This implementation ensures that unapproved faculty members can only send notifications to administrators. The changes include both backend validation and frontend UI updates to enforce this restriction.
- File: `backend/controllers/notifications.js`
- Change: Added faculty approval check in the `sendNotification` function
- Details:
  - Before processing any notification, the system now checks if the faculty's account is approved
  - For unapproved faculty, only allows sending to individual administrators
  - Validates that all recipients are administrators for unapproved faculty
  - Returns a 403 status with a clear error message if the restriction is violated
  - Error message: "Unapproved faculty can only send notifications to administrators. Please contact an administrator for approval."
- File: `backend/routes/notifications.js`
- Change: Added `getAllAdmins` route for faculty to access admin list
- Details:
  - Added `getAllAdmins` function import
  - Added route `/api/notifications/admins` accessible by faculty
  - Allows faculty to get the list of administrators for notification targeting
- File: `backend/controllers/admin.js`
- Change: Added `getAllAdmins` function
- Details:
  - Created function to fetch all admin users with their details
  - Formats admin data for frontend consumption
  - Includes user ID mapping for notification targeting
- File: `frontend/src/components/SendNotificationModal.js`
- Changes:
  - Added warning alert for unapproved faculty
  - Restricted recipient type options for unapproved faculty
  - Added admin selection interface for unapproved faculty
  - Updated recipient count display for admin selection
  - Added automatic recipient type setting for unapproved faculty
- File: `frontend/src/services/notificationService.js`
- Change: Added `getAllAdmins` method
- Details:
  - Added method to fetch all administrators from the backend
  - Uses the new `/api/notifications/admins` endpoint
  - Handles errors appropriately
- Warning Banner: A prominent warning banner appears at the top of the notification modal
- Restricted Options: Only "Administrators Only" option is available in recipient type dropdown
- Admin Selection: A dedicated admin selection interface allows choosing specific administrators
- Clear Messaging: All UI elements clearly indicate the restriction and guide the user
- Automatic Setup: Recipient type is automatically set to "individual" for admin selection
- No changes to existing functionality
- All notification features work as before
- No changes to existing functionality
- Can still send notifications to any recipients
- Server-side Check: Faculty approval status is verified on the server before processing notifications
- Recipient Validation: Ensures unapproved faculty can only send to administrators
- Clear Error Messages: Provides helpful error messages without exposing sensitive information
- UI Restrictions: Prevents unapproved faculty from selecting inappropriate recipient types
- Client-side Checks: Validates form data before submission
- User Guidance: Clear messaging helps users understand restrictions
- `GET /api/notifications/admins` - Get all administrators (faculty access)
- Enhanced `POST /api/notifications/send` - Now includes faculty approval validation
- `POST /api/notifications/send` - Added faculty approval check
The implementation uses the existing `approved` field in the Faculty model:

```javascript
{
  approved: { type: Boolean, default: false }
}
```

- 403 Forbidden: When unapproved faculty tries to send to non-admin recipients
- 400 Bad Request: When no valid recipients are found
- 404 Not Found: When sender or recipients are not found
- User-friendly Messages: Clear error messages displayed in the UI
- Form Validation: Prevents submission of invalid data
- Loading States: Proper loading indicators during API calls
- Unapproved Faculty: Should only be able to send notifications to administrators
- Approved Faculty: Should have full notification functionality
- Administrators: Should have no restrictions
- Error Handling: Should display appropriate error messages
- UI Restrictions: Should prevent inappropriate selections
- `backend/controllers/notifications.js` - Added approval check and getAllAdmins function
- `backend/routes/notifications.js` - Added admin route
- `backend/controllers/admin.js` - Added getAllAdmins function
- `frontend/src/components/SendNotificationModal.js` - Updated UI for restrictions
- `frontend/src/services/notificationService.js` - Added getAllAdmins method
- Faculty opens notification modal
- Warning banner appears explaining restriction
- Recipient type is automatically set to "Administrators Only"
- Faculty selects specific administrators from dropdown
- Faculty composes and sends notification
- Backend validates faculty approval and recipient types
- Notification is sent only to selected administrators
Backend response for unapproved faculty trying to send to students:

```json
{
  "success": false,
  "message": "Unapproved faculty can only send notifications to administrators. Please contact an administrator for approval."
}
```

- Backend validation ensures that even if frontend restrictions are bypassed, unapproved faculty cannot send inappropriate notifications
- Clear error messages help faculty understand why their notification was rejected
- No sensitive information is exposed in error messages
- Proper authorization checks on all endpoints
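
A sketch of the server-side recipient check described above, written as an added example and not taken from the project's `sendNotification` code. The function name, the `role` values, the `"individual"` recipient type string and the in-memory `Map` standing in for the database are assumptions; recipient lists for other recipient types are assumed to be resolved to ids before the call.

```javascript
// Added example: hypothetical names and data shapes, not the project's code.
const RESTRICTED_MSG =
  "Unapproved faculty can only send notifications to administrators. " +
  "Please contact an administrator for approval.";

// users: Map of userId -> { role, approved } standing in for the database.
function authorizeSend(users, senderId, recipientType, recipientIds) {
  const sender = users.get(senderId);
  if (!sender) return { status: 404, message: "Sender not found" };

  // De-duplicate and drop non-string ids before any lookup.
  const ids = [...new Set((Array.isArray(recipientIds) ? recipientIds : [])
    .filter((id) => typeof id === "string"))];

  // Fail closed: anything other than approved === true counts as unapproved.
  const restricted = sender.role === "faculty" && sender.approved !== true;
  if (restricted && recipientType !== "individual") {
    return { status: 403, message: RESTRICTED_MSG };
  }
  if (ids.length === 0) return { status: 400, message: "No valid recipients" };

  const recipients = ids.map((id) => users.get(id));
  // Every recipient must be an existing admin, not just the first one.
  // Checked before the 404 so a restricted sender cannot probe which ids exist.
  if (restricted && !recipients.every((r) => r && r.role === "admin")) {
    return { status: 403, message: RESTRICTED_MSG };
  }
  if (recipients.some((r) => !r)) {
    return { status: 404, message: "Recipient not found" };
  }
  return { status: 200, recipients: ids };
}

// Constructed sample data.
const users = new Map([
  ["f1", { role: "faculty", approved: false }],
  ["f2", { role: "faculty", approved: true }],
  ["a1", { role: "admin" }],
  ["s1", { role: "student" }],
]);

function demo() {
  return [
    authorizeSend(users, "f1", "individual", ["a1"]).status,       // admin only
    authorizeSend(users, "f1", "individual", ["a1", "s1"]).status, // mixed list
    authorizeSend(users, "f1", "all_students", []).status,         // broadcast type
    authorizeSend(users, "f2", "individual", ["s1"]).status,       // approved sender
  ];
}
console.log(demo());
```

The mixed-list case is the one a frontend bypass would exercise: a request that includes one administrator alongside other recipients is rejected as a whole rather than partially delivered.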
- Add notification templates for common admin communication scenarios
- Implement notification approval workflow for unapproved faculty
- Add notification history tracking for audit purposes
- Consider adding notification categories specific to admin communication