false
 			const roles = req.decodedToken.roles
 			if (roles && roles.length > 0) {
-				isAdmin = utilsHelper.validateRoleAccess(roles, common.ADMIN_ROLE)
+				isAdmin = utilsHelper.validateRoleAccess(roles, [common.ADMIN_ROLE, common.TENANT_ADMIN_ROLE])
 			}
 
 			if (!isAdmin) {
@@ -68,7 +68,7 @@ module.exports = class Organization {
 
 			if (roles && roles.length > 0) {
 				isAdmin = utilsHelper.validateRoleAccess(roles, common.ADMIN_ROLE)
-				isOrgAdmin = utilsHelper.validateRoleAccess(roles, common.ORG_ADMIN_ROLE)
+				isOrgAdmin = utilsHelper.validateRoleAccess(roles, [common.ORG_ADMIN_ROLE, common.TENANT_ADMIN_ROLE])
 			}
 
 			if (req.params.id != req.decodedToken.organization_id && isOrgAdmin) {
@@ -170,6 +170,7 @@ module.exports = class Organization {
 				isAdmin =
 					utilsHelper.validateRoleAccess(roles, common.ADMIN_ROLE) ||
 					utilsHelper.validateRoleAccess(roles, common.ORG_ADMIN_ROLE) ||
+					utilsHelper.validateRoleAccess(roles, common.TENANT_ADMIN_ROLE) ||
 					false
 			}
 			const result = await orgService.details(
@@ -215,7 +216,7 @@ module.exports = class Organization {
 
 			if (roles && roles.length > 0) {
 				isAdmin = utilsHelper.validateRoleAccess(roles, common.ADMIN_ROLE)
-				isOrgAdmin = utilsHelper.validateRoleAccess(roles, common.ORG_ADMIN_ROLE)
+				isOrgAdmin = utilsHelper.validateRoleAccess(roles, [common.ORG_ADMIN_ROLE, common.TENANT_ADMIN_ROLE])
 			}
 			if (!isAdmin && !isOrgAdmin) {
 				throw responses.failureResponse({
@@ -260,7 +261,7 @@ module.exports = class Organization {
 
 			if (roles && roles.length > 0) {
 				isAdmin = utilsHelper.validateRoleAccess(roles, common.ADMIN_ROLE)
-				isOrgAdmin = utilsHelper.validateRoleAccess(roles, common.ORG_ADMIN_ROLE)
+				isOrgAdmin = utilsHelper.validateRoleAccess(roles, [common.ORG_ADMIN_ROLE, common.TENANT_ADMIN_ROLE])
 			}
 			if (!isAdmin && !isOrgAdmin) {
 				throw responses.failureResponse({

diff --git a/src/database/migrations/20251002164809-create-feature-role-mapping-table.js b/src/database/migrations/20251002164809-create-feature-role-mapping-table.js
@@ -0,0 +1,61 @@
+'use strict'
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+	async up(queryInterface, Sequelize) {
+		await queryInterface.createTable('feature_role_mapping', {
+			id: {
+				type: Sequelize.INTEGER,
+				allowNull: false,
+				autoIncrement: true,
+			},
+			feature_code: {
+				type: Sequelize.STRING,
+				allowNull: false,
+			},
+			role_title: {
+				type: Sequelize.STRING,
+				allowNull: false,
+			},
+			organization_code: {
+				type: Sequelize.STRING,
+				allowNull: false,
+			},
+			tenant_code: {
+				type: Sequelize.STRING,
+				allowNull: false,
+			},
+			created_by: {
+				type: Sequelize.INTEGER,
+				allowNull: false,
+			},
+			updated_by: {
+				type: Sequelize.INTEGER,
+				allowNull: true,
+			},
+			created_at: {
+				allowNull: false,
+				type: Sequelize.DATE,
+			},
+			updated_at: {
+				allowNull: false,
+				type: Sequelize.DATE,
+			},
+			deleted_at: {
+				allowNull: true,
+				type: Sequelize.DATE,
+			},
+		})
+
+		// Add composite primary key
+		await queryInterface.addConstraint('feature_role_mapping', {
+			fields: ['id', 'tenant_code'],
+			type: 'primary key',
+			name: 'pk_feature_role_mapping',
+		})
+	},
+
+	async down(queryInterface) {
+		await queryInterface.dropTable('feature_role_mapping')
+	},
+}