Security & Roles
User Roles0
Security Layers0CSRF, bcrypt, session, headers, PDO
Password Cost12bcrypt rounds
Role-Based Access Control
Six predefined roles govern access to every feature of the platform. All authentication uses bcrypt (cost 12), CSRF tokens protect every form, and PDO prepared statements prevent SQL injection.
| Capability | Super Admin | Admin | Operator | Family | Responder | Safety Officer |
|---|---|---|---|---|---|---|
| Create org/users | ✓ | ✓ | — | — | — | — |
| Manage devices | ✓ | ✓ | ✓ | — | — | — |
| View alerts/incidents | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Acknowledge/resolve | ✓ | ✓ | ✓ | — | ✓ | ✓ |
| Assign incidents | ✓ | ✓ | ✓ | — | — | ✓ |
| View reports/exports | ✓ | ✓ | ✓ | — | — | — |
| Manage contacts | ✓ | ✓ | — | — | — | — |
| Mobile API access | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
🔒 Security Architecture
All passwords hashed with password_hash() at cost 12. Every state-changing form includes a CSRF token. All database queries use PDO prepared statements. Session cookies are HttpOnly + SameSite=Strict. API tokens are hashed before storage — plaintext is returned only once at creation.