Started implementing the roles permissions

2024-10-10 19:13:18 +01:00
parent c43ab9a911
commit 55204e2ce1
67 changed files with 1357 additions and 1134 deletions
--- a/src/components/High/Layout.tsx
+++ b/src/components/High/Layout.tsx
@@ -1,7 +1,7 @@
 import {User} from "@/interfaces/user";
 import clsx from "clsx";
 import {useRouter} from "next/router";
-import BottomBar from "../BottomBar";
+import { ToastContainer } from "react-toastify";
 import Navbar from "../Navbar";
 import Sidebar from "../Sidebar";

@@ -20,6 +20,7 @@ export default function Layout({user, children, className, bgColor="bg-white", n

 	return (
 		<main className={clsx("w-full min-h-full h-screen flex flex-col bg-mti-gray-smoke relative")}>
+			<ToastContainer />
 			<Navbar
 				path={router.pathname}
 				user={user}
--- a/src/components/Sidebar.tsx
+++ b/src/components/Sidebar.tsx
@@ -167,16 +167,6 @@ export default function Sidebar({ path, navDisabled = false, focusMode = false,
            isMinimized={isMinimized}
          />
        )}
-        {checkAccess(user, ["developer", "admin", "corporate", "mastercorporate", "agent"]) && (
-          <Nav
-            disabled={disableNavigation}
-            Icon={BsFileLock}
-            label="Permissions"
-            path={path}
-            keyPath="/permissions"
-            isMinimized={isMinimized}
-          />
-        )}
      </div>
      <div className="-xl:flex flex-col gap-3 xl:hidden">
        <Nav disabled={disableNavigation} Icon={MdSpaceDashboard} label="Dashboard" path={path} keyPath="/" isMinimized={true} />
@@ -194,9 +184,6 @@ export default function Sidebar({ path, navDisabled = false, focusMode = false,
        {checkAccess(user, getTypesOfUser(["student"])) && (
          <Nav disabled={disableNavigation} Icon={BsShieldFill} label="Settings" path={path} keyPath="/settings" isMinimized={true} />
        )}
-        {checkAccess(user, getTypesOfUser(["student"])) && (
-          <Nav disabled={disableNavigation} Icon={BsShieldFill} label="Permissions" path={path} keyPath="/permissions" isMinimized={true} />
-        )}
        {checkAccess(user, ["developer"]) && (
          <>
            <Nav
--- a/src/hooks/useEntities.tsx
+++ b/src/hooks/useEntities.tsx
@@ -4,7 +4,7 @@ import { Code, Group, User } from "@/interfaces/user";
 import axios from "axios";
 import { useEffect, useState } from "react";

-export default function useEntities(creator?: string) {
+export default function useEntities() {
  const [entities, setEntities] = useState<EntityWithRoles[]>([]);
  const [isLoading, setIsLoading] = useState(false);
  const [isError, setIsError] = useState(false);
@@ -17,7 +17,7 @@ export default function useEntities(creator?: string) {
      .finally(() => setIsLoading(false));
  };

-  useEffect(getData, [creator]);
+  useEffect(getData, []);

  return { entities, isLoading, isError, reload: getData };
 }
--- a/src/hooks/useEntityPermissions.tsx
+++ b/src/hooks/useEntityPermissions.tsx
@@ -0,0 +1,16 @@
+import { EntityWithRoles } from "@/interfaces/entity";
+import { User } from "@/interfaces/user";
+import { RolePermission } from "@/resources/entityPermissions";
+import { mapBy } from "@/utils";
+import { doesEntityAllow, findAllowedEntities } from "@/utils/permissions";
+import { useMemo, useState } from "react";
+
+export const useAllowedEntities = (user: User, entities: EntityWithRoles[], permission: RolePermission) => {
+	const allowedEntityIds = useMemo(() => findAllowedEntities(user, entities, permission), [user, entities, permission])
+	return allowedEntityIds
+}
+
+export const useEntityPermission = (user: User, entity: EntityWithRoles, permission: RolePermission) => {
+	const isAllowed = useMemo(() => doesEntityAllow(user, entity, permission), [user, entity, permission])
+	return isAllowed
+}
--- a/src/interfaces/entity.ts
+++ b/src/interfaces/entity.ts
@@ -8,6 +8,7 @@ export interface Role {
  entityID: string;
  permissions: string[];
  label: string;
+  isDefault?: boolean
 }

 export interface EntityWithRoles extends Entity {
--- a/src/pages/(admin)/Lists/CodeList.tsx
+++ b/src/pages/(admin)/Lists/CodeList.tsx
@@ -29,7 +29,7 @@ const CreatorCell = ({id, users}: {id: string; users: User[]}) => {
 	return (
 		<>
 			{(creatorUser?.type === "corporate" ? creatorUser?.corporateInformation?.companyInformation?.name : creatorUser?.name || "N/A") || "N/A"}{" "}
-			{creatorUser && `(${USER_TYPE_LABELS[creatorUser.type]})`}
+			{creatorUser && `(${USER_TYPE_LABELS[creatorUser?.type]})`}
 		</>
 	);
 };
@@ -216,10 +216,10 @@ export default function CodeList({user}: {user: User}) {
 							filteredCorporate
 								? {
 										label: `${
-											filteredCorporate.type === "corporate"
+											filteredCorporate?.type === "corporate"
 												? filteredCorporate.corporateInformation?.companyInformation?.name || filteredCorporate.name
 												: filteredCorporate.name
-										} (${USER_TYPE_LABELS[filteredCorporate.type]})`,
+										} (${USER_TYPE_LABELS[filteredCorporate?.type]})`,
 										value: filteredCorporate.id,
 								  }
 								: null
--- a/src/pages/(admin)/Lists/GroupList.tsx
+++ b/src/pages/(admin)/Lists/GroupList.tsx
@@ -47,9 +47,9 @@ const CreatePanel = ({ user, users, group, onClose }: CreateDialogProps) => {
  });

  const availableUsers = useMemo(() => {
-    if (user.type === "teacher") return users.filter((x) => ["student"].includes(x.type));
-    if (user.type === "corporate") return users.filter((x) => ["teacher", "student"].includes(x.type));
-    if (user.type === "mastercorporate") return users.filter((x) => ["corporate", "teacher", "student"].includes(x.type));
+    if (user?.type === "teacher") return users.filter((x) => ["student"].includes(x.type));
+    if (user?.type === "corporate") return users.filter((x) => ["teacher", "student"].includes(x.type));
+    if (user?.type === "mastercorporate") return users.filter((x) => ["corporate", "teacher", "student"].includes(x.type));

    return users;
  }, [user, users]);
--- a/src/pages/(admin)/Lists/UserList.tsx
+++ b/src/pages/(admin)/Lists/UserList.tsx
@@ -17,13 +17,13 @@ import useFilterStore from "@/stores/listFilterStore";
 import { useRouter } from "next/router";
 import { mapBy } from "@/utils";
 import { exportListToExcel } from "@/utils/users";
-import { checkAccess } from "@/utils/permissions";
-import { PermissionType } from "@/interfaces/permissions";
 import usePermissions from "@/hooks/usePermissions";
 import useUserBalance from "@/hooks/useUserBalance";
 import useEntitiesUsers from "@/hooks/useEntitiesUsers";
 import { WithLabeledEntities } from "@/interfaces/entity";
 import Table from "@/components/High/Table";
+import useEntities from "@/hooks/useEntities";
+import { useAllowedEntities } from "@/hooks/useEntityPermissions";

 const columnHelper = createColumnHelper<WithLabeledEntities<User>>();
 const searchFields = [["name"], ["email"], ["entities", ""]];
@@ -43,10 +43,24 @@ export default function UserList({
  const [selectedUser, setSelectedUser] = useState<User>();

  const { users, reload } = useEntitiesUsers(type)
+  const { entities } = useEntities()

-  const { permissions } = usePermissions(user?.id || "");
  const { balance } = useUserBalance();

+  const isAdmin = useMemo(() => ["admin", "developer"].includes(user?.type), [user?.type])
+
+  const entitiesEditStudents = useAllowedEntities(user, entities, "edit_students")
+  const entitiesDeleteStudents = useAllowedEntities(user, entities, "delete_students")
+
+  const entitiesEditTeachers = useAllowedEntities(user, entities, "edit_teachers")
+  const entitiesDeleteTeachers = useAllowedEntities(user, entities, "delete_teachers")
+
+  const entitiesEditCorporates = useAllowedEntities(user, entities, "edit_corporates")
+  const entitiesDeleteCorporates = useAllowedEntities(user, entities, "delete_corporates")
+
+  const entitiesEditMasterCorporates = useAllowedEntities(user, entities, "edit_mastercorporates")
+  const entitiesDeleteMasterCorporates = useAllowedEntities(user, entities, "delete_mastercorporates")
+
  const appendUserFilters = useFilterStore((state) => state.appendUserFilter);
  const router = useRouter();

@@ -115,23 +129,41 @@ export default function UserList({
      });
  };

+  const getEditPermission = (type: Type) => {
+ 		if (type === "student") return entitiesEditStudents
+ 		if (type === "teacher") return entitiesEditTeachers
+  	if (type === "corporate") return entitiesEditCorporates
+  	if (type === "mastercorporate") return entitiesEditMasterCorporates
+
+   	return []
+  }
+
+  const getDeletePermission = (type: Type) => {
+ 		if (type === "student") return entitiesDeleteStudents
+ 		if (type === "teacher") return entitiesDeleteTeachers
+  	if (type === "corporate") return entitiesDeleteCorporates
+  	if (type === "mastercorporate") return entitiesDeleteMasterCorporates
+
+   	return []
+  }
+
+  const canEditUser = (u: User) =>
+  	isAdmin || u.entities.some(e => mapBy(getEditPermission(u.type), 'id').includes(e.id))
+  const canDeleteUser = (u: User) =>
+  	isAdmin || u.entities.some(e => mapBy(getDeletePermission(u.type), 'id').includes(e.id))
+
  const actionColumn = ({ row }: { row: { original: User } }) => {
-    const updateUserPermission = PERMISSIONS.updateUser[row.original.type] as {
-      list: Type[];
-      perm: PermissionType;
-    };
-    const deleteUserPermission = PERMISSIONS.deleteUser[row.original.type] as {
-      list: Type[];
-      perm: PermissionType;
-    };
+		const canEdit = canEditUser(row.original)
+		const canDelete = canDeleteUser(row.original)
+
    return (
      <div className="flex gap-4">
-        {!row.original.isVerified && checkAccess(user, updateUserPermission.list, permissions, updateUserPermission.perm) && (
+        {!row.original.isVerified && canEdit && (
          <div data-tip="Verify User" className="cursor-pointer tooltip" onClick={() => verifyAccount(row.original)}>
            <BsCheck className="hover:text-mti-purple-light transition ease-in-out duration-300" />
          </div>
        )}
-        {checkAccess(user, updateUserPermission.list, permissions, updateUserPermission.perm) && (
+        {canEdit && (
          <div
            data-tip={row.original.status === "disabled" ? "Enable User" : "Disable User"}
            className="cursor-pointer tooltip"
@@ -143,7 +175,7 @@ export default function UserList({
            )}
          </div>
        )}
-        {checkAccess(user, deleteUserPermission.list, permissions, deleteUserPermission.perm) && (
+        {canDelete && (
          <div data-tip="Delete" className="cursor-pointer tooltip" onClick={() => deleteAccount(row.original)}>
            <BsTrash className="hover:text-mti-purple-light transition ease-in-out duration-300" />
          </div>
@@ -158,11 +190,11 @@ export default function UserList({
      cell: ({ row, getValue }) => (
        <div
          className={clsx(
-            checkAccess(user, ["admin", "corporate", "developer", "mastercorporate"]) &&
+            canEditUser(row.original) &&
            "underline text-mti-purple-light hover:text-mti-purple-dark transition ease-in-out duration-300 cursor-pointer",
          )}
          onClick={() =>
-            checkAccess(user, ["admin", "corporate", "developer", "mastercorporate"]) ? setSelectedUser(row.original) : null
+            canEditUser(row.original) ? setSelectedUser(row.original) : null
          }>
          {getValue()}
        </div>
@@ -218,11 +250,11 @@ export default function UserList({
      cell: ({ row, getValue }) => (
        <div
          className={clsx(
-            checkAccess(user, ["admin", "corporate", "developer", "mastercorporate"]) &&
+            canEditUser(row.original) &&
            "underline text-mti-purple-light hover:text-mti-purple-dark transition ease-in-out duration-300 cursor-pointer",
          )}
          onClick={() =>
-            checkAccess(user, ["admin", "corporate", "developer", "mastercorporate"]) ? setSelectedUser(row.original) : null
+            canEditUser(row.original) ? setSelectedUser(row.original) : null
          }>
          {getValue()}
        </div>
@@ -233,10 +265,10 @@ export default function UserList({
      cell: ({ row, getValue }) => (
        <div
          className={clsx(
-            PERMISSIONS.updateExpiryDate[row.original.type]?.includes(user.type) &&
+            canEditUser(row.original) &&
            "underline text-mti-purple-light hover:text-mti-purple-dark transition ease-in-out duration-300 cursor-pointer",
          )}
-          onClick={() => (PERMISSIONS.updateExpiryDate[row.original.type]?.includes(user.type) ? setSelectedUser(row.original) : null)}>
+          onClick={() => (canEditUser(row.original) ? setSelectedUser(row.original) : null)}>
          {getValue()}
        </div>
      ),
--- a/src/pages/api/entities/[id]/index.ts
+++ b/src/pages/api/entities/[id]/index.ts
@@ -2,9 +2,12 @@
 import type {NextApiRequest, NextApiResponse} from "next";
 import {withIronSessionApiRoute} from "iron-session/next";
 import {sessionOptions} from "@/lib/session";
-import {getEntity, getEntityWithRoles} from "@/utils/entities.be";
+import {deleteEntity, getEntity, getEntityWithRoles} from "@/utils/entities.be";
 import client from "@/lib/mongodb";
 import {Entity} from "@/interfaces/entity";
+import { doesEntityAllow } from "@/utils/permissions";
+import { getUser } from "@/utils/users.be";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -16,10 +19,8 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id, showRoles} = req.query as {id: string; showRoles: string};

@@ -27,15 +28,27 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 	res.status(200).json(entity);
 }

+async function del(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	const { id } = req.query as { id: string };
+
+	const entity = await getEntityWithRoles(id)
+	if (!entity) return res.status(404).json({ok: false})
+
+	if (!doesEntityAllow(user, entity, "delete_entity_role")) return res.status(403).json({ok: false})
+
+	await deleteEntity(entity)
+	return res.status(200).json({ok: true});
+}
+
 async function patch(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+		if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};

-	const user = req.session.user;
 	if (!user.entities.map((x) => x.id).includes(id)) {
 		return res.status(403).json({ok: false});
 	}
--- a/src/pages/api/entities/groups.ts
+++ b/src/pages/api/entities/groups.ts
@@ -6,9 +6,10 @@ import { getEntities, getEntitiesWithRoles } from "@/utils/entities.be";
 import { Entity, WithEntities, WithEntity, WithLabeledEntities } from "@/interfaces/entity";
 import { v4 } from "uuid";
 import { mapBy } from "@/utils";
-import { getEntitiesUsers, getUsers } from "@/utils/users.be";
+import { getEntitiesUsers, getUser, getUsers } from "@/utils/users.be";
 import { Group, User } from "@/interfaces/user";
 import { getGroups, getGroupsByEntities } from "@/utils/groups.be";
+import { requestUser } from "@/utils/api";

 export default withIronSessionApiRoute(handler, sessionOptions);

@@ -17,12 +18,8 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-  if (!req.session.user) {
-    res.status(401).json({ ok: false });
-    return;
-  }
-
-  const user = req.session.user;
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

  const groups: WithEntity<Group>[] = ["admin", "developer"].includes(user.type)
    ? await getGroups()
--- a/src/pages/api/entities/index.ts
+++ b/src/pages/api/entities/index.ts
@@ -2,9 +2,10 @@
 import type {NextApiRequest, NextApiResponse} from "next";
 import {withIronSessionApiRoute} from "iron-session/next";
 import {sessionOptions} from "@/lib/session";
-import {getEntities, getEntitiesWithRoles} from "@/utils/entities.be";
+import {createEntity, getEntities, getEntitiesWithRoles} from "@/utils/entities.be";
 import {Entity} from "@/interfaces/entity";
 import {v4} from "uuid";
+import { requestUser } from "@/utils/api";

 export default withIronSessionApiRoute(handler, sessionOptions);

@@ -14,12 +15,9 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

-	const user = req.session.user;
 	const {showRoles} = req.query as {showRoles: string};

 	const getFn = showRoles ? getEntitiesWithRoles : getEntities;
@@ -29,12 +27,9 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 }

 async function post(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

-	const user = req.session.user;
 	if (!["admin", "developer"].includes(user.type)) {
 		return res.status(403).json({ok: false});
 	}
@@ -44,5 +39,6 @@ async function post(req: NextApiRequest, res: NextApiResponse) {
 		label: req.body.label,
 	};

+	await createEntity(entity)
 	return res.status(200).json(entity);
 }
--- a/src/pages/api/entities/users.ts
+++ b/src/pages/api/entities/users.ts
@@ -3,11 +3,13 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { withIronSessionApiRoute } from "iron-session/next";
 import { sessionOptions } from "@/lib/session";
 import { getEntities, getEntitiesWithRoles } from "@/utils/entities.be";
-import { Entity, WithEntities, WithLabeledEntities } from "@/interfaces/entity";
+import { Entity, EntityWithRoles, WithEntities, WithLabeledEntities } from "@/interfaces/entity";
 import { v4 } from "uuid";
 import { mapBy } from "@/utils";
-import { getEntitiesUsers, getUsers } from "@/utils/users.be";
+import { getEntitiesUsers, getUser, getUsers } from "@/utils/users.be";
 import { User } from "@/interfaces/user";
+import { findAllowedEntities } from "@/utils/permissions";
+import { RolePermission } from "@/resources/entityPermissions";

 export default withIronSessionApiRoute(handler, sessionOptions);

@@ -15,33 +17,47 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
  if (req.method === "GET") return await get(req, res);
 }

-async function get(req: NextApiRequest, res: NextApiResponse) {
-  if (!req.session.user) {
-    res.status(401).json({ ok: false });
-    return;
-  }
+const labelUserEntity = (u: User, entities: EntityWithRoles[]) => ({
+  ...u, entities: (u.entities || []).map((e) => {
+    const entity = entities.find((x) => x.id === e.id)
+    if (!entity) return e

-  const user = req.session.user;
+    const role = entity.roles.find((x) => x.id === e.role)
+    return { id: e.id, label: entity.label, role: e.role, roleLabel: role?.label }
+  })
+})
+
+async function get(req: NextApiRequest, res: NextApiResponse) {
+  if (!req.session.user) return res.status(401).json({ ok: false });
+
+  const user = await getUser(req.session.user.id)
+  if (!user) return res.status(401).json({ ok: false });

  const { type } = req.query as { type: string }
-  const entities = await getEntitiesWithRoles(mapBy(user.entities || [], 'id'))
+
+  const entityIDs = mapBy(user.entities || [], 'id')
+  const entities = await getEntitiesWithRoles(entityIDs)
+
+  const isAdmin = ["admin", "developer"].includes(user.type)

  const filter = !type ? undefined : { type }
-  const users = ["admin", "developer"].includes(user.type)
+  const users = isAdmin
    ? await getUsers(filter)
    : await getEntitiesUsers(mapBy(entities, 'id') as string[], filter)

-  const usersWithEntities: WithLabeledEntities<User>[] = users.map((u) => {
-    return {
-      ...u, entities: (u.entities || []).map((e) => {
-        const entity = entities.find((x) => x.id === e.id)
-        if (!entity) return e
+  const filteredUsers = users.map((u) => {
+  	if (isAdmin) return labelUserEntity(u, entities)
+  	if (!isAdmin && ["admin", "developer", "agent"].includes(user.type)) return undefined

-        const role = entity.roles.find((x) => x.id === e.role)
-        return { id: e.id, label: entity.label, role: e.role, roleLabel: role?.label }
-      })
-    }
-  })
+   	const userEntities = mapBy(u.entities || [], 'id')
+    const sameEntities = entities.filter(e => userEntities.includes(e.id))

-  res.status(200).json(usersWithEntities);
+    const permission = `view_${u.type}s` as RolePermission
+    const allowedEntities = findAllowedEntities(user, sameEntities, permission)
+
+    if (allowedEntities.length === 0) return undefined
+    return labelUserEntity(u, allowedEntities)
+  }).filter(x => !!x) as WithLabeledEntities<User>[]
+
+  res.status(200).json(filteredUsers);
 }
--- a/src/pages/api/groups/[id].ts
+++ b/src/pages/api/groups/[id].ts
@@ -5,6 +5,7 @@ import {withIronSessionApiRoute} from "iron-session/next";
 import {sessionOptions} from "@/lib/session";
 import {Group} from "@/interfaces/user";
 import {updateExpiryDateOnGroup} from "@/utils/groups.be";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -19,10 +20,8 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};

@@ -36,10 +35,8 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 }

 async function del(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};
 	const group = await db.collection("groups").findOne<Group>({id: id});
@@ -49,7 +46,6 @@ async function del(req: NextApiRequest, res: NextApiResponse) {
 		return;
 	}

-	const user = req.session.user;
 	if (user.type === "admin" || user.type === "developer" || user.id === group.admin) {
 		await db.collection("groups").deleteOne({id: id});

@@ -61,10 +57,8 @@ async function del(req: NextApiRequest, res: NextApiResponse) {
 }

 async function patch(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};

@@ -74,7 +68,6 @@ async function patch(req: NextApiRequest, res: NextApiResponse) {
 		return;
 	}

-	const user = req.session.user;
 	if (
 		user.type === "admin" ||
 		user.type === "developer" ||
--- a/src/pages/api/invites/[id].ts
+++ b/src/pages/api/invites/[id].ts
@@ -4,6 +4,7 @@ import client from "@/lib/mongodb";
 import { withIronSessionApiRoute } from "iron-session/next";
 import { sessionOptions } from "@/lib/session";
 import { Invite } from "@/interfaces/invite";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -18,10 +19,8 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-  if (!req.session.user) {
-    res.status(401).json({ ok: false });
-    return;
-  }
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

  const { id } = req.query as { id: string };

@@ -35,10 +34,8 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 }

 async function del(req: NextApiRequest, res: NextApiResponse) {
-  if (!req.session.user) {
-    res.status(401).json({ ok: false });
-    return;
-  }
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

  const { id } = req.query as { id: string };

@@ -48,7 +45,6 @@ async function del(req: NextApiRequest, res: NextApiResponse) {
    return;
  }

-  const user = req.session.user;
  if (user.type === "admin" || user.type === "developer") {
    await db.collection("invites").deleteOne({ id: id });
    res.status(200).json({ ok: true });
@@ -59,13 +55,10 @@ async function del(req: NextApiRequest, res: NextApiResponse) {
 }

 async function patch(req: NextApiRequest, res: NextApiResponse) {
-  if (!req.session.user) {
-    res.status(401).json({ ok: false });
-    return;
-  }
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

  const { id } = req.query as { id: string };
-  const user = req.session.user;

  if (user.type === "admin" || user.type === "developer") {
    await db.collection("invites").updateOne(
--- a/src/pages/api/payments/[id].ts
+++ b/src/pages/api/payments/[id].ts
@@ -7,6 +7,7 @@ import {Group} from "@/interfaces/user";
 import {Payment} from "@/interfaces/paypal";
 import {deleteObject, ref} from "firebase/storage";
 import client from "@/lib/mongodb";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -38,17 +39,14 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 }

 async function del(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};

 	const payment = await db.collection("payments").findOne<Payment>({id});
 	if (!payment) return res.status(404).json({ok: false});

-	const user = req.session.user;
 	if (user.type === "admin" || user.type === "developer") {
 		if (payment.commissionTransfer) await deleteObject(ref(storage, payment.commissionTransfer));
 		if (payment.corporateTransfer) await deleteObject(ref(storage, payment.corporateTransfer));
@@ -62,17 +60,14 @@ async function del(req: NextApiRequest, res: NextApiResponse) {
 }

 async function patch(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ok: false});
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const {id} = req.query as {id: string};

 	const payment = await db.collection("payments").findOne<Payment>({id});
 	if (!payment) return res.status(404).json({ok: false});

-	const user = req.session.user;
 	if (user.type === "admin" || user.type === "developer") {
 		await db.collection("payments").updateOne({id: payment.id}, {$set: req.body});

--- a/src/pages/api/paypal/approve.ts
+++ b/src/pages/api/paypal/approve.ts
@@ -11,6 +11,7 @@ import { OrderResponseBody } from "@paypal/paypal-js";
 import { getAccessToken } from "@/utils/paypal";
 import moment from "moment";
 import { Group } from "@/interfaces/user";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -25,6 +26,9 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
  if (!accessToken)
    return res.status(401).json({ ok: false, reason: "Authorization failed!" });

+  const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
  const { id, duration, duration_unit, trackingId } = req.body as {
    id: string;
    duration: number;
--- a/src/pages/api/roles/[id]/index.ts
+++ b/src/pages/api/roles/[id]/index.ts
@@ -0,0 +1,79 @@
+// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
+import type {NextApiRequest, NextApiResponse} from "next";
+import {withIronSessionApiRoute} from "iron-session/next";
+import {sessionOptions} from "@/lib/session";
+import {getEntityWithRoles} from "@/utils/entities.be";
+import client from "@/lib/mongodb";
+import {Entity} from "@/interfaces/entity";
+import { deleteRole, getRole, transferRole } from "@/utils/roles.be";
+import { doesEntityAllow } from "@/utils/permissions";
+import { findBy } from "@/utils";
+import { requestUser } from "@/utils/api";
+
+const db = client.db(process.env.MONGODB_DB);
+
+export default withIronSessionApiRoute(handler, sessionOptions);
+
+async function handler(req: NextApiRequest, res: NextApiResponse) {
+	if (req.method === "GET") return await get(req, res);
+	if (req.method === "PATCH") return await patch(req, res);
+	if (req.method === "DELETE") return await del(req, res);
+}
+
+async function get(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	const {id} = req.query as {id: string};
+
+	const role = await getRole(id)
+	if (!role) return res.status(404).json({ok: false})
+
+	res.status(200).json(role);
+}
+
+async function del(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	const { id } = req.query as { id: string };
+
+	const role = await getRole(id)
+	if (!role) return res.status(404).json({ok: false})
+
+	if (role.isDefault) return res.status(403).json({ok: false})
+
+	const entity = await getEntityWithRoles(role.entityID)
+	if (!entity) return res.status(404).json({ok: false})
+
+	if (!doesEntityAllow(user, entity, "delete_entity_role")) return res.status(403).json({ok: false})
+
+	const defaultRole = findBy(entity.roles, 'isDefault', true)!
+
+	await transferRole(role.id, defaultRole.id)
+	await deleteRole(role.id)
+
+	return res.status(200).json({ok: true});
+}
+
+async function patch(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	const { id } = req.query as { id: string };
+	const {label, permissions} = req.body as {label?: string, permissions?: string}
+
+	const role = await getRole(id)
+	if (!role) return res.status(404).json({ok: false})
+
+	const entity = await getEntityWithRoles(role.entityID)
+	if (!entity) return res.status(404).json({ok: false})
+
+	if (!doesEntityAllow(user, entity, "rename_entity_role") && !!label) return res.status(403).json({ok: false})
+	if (!doesEntityAllow(user, entity, "edit_role_permissions") && !!permissions) return res.status(403).json({ok: false})
+
+	if (!!label) await db.collection<Entity>("roles").updateOne({ id }, { $set: {label} });
+	if (!!permissions) await db.collection<Entity>("roles").updateOne({ id }, { $set: {permissions} });
+
+	return res.status(200).json({ok: true});
+}
--- a/src/pages/api/roles/[id]/users.ts
+++ b/src/pages/api/roles/[id]/users.ts
@@ -0,0 +1,40 @@
+// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
+import type {NextApiRequest, NextApiResponse} from "next";
+import {withIronSessionApiRoute} from "iron-session/next";
+import {sessionOptions} from "@/lib/session";
+import {getEntityWithRoles} from "@/utils/entities.be";
+import client from "@/lib/mongodb";
+import {Entity} from "@/interfaces/entity";
+import { assignRoleToUsers, deleteRole, getRole, transferRole } from "@/utils/roles.be";
+import { doesEntityAllow } from "@/utils/permissions";
+import { findBy } from "@/utils";
+import { getUser } from "@/utils/users.be";
+
+const db = client.db(process.env.MONGODB_DB);
+
+export default withIronSessionApiRoute(handler, sessionOptions);
+
+async function handler(req: NextApiRequest, res: NextApiResponse) {
+	if (req.method === "POST") return await post(req, res);
+}
+
+async function post(req: NextApiRequest, res: NextApiResponse) {
+	if (!req.session.user) return res.status(401).json({ ok: false })
+
+	const user = await getUser(req.session.user.id);
+	if (!user) return res.status(401).json({ ok: false })
+
+	const { id } = req.query as { id: string };
+	const {users} = req.body as {users: string[]}
+
+	const role = await getRole(id)
+	if (!role) return res.status(404).json({ok: false})
+
+	const entity = await getEntityWithRoles(role.entityID)
+	if (!entity) return res.status(404).json({ok: false})
+
+	if (!doesEntityAllow(user, entity, "assign_to_role")) return res.status(403).json({ok: false})
+
+	const result = await assignRoleToUsers(users, entity.id, role.id)
+	return res.status(200).json({ok: result.acknowledged});
+}
--- a/src/pages/api/roles/index.ts
+++ b/src/pages/api/roles/index.ts
@@ -0,0 +1,50 @@
+// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
+import type {NextApiRequest, NextApiResponse} from "next";
+import {withIronSessionApiRoute} from "iron-session/next";
+import {sessionOptions} from "@/lib/session";
+import {getEntities, getEntitiesWithRoles, getEntity, getEntityWithRoles} from "@/utils/entities.be";
+import {Entity} from "@/interfaces/entity";
+import {v4} from "uuid";
+import { createRole, getRoles, getRolesByEntity } from "@/utils/roles.be";
+import { mapBy } from "@/utils";
+import { RolePermission } from "@/resources/entityPermissions";
+import { doesEntityAllow } from "@/utils/permissions";
+import { User } from "@/interfaces/user";
+import { requestUser } from "@/utils/api";
+
+export default withIronSessionApiRoute(handler, sessionOptions);
+
+async function handler(req: NextApiRequest, res: NextApiResponse) {
+	if (req.method === "GET") return await get(req, res);
+	if (req.method === "POST") return await post(req, res);
+}
+
+async function get(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	if (["admin", "developer"].includes(user.type)) return res.status(200).json(await getRoles());
+	res.status(200).json(await getRoles(mapBy(user.entities, 'role')));
+}
+
+async function post(req: NextApiRequest, res: NextApiResponse) {
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
+	const {entityID, label, permissions} = req.body as {entityID: string, label: string, permissions: RolePermission[]}
+
+	const entity = await getEntityWithRoles(entityID)
+	if (!entity) return res.status(404).json({ok: false})
+
+	if (!doesEntityAllow(user, entity, "create_entity_role")) return res.status(403).json({ok: false})
+
+	const role = {
+		id: v4(),
+		entityID,
+		label,
+		permissions
+	}
+
+	await createRole(role)
+	return res.status(200).json(role);
+}
--- a/src/pages/api/stats/index.ts
+++ b/src/pages/api/stats/index.ts
@@ -6,6 +6,7 @@ import { sessionOptions } from "@/lib/session";
 import { Stat } from "@/interfaces/user";
 import { Assignment } from "@/interfaces/results";
 import { groupBy } from "lodash";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

@@ -17,20 +18,17 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function get(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ ok: false });
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });
+
 	const snapshot = await db.collection("stats").find<Stat>({}).toArray();

 	res.status(200).json(snapshot);
 }

 async function post(req: NextApiRequest, res: NextApiResponse) {
-	if (!req.session.user) {
-		res.status(401).json({ ok: false });
-		return;
-	}
+	const user = await requestUser(req, res)
+	if (!user) return res.status(401).json({ ok: false });

 	const stats = req.body as Stat[];
 	stats.forEach(async (stat) => await db.collection("stats").updateOne(
@@ -59,7 +57,7 @@ async function post(req: NextApiRequest, res: NextApiResponse) {
 					$set: {
 						results: [
 							...assignmentSnapshot ? assignmentSnapshot.results : [],
-							{ user: req.session.user?.id, type: req.session.user?.focus, stats: assignmentStats },
+							{ user: user.id, type: user.focus, stats: assignmentStats },
 						],
 					}
 				}
--- a/src/pages/api/stats/update.ts
+++ b/src/pages/api/stats/update.ts
@@ -10,21 +10,23 @@ import client from "@/lib/mongodb";
 import {withIronSessionApiRoute} from "iron-session/next";
 import {groupBy} from "lodash";
 import {NextApiRequest, NextApiResponse} from "next";
+import { requestUser } from "@/utils/api";

 const db = client.db(process.env.MONGODB_DB);

 export default withIronSessionApiRoute(update, sessionOptions);

 async function update(req: NextApiRequest, res: NextApiResponse) {
-	if (req.session.user) {
-		const docUser = await db.collection("users").findOne({ id: req.session.user.id });
+	const user = await requestUser(req, res)
+	if (user) {
+		const docUser = await db.collection("users").findOne({ id: user.id });

 		if (!docUser) {
 			res.status(401).json(undefined);
 			return;
 		}

-		const stats = await db.collection("stats").find<Stat>({ user: req.session.user.id }).toArray();
+		const stats = await db.collection("stats").find<Stat>({ user: user.id }).toArray();

 		const groupedStats = groupBySession(stats);
 		const sessionLevels: {[key in Module]: {correct: number; total: number}}[] = Object.keys(groupedStats).map((key) => {
@@ -91,18 +93,18 @@ async function update(req: NextApiRequest, res: NextApiResponse) {


 		const levels = {
-			reading: calculateBandScore(readingLevel.correct, readingLevel.total, "reading", req.session.user.focus),
-			listening: calculateBandScore(listeningLevel.correct, listeningLevel.total, "listening", req.session.user.focus),
-			writing: calculateBandScore(writingLevel.correct, writingLevel.total, "writing", req.session.user.focus),
-			speaking: calculateBandScore(speakingLevel.correct, speakingLevel.total, "speaking", req.session.user.focus),
-			level: calculateBandScore(levelLevel.correct, levelLevel.total, "level", req.session.user.focus),
+			reading: calculateBandScore(readingLevel.correct, readingLevel.total, "reading", user.focus),
+			listening: calculateBandScore(listeningLevel.correct, listeningLevel.total, "listening", user.focus),
+			writing: calculateBandScore(writingLevel.correct, writingLevel.total, "writing", user.focus),
+			speaking: calculateBandScore(speakingLevel.correct, speakingLevel.total, "speaking", user.focus),
+			level: calculateBandScore(levelLevel.correct, levelLevel.total, "level", user.focus),
 		};

 		await db.collection("users").updateOne(
-			{ id: req.session.user.id},
+			{ id: user.id},
 			{ $set: {levels} }
 		);
-		  
+
 		res.status(200).json({ok: true});
 	} else {
 		res.status(401).json(undefined);
--- a/src/pages/api/user.ts
+++ b/src/pages/api/user.ts
@@ -9,6 +9,7 @@ import {getPermissions, getPermissionDocs} from "@/utils/permissions.be";
 import client from "@/lib/mongodb";
 import {getGroupsForUser, getParticipantGroups, removeParticipantFromGroup} from "@/utils/groups.be";
 import { mapBy } from "@/utils";
+import { getUser } from "@/utils/users.be";

 const auth = getAuth(adminApp);
 const db = client.db(process.env.MONGODB_DB);
@@ -59,11 +60,8 @@ async function del(req: NextApiRequest, res: NextApiResponse) {

 async function get(req: NextApiRequest, res: NextApiResponse) {
 	if (req.session.user) {
-		const user = await db.collection("users").findOne<User>({id: req.session.user.id});
-		if (!user) {
-			res.status(401).json(undefined);
-			return;
-		}
+		const user = await getUser(req.session.user.id)
+		if (!user) return res.status(401).json(undefined);

 		await db.collection("users").updateOne({id: user.id}, {$set: {lastLogin: new Date().toISOString()}});

--- a/src/pages/assignments/[id].tsx
+++ b/src/pages/assignments/[id].tsx
@@ -21,7 +21,7 @@ import {toast} from "react-toastify";
 import {futureAssignmentFilter} from "@/utils/assignments";
 import {withIronSessionSsr} from "iron-session/next";
 import {checkAccess} from "@/utils/permissions";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
 import {getAssignment} from "@/utils/assignments.be";
 import {getEntitiesUsers, getUsers} from "@/utils/users.be";
 import {getEntitiesWithRoles} from "@/utils/entities.be";
@@ -32,26 +32,14 @@ import Head from "next/head";
 import Layout from "@/components/High/Layout";
 import Separator from "@/components/Low/Separator";
 import Link from "next/link";
+import { requestUser } from "@/utils/api";

 export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
-	const user = req.session.user as User | undefined;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (!checkAccess(user, ["admin", "developer", "corporate", "teacher", "mastercorporate"]))
-		return {
-			redirect: {
-				destination: "/dashboard",
-				permanent: false,
-			},
-		};
+		return redirect("/assignments")

 	res.setHeader("Cache-Control", "public, s-maxage=10, stale-while-revalidate=59");

--- a/src/pages/assignments/creator/[id].tsx
+++ b/src/pages/assignments/creator/[id].tsx
@@ -14,7 +14,8 @@ import {InstructorGender, Variant} from "@/interfaces/exam";
 import {Assignment} from "@/interfaces/results";
 import {Group, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
+import { requestUser } from "@/utils/api";
 import {getAssignment} from "@/utils/assignments.be";
 import {getEntitiesWithRoles} from "@/utils/entities.be";
 import {getGroups, getGroupsByEntities} from "@/utils/groups.be";
@@ -36,7 +37,8 @@ import {BsBook, BsCheckCircle, BsChevronLeft, BsClipboard, BsHeadphones, BsMegap
 import {toast} from "react-toastify";

 export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
-	const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (!user) {
 		return {
--- a/src/pages/assignments/creator/index.tsx
+++ b/src/pages/assignments/creator/index.tsx
@@ -14,7 +14,8 @@ import {InstructorGender, Variant} from "@/interfaces/exam";
 import {Assignment} from "@/interfaces/results";
 import {Group, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
+import { requestUser } from "@/utils/api";
 import {getEntitiesWithRoles} from "@/utils/entities.be";
 import {getGroups, getGroupsByEntities} from "@/utils/groups.be";
 import {checkAccess} from "@/utils/permissions";
@@ -35,24 +36,11 @@ import {BsBook, BsCheckCircle, BsChevronLeft, BsClipboard, BsHeadphones, BsMegap
 import {toast} from "react-toastify";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User | undefined;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (!checkAccess(user, ["admin", "developer", "corporate", "teacher", "mastercorporate"]))
-		return {
-			redirect: {
-				destination: "/dashboard",
-				permanent: false,
-			},
-		};
+		return redirect("/")

 	const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/assignments/index.tsx
+++ b/src/pages/assignments/index.tsx
@@ -8,7 +8,8 @@ import {Assignment} from "@/interfaces/results";
 import {CorporateUser, Group, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import {getUserCompanyName} from "@/resources/user";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
+import { requestUser } from "@/utils/api";
 import {
 	activeAssignmentFilter,
 	archivedAssignmentFilter,
@@ -30,24 +31,11 @@ import {useMemo, useState} from "react";
 import {BsChevronLeft, BsPlus} from "react-icons/bs";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User | undefined;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (!checkAccess(user, ["admin", "developer", "corporate", "teacher", "mastercorporate"]))
-		return {
-			redirect: {
-				destination: "/dashboard",
-				permanent: false,
-			},
-		};
+		return redirect("/")

 	const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/classrooms/[id].tsx
+++ b/src/pages/classrooms/[id].tsx
@@ -6,6 +6,8 @@ import usePagination from "@/hooks/usePagination";
 import {GroupWithUsers, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import {USER_TYPE_LABELS} from "@/resources/user";
+import { redirect } from "@/utils";
+import { requestUser } from "@/utils/api";
 import {convertToUsers, getGroup} from "@/utils/groups.be";
 import {shouldRedirectHome} from "@/utils/navigation.disabled";
 import {checkAccess, getTypesOfUser} from "@/utils/permissions";
@@ -23,26 +25,11 @@ import {useEffect, useMemo, useState} from "react";
 import {BsChevronLeft, BsClockFill, BsEnvelopeFill, BsFillPersonVcardFill, BsPlus, BsStopwatchFill, BsTag, BsTrash, BsX} from "react-icons/bs";
 import {toast, ToastContainer} from "react-toastify";

-export const getServerSideProps = withIronSessionSsr(async ({req, params}) => {
-	const user = req.session.user as User;
+export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const {id} = params as {id: string};

--- a/src/pages/classrooms/create.tsx
+++ b/src/pages/classrooms/create.tsx
@@ -9,7 +9,7 @@ import {Entity} from "@/interfaces/entity";
 import {User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import {USER_TYPE_LABELS} from "@/resources/user";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
 import {getEntities} from "@/utils/entities.be";
 import {shouldRedirectHome} from "@/utils/navigation.disabled";
 import {getUserName} from "@/utils/users";
@@ -25,27 +25,13 @@ import {Divider} from "primereact/divider";
 import {useState} from "react";
 import {BsCheck, BsChevronLeft, BsClockFill, BsEnvelopeFill, BsStopwatchFill} from "react-icons/bs";
 import {toast, ToastContainer} from "react-toastify";
+import { requestUser } from "@/utils/api";

-export const getServerSideProps = withIronSessionSsr(async ({req}) => {
-	const user = req.session.user as User;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const linkedUsers = await getLinkedUsers(user.id, user.type);
 	const entities = await getEntities(mapBy(user.entities, "id"));
--- a/src/pages/classrooms/index.tsx
+++ b/src/pages/classrooms/index.tsx
@@ -14,28 +14,14 @@ import {uniq} from "lodash";
 import {BsPlus} from "react-icons/bs";
 import CardList from "@/components/High/CardList";
 import Separator from "@/components/Low/Separator";
-import {mapBy} from "@/utils";
+import {mapBy, redirect} from "@/utils";
+import { requestUser } from "@/utils/api";

-export const getServerSideProps = withIronSessionSsr(async ({req}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const entityIDS = mapBy(user.entities, "id");
 	const groups = await getGroupsForEntities(entityIDS);
--- a/src/pages/dashboard/admin.tsx
+++ b/src/pages/dashboard/admin.tsx
@@ -7,7 +7,8 @@ import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
 import { Group, Stat, User } from "@/interfaces/user";
 import { sessionOptions } from "@/lib/session";
-import { dateSorter, filterBy, mapBy, serialize } from "@/utils";
+import { dateSorter, filterBy, mapBy, redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
 import { getAssignments, getEntitiesAssignments } from "@/utils/assignments.be";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getGroups, getGroupsByEntities } from "@/utils/groups.be";
@@ -47,24 +48,10 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
-
-  if (!checkAccess(user, ["admin", "developer"]))
-    return {
-      redirect: {
-        destination: "/dashboard",
-        permanent: false,
-      },
-    };
+  if (!checkAccess(user, ["admin", "developer"])) return redirect("/")

  const users = await getUsers();
  const entities = await getEntitiesWithRoles();
--- a/src/pages/dashboard/corporate.tsx
+++ b/src/pages/dashboard/corporate.tsx
@@ -7,7 +7,8 @@ import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
 import { Group, Stat, User } from "@/interfaces/user";
 import { sessionOptions } from "@/lib/session";
-import { dateSorter, filterBy, mapBy, serialize } from "@/utils";
+import { dateSorter, filterBy, mapBy, redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
 import { getEntitiesAssignments } from "@/utils/assignments.be";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getGroupsByEntities } from "@/utils/groups.be";
@@ -45,24 +46,10 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
-
-  if (!checkAccess(user, ["admin", "developer", "corporate"]))
-    return {
-      redirect: {
-        destination: "/dashboard",
-        permanent: false,
-      },
-    };
+  if (!checkAccess(user, ["admin", "developer", "corporate"])) return redirect("/")

  const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/dashboard/developer.tsx
+++ b/src/pages/dashboard/developer.tsx
@@ -7,7 +7,8 @@ import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
 import { Group, Stat, User } from "@/interfaces/user";
 import { sessionOptions } from "@/lib/session";
-import { dateSorter, filterBy, mapBy, serialize } from "@/utils";
+import { dateSorter, filterBy, mapBy, redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
 import { getAssignments, getEntitiesAssignments } from "@/utils/assignments.be";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getGroups, getGroupsByEntities } from "@/utils/groups.be";
@@ -47,24 +48,10 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
-
-  if (!checkAccess(user, ["admin", "developer"]))
-    return {
-      redirect: {
-        destination: "/dashboard",
-        permanent: false,
-      },
-    };
+  if (!checkAccess(user, ["admin", "developer"])) return redirect("/")

  const users = await getUsers();
  const entities = await getEntitiesWithRoles();
--- a/src/pages/dashboard/index.tsx
+++ b/src/pages/dashboard/index.tsx
@@ -1,25 +1,14 @@
 import {User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
+import { requestUser } from "@/utils/api";
 import {withIronSessionSsr} from "iron-session/next";
+import { redirect } from "next/navigation";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	return {
-		redirect: {
-			destination: `/dashboard/${user.type}`,
-			permanent: false,
-		},
-	};
+	return redirect(`/dashboard/${user.type}`)
 }, sessionOptions);

 export default function Dashboard() {
--- a/src/pages/dashboard/mastercorporate.tsx
+++ b/src/pages/dashboard/mastercorporate.tsx
@@ -7,7 +7,8 @@ import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
 import { Group, Stat, User } from "@/interfaces/user";
 import { sessionOptions } from "@/lib/session";
-import { dateSorter, filterBy, mapBy, serialize } from "@/utils";
+import { dateSorter, filterBy, mapBy, redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
 import { getEntitiesAssignments } from "@/utils/assignments.be";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getGroupsByEntities } from "@/utils/groups.be";
@@ -47,24 +48,11 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
-
-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

  if (!checkAccess(user, ["admin", "developer", "mastercorporate"]))
-    return {
-      redirect: {
-        destination: "/dashboard",
-        permanent: false,
-      },
-    };
+    return redirect("/")

  const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/dashboard/student.tsx
+++ b/src/pages/dashboard/student.tsx
@@ -14,7 +14,8 @@ import {Assignment} from "@/interfaces/results";
 import {Stat, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import useExamStore from "@/stores/examStore";
-import {mapBy, serialize} from "@/utils";
+import {mapBy, redirect, serialize} from "@/utils";
+import { requestUser } from "@/utils/api";
 import {activeAssignmentFilter} from "@/utils/assignments";
 import {getAssignmentsByAssignee} from "@/utils/assignments.be";
 import {getEntitiesWithRoles, getEntityWithRoles} from "@/utils/entities.be";
@@ -48,24 +49,11 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User | undefined;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (!checkAccess(user, ["admin", "developer", "student"]))
-		return {
-			redirect: {
-				destination: "/dashboard",
-				permanent: false,
-			},
-		};
+		return redirect("/")

 	const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/dashboard/teacher.tsx
+++ b/src/pages/dashboard/teacher.tsx
@@ -7,7 +7,7 @@ import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
 import { Group, Stat, User } from "@/interfaces/user";
 import { sessionOptions } from "@/lib/session";
-import { dateSorter, filterBy, mapBy, serialize } from "@/utils";
+import { dateSorter, filterBy, mapBy, redirect, serialize } from "@/utils";
 import { getEntitiesAssignments } from "@/utils/assignments.be";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getGroupsByEntities } from "@/utils/groups.be";
@@ -23,6 +23,7 @@ import { useRouter } from "next/router";
 import { useMemo } from "react";
 import { BsClipboard2Data, BsEnvelopePaper, BsPaperclip, BsPeople, BsPersonFill } from "react-icons/bs";
 import { ToastContainer } from "react-toastify";
+import { requestUser } from "@/utils/api";

 interface Props {
  user: User;
@@ -34,24 +35,11 @@ interface Props {
 }

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
-
-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

  if (!checkAccess(user, ["admin", "developer", "teacher"]))
-    return {
-      redirect: {
-        destination: "/dashboard",
-        permanent: false,
-      },
-    };
+    return redirect("/")

  const entityIDS = mapBy(user.entities, "id") || [];

--- a/src/pages/entities/[id]/index.tsx
+++ b/src/pages/entities/[id]/index.tsx
@@ -1,19 +1,23 @@
 /* eslint-disable @next/next/no-img-element */
 import CardList from "@/components/High/CardList";
 import Layout from "@/components/High/Layout";
+import Select from "@/components/Low/Select";
 import Tooltip from "@/components/Low/Tooltip";
+import { useEntityPermission } from "@/hooks/useEntityPermissions";
 import {useListSearch} from "@/hooks/useListSearch";
 import usePagination from "@/hooks/usePagination";
 import {Entity, EntityWithRoles, Role} from "@/interfaces/entity";
 import {GroupWithUsers, User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import {USER_TYPE_LABELS} from "@/resources/user";
+import { findBy, redirect, serialize } from "@/utils";
 import {getEntityWithRoles} from "@/utils/entities.be";
 import {convertToUsers, getGroup} from "@/utils/groups.be";
 import {shouldRedirectHome} from "@/utils/navigation.disabled";
-import {checkAccess, getTypesOfUser} from "@/utils/permissions";
+import {checkAccess, doesEntityAllow, getTypesOfUser} from "@/utils/permissions";
 import {getUserName} from "@/utils/users";
 import {getEntityUsers, getLinkedUsers, getSpecificUsers} from "@/utils/users.be";
+import { Menu, MenuButton, MenuItem, MenuItems } from "@headlessui/react";
 import axios from "axios";
 import clsx from "clsx";
 import {withIronSessionSsr} from "iron-session/next";
@@ -28,6 +32,7 @@ import {
 	BsClockFill,
 	BsEnvelopeFill,
 	BsFillPersonVcardFill,
+	BsPerson,
 	BsPlus,
 	BsSquare,
 	BsStopwatchFill,
@@ -40,54 +45,31 @@ import {toast, ToastContainer} from "react-toastify";
 export const getServerSideProps = withIronSessionSsr(async ({req, params}) => {
 	const user = req.session.user as User;

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (!user) return redirect("/login")
+	if (shouldRedirectHome(user)) return redirect("/")

 	const {id} = params as {id: string};

-	const entityWithRoles = await getEntityWithRoles(id);
-	if (!entityWithRoles || (checkAccess(user, getTypesOfUser(["admin", "developer"])) && !user.entities.map((x) => x.id).includes(id))) {
-		return {
-			redirect: {
-				destination: "/entities",
-				permanent: false,
-			},
-		};
-	}
+	const entity = await getEntityWithRoles(id);
+	if (!entity) return redirect("/entities")

-	const {entity, roles} = entityWithRoles;
+	if (!doesEntityAllow(user, entity, "view_entities")) return redirect(`/entities`)

 	const linkedUsers = await getLinkedUsers(user.id, user.type);
 	const entityUsers = await getEntityUsers(id);

 	const usersWithRole = entityUsers.map((u) => {
 		const e = u.entities.find((e) => e.id === id);
-		return {...u, role: roles.find((r) => r.id === e?.role)};
+		return {...u, role: findBy(entity.roles, 'id', e?.role)};
 	});

 	return {
-		props: {
+		props: serialize({
 			user,
-			entity: JSON.parse(JSON.stringify(entity)),
-			roles: JSON.parse(JSON.stringify(roles)),
-			users: JSON.parse(JSON.stringify(usersWithRole)),
-			linkedUsers: JSON.parse(JSON.stringify(linkedUsers.users)),
-		},
+			entity,
+			users: usersWithRole,
+			linkedUsers: linkedUsers.users,
+		}),
 	};
 }, sessionOptions);

@@ -95,26 +77,32 @@ type UserWithRole = User & {role?: Role};

 interface Props {
 	user: User;
-	entity: Entity;
-	roles: Role[];
+	entity: EntityWithRoles;
 	users: UserWithRole[];
 	linkedUsers: User[];
 }

-export default function Home({user, entity, roles, users, linkedUsers}: Props) {
+export default function Home({user, entity, users, linkedUsers}: Props) {
 	const [isAdding, setIsAdding] = useState(false);
 	const [isLoading, setIsLoading] = useState(false);
 	const [selectedUsers, setSelectedUsers] = useState<string[]>([]);

 	const router = useRouter();

-	const allowEntityEdit = useMemo(() => checkAccess(user, ["admin", "developer"]), [user]);
+	const canRenameEntity = useEntityPermission(user, entity, "rename_entity")
+	const canViewRoles = useEntityPermission(user, entity, "view_entity_roles")
+	const canDeleteEntity = useEntityPermission(user, entity, "delete_entity")
+
+	const canAddMembers = useEntityPermission(user, entity, "add_to_entity")
+	const canRemoveMembers = useEntityPermission(user, entity, "remove_from_entity")
+
+	const canAssignRole = useEntityPermission(user, entity, "assign_to_role")

 	const toggleUser = (u: User) => setSelectedUsers((prev) => (prev.includes(u.id) ? prev.filter((p) => p !== u.id) : [...prev, u.id]));

 	const removeParticipants = () => {
 		if (selectedUsers.length === 0) return;
-		if (!allowEntityEdit) return;
+		if (!canRemoveMembers) return;
 		if (!confirm(`Are you sure you want to remove ${selectedUsers.length} member${selectedUsers.length === 1 ? "" : "s"} from this entity?`))
 			return;

@@ -136,13 +124,14 @@ export default function Home({user, entity, roles, users, linkedUsers}: Props) {

 	const addParticipants = () => {
 		if (selectedUsers.length === 0) return;
-		if (!allowEntityEdit || !isAdding) return;
+		if (!canAddMembers || !isAdding) return;
 		if (!confirm(`Are you sure you want to add ${selectedUsers.length} member${selectedUsers.length === 1 ? "" : "s"} to this entity?`)) return;

 		setIsLoading(true);
+		const defaultRole = findBy(entity.roles, 'isDefault', true)!

 		axios
-			.patch(`/api/entities/${entity.id}/users`, {add: true, members: selectedUsers, role: "90ce8f08-08c8-41e4-9848-f1500ddc3930"})
+			.patch(`/api/entities/${entity.id}/users`, {add: true, members: selectedUsers, role: defaultRole.id})
 			.then(() => {
 				toast.success("The entity has been updated successfully!");
 				router.replace(router.asPath);
@@ -156,14 +145,14 @@ export default function Home({user, entity, roles, users, linkedUsers}: Props) {
 	};

 	const renameGroup = () => {
-		if (!allowEntityEdit) return;
+		if (!canRenameEntity) return;

-		const name = prompt("Rename this entity:", entity.label);
-		if (!name) return;
+		const label = prompt("Rename this entity:", entity.label);
+		if (!label) return;

 		setIsLoading(true);
 		axios
-			.patch(`/api/entities/${entity.id}`, {name})
+			.patch(`/api/entities/${entity.id}`, {label})
 			.then(() => {
 				toast.success("The entity has been updated successfully!");
 				router.replace(router.asPath);
@@ -176,7 +165,7 @@ export default function Home({user, entity, roles, users, linkedUsers}: Props) {
 	};

 	const deleteGroup = () => {
-		if (!allowEntityEdit) return;
+		if (!canDeleteEntity) return;
 		if (!confirm("Are you sure you want to delete this entity?")) return;

 		setIsLoading(true);
@@ -194,11 +183,29 @@ export default function Home({user, entity, roles, users, linkedUsers}: Props) {
 			.finally(() => setIsLoading(false));
 	};

+	const assignUsersToRole = (role: string) => {
+		if (!canAssignRole) return
+		if (selectedUsers.length === 0) return
+
+		setIsLoading(true);
+		axios
+			.post(`/api/roles/${role}/users`, {users: selectedUsers})
+			.then(() => {
+				toast.success("The role has been assigned successfully!");
+				router.replace(router.asPath);
+			})
+			.catch((e) => {
+				console.error(e);
+				toast.error("Something went wrong!");
+			})
+			.finally(() => setIsLoading(false));
+	}
+
 	const renderCard = (u: UserWithRole) => {
 		return (
 			<button
 				onClick={() => toggleUser(u)}
-				disabled={!allowEntityEdit}
+				disabled={isAdding ? !canAddMembers : !canRemoveMembers}
 				key={u.id}
 				className={clsx(
 					"p-4 pr-6 h-48 relative border rounded-xl flex flex-col gap-3 justify-between text-left cursor-pointer",
@@ -255,89 +262,111 @@ export default function Home({user, entity, roles, users, linkedUsers}: Props) {
 				<meta name="viewport" content="width=device-width, initial-scale=1" />
 				<link rel="icon" href="/favicon.ico" />
 			</Head>
-			<ToastContainer />
-			{user && (
-				<Layout user={user}>
-					<section className="flex flex-col gap-0">
-						<div className="flex flex-col gap-3">
-							<div className="flex items-end justify-between">
-								<div className="flex items-center gap-2">
-									<Link
-										href="/entities"
-										className="text-mti-purple hover:text-mti-purple-dark transition ease-in-out duration-300 text-xl">
-										<BsChevronLeft />
-									</Link>
-									<h2 className="font-bold text-2xl">{entity.label}</h2>
-								</div>
-							</div>
-							{allowEntityEdit && !isAdding && (
-								<div className="flex items-center gap-2">
-									<button
-										onClick={renameGroup}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsTag />
-										<span className="text-xs">Rename Entity</span>
-									</button>
-									<button
-										onClick={deleteGroup}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsTrash />
-										<span className="text-xs">Delete Entity</span>
-									</button>
-								</div>
-							)}
-						</div>
-						<Divider />
-						<div className="flex items-center justify-between mb-4">
-							<span className="font-semibold text-xl">Members ({users.length})</span>
-							{allowEntityEdit && !isAdding && (
-								<div className="flex items-center gap-2">
-									<button
-										onClick={() => setIsAdding(true)}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsPlus />
-										<span className="text-xs">Add Members</span>
-									</button>
-									<button
-										onClick={removeParticipants}
-										disabled={selectedUsers.length === 0 || isLoading}
-										className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsTrash />
-										<span className="text-xs">Remove Members</span>
-									</button>
-								</div>
-							)}
-							{allowEntityEdit && isAdding && (
-								<div className="flex items-center gap-2">
-									<button
-										onClick={() => setIsAdding(false)}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border rounded-full border-mti-rose bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsX />
-										<span className="text-xs">Discard Selection</span>
-									</button>
-									<button
-										onClick={addParticipants}
-										disabled={selectedUsers.length === 0 || isLoading}
-										className="flex items-center gap-1 px-2 py-2 border rounded-full border-mti-green bg-mti-green-light text-white hover:bg-mti-green-dark disabled:hover:bg-mti-green-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsPlus />
-										<span className="text-xs">Add Members ({selectedUsers.length})</span>
-									</button>
-								</div>
-							)}
-						</div>

-						<CardList<User | UserWithRole>
-							list={isAdding ? linkedUsers : users}
-							renderCard={renderCard}
-							searchFields={[["name"], ["corporateInformation", "companyInformation", "name"], ["role", "label"], ["type"]]}
-						/>
-					</section>
-				</Layout>
-			)}
+			<Layout user={user}>
+				<section className="flex flex-col gap-0">
+					<div className="flex flex-col gap-3">
+						<div className="flex items-end justify-between">
+							<div className="flex items-center gap-2">
+								<Link
+									href="/entities"
+									className="text-mti-purple hover:text-mti-purple-dark transition ease-in-out duration-300 text-xl">
+									<BsChevronLeft />
+								</Link>
+								<h2 className="font-bold text-2xl">{entity.label}</h2>
+							</div>
+						</div>
+						<div className="flex items-center gap-2">
+							<button
+								onClick={renameGroup}
+								disabled={isLoading || !canRenameEntity}
+								className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+								<BsTag />
+								<span className="text-xs">Rename Entity</span>
+							</button>
+							<button
+								onClick={() => router.push(`/entities/${entity.id}/roles`)}
+								disabled={isLoading || !canViewRoles}
+								className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+								<BsPerson />
+								<span className="text-xs">Edit Roles</span>
+							</button>
+							<button
+								onClick={deleteGroup}
+								disabled={isLoading || !canDeleteEntity}
+								className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+								<BsTrash />
+								<span className="text-xs">Delete Entity</span>
+							</button>
+						</div>
+					</div>
+					<Divider />
+					<div className="flex items-center justify-between mb-4">
+						<span className="font-semibold text-xl">Members ({users.length})</span>
+						{!isAdding && (
+							<div className="flex items-center gap-2">
+								<button
+									onClick={() => setIsAdding(true)}
+									disabled={isLoading || !canAddMembers}
+									className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsPlus />
+									<span className="text-xs">Add Members</span>
+								</button>
+
+								<Menu>
+									<MenuButton
+										disabled={isLoading || !canAssignRole || selectedUsers.length === 0}
+										className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+										<BsPerson />
+										<span className="text-xs">Assign Role</span>
+									</MenuButton>
+									<MenuItems anchor="bottom" className="bg-white rounded-xl shadow drop-shadow border mt-1 flex flex-col">
+										{entity.roles.map((role) => (
+											<MenuItem key={role.id}>
+												<button onClick={() => assignUsersToRole(role.id)} className="p-4 hover:bg-neutral-100 w-32">
+													{ role.label }
+												</button>
+											</MenuItem>
+										))}
+									</MenuItems>
+								</Menu>
+
+								<button
+									onClick={removeParticipants}
+									disabled={selectedUsers.length === 0 || isLoading || !canRemoveMembers}
+									className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsTrash />
+									<span className="text-xs">Remove Members</span>
+								</button>
+							</div>
+						)}
+						{isAdding && (
+							<div className="flex items-center gap-2">
+								<button
+									onClick={() => setIsAdding(false)}
+									disabled={isLoading}
+									className="flex items-center gap-1 px-2 py-2 border rounded-full border-mti-rose bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsX />
+									<span className="text-xs">Discard Selection</span>
+								</button>
+								<button
+									onClick={addParticipants}
+									disabled={selectedUsers.length === 0 || isLoading || !canAddMembers}
+									className="flex items-center gap-1 px-2 py-2 border rounded-full border-mti-green bg-mti-green-light text-white hover:bg-mti-green-dark disabled:hover:bg-mti-green-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsPlus />
+									<span className="text-xs">Add Members ({selectedUsers.length})</span>
+								</button>
+							</div>
+						)}
+					</div>
+
+					<CardList<User | UserWithRole>
+						list={isAdding ? linkedUsers : users}
+						renderCard={renderCard}
+						searchFields={[["name"], ["corporateInformation", "companyInformation", "name"], ["role", "label"], ["type"]]}
+					/>
+				</section>
+			</Layout>
 		</>
 	);
 }
--- a/src/pages/entities/[id]/roles/[role].tsx
+++ b/src/pages/entities/[id]/roles/[role].tsx
@@ -0,0 +1,326 @@
+import Layout from "@/components/High/Layout";
+import Checkbox from "@/components/Low/Checkbox";
+import Separator from "@/components/Low/Separator";
+import { useEntityPermission } from "@/hooks/useEntityPermissions";
+import {EntityWithRoles, Role} from "@/interfaces/entity";
+import {User} from "@/interfaces/user";
+import {sessionOptions} from "@/lib/session";
+import { RolePermission } from "@/resources/entityPermissions";
+import { findBy, mapBy, redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
+import {getEntityWithRoles} from "@/utils/entities.be";
+import {shouldRedirectHome} from "@/utils/navigation.disabled";
+import {doesEntityAllow} from "@/utils/permissions";
+import {countEntityUsers} from "@/utils/users.be";
+import axios from "axios";
+import {withIronSessionSsr} from "iron-session/next";
+import Head from "next/head";
+import Link from "next/link";
+import {useRouter} from "next/router";
+import {Divider} from "primereact/divider";
+import {useState} from "react";
+import {
+	BsCheck,
+	BsChevronLeft,
+	BsTag,
+	BsTrash,
+} from "react-icons/bs";
+import {toast} from "react-toastify";
+
+type PermissionLayout = {label: string, key: RolePermission}
+
+const USER_MANAGEMENT: PermissionLayout[] = [
+	{label: "View Students", key: "view_students"},
+	{label: "View Teachers", key: "view_teachers"},
+	{label: "View Corporate Accounts", key: "view_corporates"},
+	{label: "View Master Corporate Accounts", key: "view_mastercorporates"},
+	{label: "Edit Students", key: "edit_students"},
+	{label: "Edit Teachers", key: "edit_teachers"},
+	{label: "Edit Corporate Accounts", key: "edit_corporates"},
+	{label: "Edit Master Corporate Accounts", key: "edit_mastercorporates"},
+	{label: "Delete Students", key: "delete_students"},
+	{label: "Delete Teachers", key: "delete_teachers"},
+	{label: "Delete Corporate Accounts", key: "delete_corporates"},
+	{label: "Delete Master Corporate Accounts", key: "delete_mastercorporates"},
+]
+
+const EXAM_MANAGEMENT: PermissionLayout[] = [
+	{label: "Generate Reading", key: "generate_reading"},
+	{label: "Delete Reading", key: "delete_reading"},
+	{label: "Generate Listening", key: "generate_listening"},
+	{label: "Delete Listening", key: "delete_listening"},
+	{label: "Generate Writing", key: "generate_writing"},
+	{label: "Delete Writing", key: "delete_writing"},
+	{label: "Generate Speaking", key: "generate_speaking"},
+	{label: "Delete Speaking", key: "delete_speaking"},
+	{label: "Generate Level", key: "generate_level"},
+	{label: "Delete Level", key: "delete_level"},
+]
+
+const CLASSROOM_MANAGEMENT: PermissionLayout[] = [
+	{label: "View Classrooms", key: "view_classrooms"},
+	{label: "Create Classrooms", key: "create_classroom"},
+	{label: "Rename Classrooms", key: "rename_classrooms"},
+	{label: "Add to Classroom", key: "add_to_classroom"},
+	{label: "Remove from Classroom", key: "remove_from_classroom"},
+	{label: "Delete Classroom", key: "delete_classroom"},
+]
+
+const ENTITY_MANAGEMENT: PermissionLayout[] = [
+	{label: "View Entities", key: "view_entities"},
+	{label: "Rename Entity", key: "rename_entity"},
+	{label: "Add to Entity", key: "add_to_entity"},
+	{label: "Remove from Entity", key: "remove_from_entity"},
+	{label: "Delete Entity", key: "delete_entity"},
+	{label: "View Entity Roles", key: "view_entity_roles"},
+	{label: "Create Entity Role", key: "create_entity_role"},
+	{label: "Rename Entity Role", key: "rename_entity_role"},
+	{label: "Edit Role Permissions", key: "edit_role_permissions"},
+	{label: "Assign Role to User", key: "assign_to_role"},
+	{label: "Delete Entity Role", key: "delete_entity_role"},
+]
+
+export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")
+
+	if (shouldRedirectHome(user)) return redirect("/")
+
+	const {id, role} = params as {id: string, role: string};
+
+	if (!mapBy(user.entities, 'id').includes(id) && !["admin", "developer"].includes(user.type)) return redirect("/entities")
+
+	const entity = await getEntityWithRoles(id);
+	if (!entity) return redirect("/entities")
+
+	const entityRole = findBy(entity.roles, 'id', role)
+	if (!entityRole) return redirect(`/entities/${id}/roles`)
+
+	if (!doesEntityAllow(user, entity, "view_entity_roles")) return redirect(`/entities/${id}`)
+
+	const userCount = await countEntityUsers(id, { "entities.role": role });
+
+	return {
+		props: serialize({
+			user,
+			entity,
+			role: entityRole,
+			userCount,
+		}),
+	};
+}, sessionOptions);
+
+interface Props {
+	user: User;
+	entity: EntityWithRoles;
+	role: Role;
+	userCount: number;
+}
+
+export default function Role({user, entity, role, userCount}: Props) {
+	const [permissions, setPermissions] = useState(role.permissions)
+	const [isLoading, setIsLoading] = useState(false);
+
+	const router = useRouter();
+
+	const canEditPermissions = useEntityPermission(user, entity, "edit_role_permissions")
+	const canRenameRole = useEntityPermission(user, entity, "rename_entity_role")
+	const canDeleteRole = useEntityPermission(user, entity, "delete_entity_role")
+
+	const renameRole = () => {
+		if (!canRenameRole) return;
+
+		const label = prompt("Rename this role:", role.label);
+		if (!label) return;
+
+		setIsLoading(true);
+		axios
+			.patch(`/api/roles/${role.id}`, {label})
+			.then(() => {
+				toast.success("The role has been updated successfully!");
+				router.replace(router.asPath);
+			})
+			.catch((e) => {
+				console.error(e);
+				toast.error("Something went wrong!");
+			})
+			.finally(() => setIsLoading(false));
+	};
+
+	const deleteRole = () => {
+		if (!canDeleteRole || role.isDefault) return;
+		if (!confirm("Are you sure you want to delete this role?")) return;
+
+		setIsLoading(true);
+
+		axios
+			.delete(`/api/roles/${role.id}`)
+			.then(() => {
+				toast.success("This role has been successfully deleted!");
+				router.replace(`/entities/${entity.id}/roles`);
+			})
+			.catch((e) => {
+				console.error(e);
+				toast.error("Something went wrong!");
+			})
+			.finally(() => setIsLoading(false));
+	};
+
+	const editPermissions = () => {
+		if (!canEditPermissions) return
+
+		setIsLoading(true);
+
+		axios
+			.patch(`/api/roles/${role.id}`, {permissions})
+			.then(() => {
+				toast.success("This role has been successfully updated!");
+				router.replace(router.asPath);
+			})
+			.catch((e) => {
+				console.error(e);
+				toast.error("Something went wrong!");
+			})
+			.finally(() => setIsLoading(false));
+	}
+
+	const togglePermissions = (p: string) => setPermissions(prev => prev.includes(p) ? prev.filter(x => x !== p) : [...prev, p])
+
+	return (
+		<>
+			<Head>
+				<title>{ role.label } | {entity.label} | EnCoach</title>
+				<meta
+					name="description"
+					content="A training platform for the IELTS exam provided by the Muscat Training Institute and developed by eCrop."
+				/>
+				<meta name="viewport" content="width=device-width, initial-scale=1" />
+				<link rel="icon" href="/favicon.ico" />
+			</Head>
+			<Layout user={user}>
+				<section className="flex flex-col gap-0">
+					<div className="flex flex-col gap-3">
+						<div className="flex items-end justify-between">
+							<div className="flex items-center gap-2">
+								<Link
+									href={`/entities/${entity.id}/roles`}
+									className="text-mti-purple hover:text-mti-purple-dark transition ease-in-out duration-300 text-xl">
+									<BsChevronLeft />
+								</Link>
+							<h2 className="font-bold text-2xl">{role.label} Role ({ userCount } users)</h2>
+							</div>
+						</div>
+						<div className="flex items-center justify-between w-full">
+							<div className="flex items-center gap-2">
+								<button
+									onClick={renameRole}
+									disabled={isLoading || !canRenameRole}
+									className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsTag />
+									<span className="text-xs">Rename Role</span>
+								</button>
+								<button
+									onClick={deleteRole}
+									disabled={isLoading || !canDeleteRole || role.isDefault}
+									className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+									<BsTrash />
+									<span className="text-xs">Delete Role</span>
+								</button>
+							</div>
+							<button
+								onClick={editPermissions}
+								disabled={isLoading || !canEditPermissions}
+								className="flex items-center gap-1 px-2 py-2 border rounded-full border-mti-green bg-mti-green-light text-white hover:bg-mti-green-dark disabled:hover:bg-mti-green-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
+								<BsCheck />
+								<span className="text-xs">Save Changes</span>
+							</button>
+						</div>
+					</div>
+					<Divider />
+
+					<section className="grid grid-cols-2 gap-16">
+						<div className="flex flex-col gap-4">
+							<div className="w-full flex items-center justify-between">
+								<b>User Management</b>
+								<Checkbox
+									isChecked={mapBy(USER_MANAGEMENT, 'key').every(k => permissions.includes(k))}
+									onChange={() => mapBy(USER_MANAGEMENT, 'key').forEach(togglePermissions)}
+								>
+									Select all
+								</Checkbox>
+							</div>
+							<Separator />
+							<div className="grid grid-cols-2 gap-4">
+							{USER_MANAGEMENT.map(({label, key}) => (
+								<Checkbox disabled={!canEditPermissions} key={key} isChecked={permissions.includes(key)} onChange={() => togglePermissions(key)}>
+									{ label }
+								</Checkbox>
+							)) }
+							</div>
+						</div>
+
+						<div className="flex flex-col gap-4">
+							<div className="w-full flex items-center justify-between">
+								<b>Exam Management</b>
+								<Checkbox
+									isChecked={mapBy(EXAM_MANAGEMENT, 'key').every(k => permissions.includes(k))}
+									onChange={() => mapBy(EXAM_MANAGEMENT, 'key').forEach(togglePermissions)}
+								>
+									Select all
+								</Checkbox>
+							</div>
+							<Separator />
+							<div className="grid grid-cols-2 gap-4">
+							{EXAM_MANAGEMENT.map(({label, key}) => (
+								<Checkbox disabled={!canEditPermissions} key={key} isChecked={permissions.includes(key)} onChange={() => togglePermissions(key)}>
+									{ label }
+								</Checkbox>
+							)) }
+							</div>
+						</div>
+
+						<div className="flex flex-col gap-4">
+							<div className="w-full flex items-center justify-between">
+								<b>Clasroom Management</b>
+								<Checkbox
+									isChecked={mapBy(CLASSROOM_MANAGEMENT, 'key').every(k => permissions.includes(k))}
+									onChange={() => mapBy(CLASSROOM_MANAGEMENT, 'key').forEach(togglePermissions)}
+								>
+									Select all
+								</Checkbox>
+							</div>
+							<Separator />
+							<div className="grid grid-cols-2 gap-4">
+							{CLASSROOM_MANAGEMENT.map(({label, key}) => (
+								<Checkbox disabled={!canEditPermissions} key={key} isChecked={permissions.includes(key)} onChange={() => togglePermissions(key)}>
+									{ label }
+								</Checkbox>
+							)) }
+							</div>
+						</div>
+
+						<div className="flex flex-col gap-4">
+							<div className="w-full flex items-center justify-between">
+								<b>Entity Management</b>
+								<Checkbox
+									isChecked={mapBy(ENTITY_MANAGEMENT, 'key').every(k => permissions.includes(k))}
+									onChange={() => mapBy(ENTITY_MANAGEMENT, 'key').forEach(togglePermissions)}
+								>
+									Select all
+								</Checkbox>
+							</div>
+							<Separator />
+							<div className="grid grid-cols-2 gap-4">
+							{ENTITY_MANAGEMENT.map(({label, key}) => (
+								<Checkbox disabled={!canEditPermissions} key={key} isChecked={permissions.includes(key)} onChange={() => togglePermissions(key)}>
+									{ label }
+								</Checkbox>
+							)) }
+							</div>
+						</div>
+					</section>
+				</section>
+			</Layout>
+		</>
+	);
+}
--- a/src/pages/entities/[id]/roles/index.tsx
+++ b/src/pages/entities/[id]/roles/index.tsx
@@ -0,0 +1,158 @@
+/* eslint-disable @next/next/no-img-element */
+import CardList from "@/components/High/CardList";
+import Layout from "@/components/High/Layout";
+import Tooltip from "@/components/Low/Tooltip";
+import { useEntityPermission } from "@/hooks/useEntityPermissions";
+import {useListSearch} from "@/hooks/useListSearch";
+import usePagination from "@/hooks/usePagination";
+import {Entity, EntityWithRoles, Role} from "@/interfaces/entity";
+import {GroupWithUsers, User} from "@/interfaces/user";
+import {sessionOptions} from "@/lib/session";
+import {USER_TYPE_LABELS} from "@/resources/user";
+import { redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
+import {getEntityWithRoles} from "@/utils/entities.be";
+import {convertToUsers, getGroup} from "@/utils/groups.be";
+import {shouldRedirectHome} from "@/utils/navigation.disabled";
+import {checkAccess, doesEntityAllow, getTypesOfUser} from "@/utils/permissions";
+import {getUserName} from "@/utils/users";
+import {getEntityUsers, getLinkedUsers, getSpecificUsers} from "@/utils/users.be";
+import axios from "axios";
+import clsx from "clsx";
+import {withIronSessionSsr} from "iron-session/next";
+import moment from "moment";
+import Head from "next/head";
+import Link from "next/link";
+import {useRouter} from "next/router";
+import {Divider} from "primereact/divider";
+import {useEffect, useMemo, useState} from "react";
+import {
+	BsChevronLeft,
+	BsClockFill,
+	BsEnvelopeFill,
+	BsFillPersonVcardFill,
+	BsPlus,
+	BsSquare,
+	BsStopwatchFill,
+	BsTag,
+	BsTrash,
+	BsX,
+} from "react-icons/bs";
+import {toast, ToastContainer} from "react-toastify";
+
+export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")
+
+	if (shouldRedirectHome(user)) return redirect("/")
+
+	const {id} = params as {id: string};
+
+	const entity = await getEntityWithRoles(id);
+	if (!entity) return redirect("/entities")
+	if (!doesEntityAllow(user, entity, "view_entity_roles")) return redirect(`/entities/${id}`)
+
+	const users = await getEntityUsers(id);
+
+	return {
+		props: serialize({
+			user,
+			entity,
+			roles: entity.roles,
+			users,
+		}),
+	};
+}, sessionOptions);
+
+interface Props {
+	user: User;
+	entity: EntityWithRoles;
+	roles: Role[];
+	users: User[];
+}
+
+export default function Home({user, entity, roles, users}: Props) {
+	const router = useRouter();
+
+	const canCreateRole = useEntityPermission(user, entity, "create_entity_role")
+
+	const createRole = () => {
+		if (!canCreateRole) return
+		const label = prompt("What is the name of this new role?")
+		if (!label) return
+
+		axios.post<Role>('/api/roles', {label, permissions: [], entityID: entity.id})
+			.then((result) => {
+				toast.success(`'${label}' role created successfully!`)
+				router.push(`/entities/${entity.id}/roles/${result.data.id}`)
+			})
+			.catch(() => {
+				toast.error("Something went wrong!")
+			})
+	}
+
+	const firstCard = () => (
+		<button
+			onClick={createRole}
+			className="p-4 border hover:text-mti-purple rounded-xl flex flex-col items-center justify-center gap-0 hover:border-mti-purple transition ease-in-out duration-300 text-left cursor-pointer">
+			<BsPlus size={40} />
+			<span className="font-semibold">Create Role</span>
+		</button>
+	);
+
+	const renderCard = (role: Role) => {
+		const usersWithRole = users.filter((x) => x.entities.map((x) => x.role).includes(role.id));
+
+		return (
+			<Link
+				href={`/entities/${entity.id}/roles/${role.id}`}
+				key={role.id}
+				className={clsx(
+					"p-4 pr-6 h-fit relative border rounded-xl flex flex-col gap-3  text-left cursor-pointer",
+					"hover:border-mti-purple transition ease-in-out duration-300",
+				)}>
+				<div className="flex flex-col">
+					<span className="font-semibold">{role.label}</span>
+					<span className="opacity-80 text-sm">{usersWithRole.length} members</span>
+				</div>
+
+				<b>{role.permissions.length} Permissions</b>
+			</Link>
+		);
+	};
+
+	return (
+		<>
+			<Head>
+				<title>{entity.label} | EnCoach</title>
+				<meta
+					name="description"
+					content="A training platform for the IELTS exam provided by the Muscat Training Institute and developed by eCrop."
+				/>
+				<meta name="viewport" content="width=device-width, initial-scale=1" />
+				<link rel="icon" href="/favicon.ico" />
+			</Head>
+			<ToastContainer />
+			<Layout user={user}>
+				<section className="flex flex-col gap-0">
+					<div className="flex flex-col gap-3">
+						<div className="flex items-end justify-between">
+							<div className="flex items-center gap-2">
+								<Link
+									href={`/entities/${entity.id}`}
+									className="text-mti-purple hover:text-mti-purple-dark transition ease-in-out duration-300 text-xl">
+									<BsChevronLeft />
+								</Link>
+								<h2 className="font-bold text-2xl">{entity.label}</h2>
+							</div>
+						</div>
+					</div>
+					<Divider />
+					<span className="font-semibold text-xl mb-4">Roles</span>
+
+					<CardList list={roles} searchFields={[["label"]]} renderCard={renderCard} firstCard={canCreateRole ? firstCard : undefined} />
+				</section>
+			</Layout>
+		</>
+	);
+}
--- a/src/pages/entities/[id]/settings.tsx
+++ b/src/pages/entities/[id]/settings.tsx
@@ -1,232 +0,0 @@
-/* eslint-disable @next/next/no-img-element */
-import CardList from "@/components/High/CardList";
-import Layout from "@/components/High/Layout";
-import Tooltip from "@/components/Low/Tooltip";
-import {useListSearch} from "@/hooks/useListSearch";
-import usePagination from "@/hooks/usePagination";
-import {Entity, EntityWithRoles, Role} from "@/interfaces/entity";
-import {GroupWithUsers, User} from "@/interfaces/user";
-import {sessionOptions} from "@/lib/session";
-import {USER_TYPE_LABELS} from "@/resources/user";
-import {getEntityWithRoles} from "@/utils/entities.be";
-import {convertToUsers, getGroup} from "@/utils/groups.be";
-import {shouldRedirectHome} from "@/utils/navigation.disabled";
-import {checkAccess, getTypesOfUser} from "@/utils/permissions";
-import {getUserName} from "@/utils/users";
-import {getEntityUsers, getLinkedUsers, getSpecificUsers} from "@/utils/users.be";
-import axios from "axios";
-import clsx from "clsx";
-import {withIronSessionSsr} from "iron-session/next";
-import moment from "moment";
-import Head from "next/head";
-import Link from "next/link";
-import {useRouter} from "next/router";
-import {Divider} from "primereact/divider";
-import {useEffect, useMemo, useState} from "react";
-import {
-	BsChevronLeft,
-	BsClockFill,
-	BsEnvelopeFill,
-	BsFillPersonVcardFill,
-	BsPlus,
-	BsSquare,
-	BsStopwatchFill,
-	BsTag,
-	BsTrash,
-	BsX,
-} from "react-icons/bs";
-import {toast, ToastContainer} from "react-toastify";
-
-export const getServerSideProps = withIronSessionSsr(async ({req, params}) => {
-	const user = req.session.user as User;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
-
-	const {id} = params as {id: string};
-
-	const entityWithRoles = await getEntityWithRoles(id);
-	if (!entityWithRoles || (checkAccess(user, getTypesOfUser(["admin", "developer"])) && !user.entities.map((x) => x.id).includes(id))) {
-		return {
-			redirect: {
-				destination: "/entities",
-				permanent: false,
-			},
-		};
-	}
-
-	const {entity, roles} = entityWithRoles;
-
-	const linkedUsers = await getLinkedUsers(user.id, user.type);
-	const users = await getEntityUsers(id);
-
-	return {
-		props: {
-			user,
-			entity: JSON.parse(JSON.stringify(entity)),
-			roles: JSON.parse(JSON.stringify(roles)),
-			users: JSON.parse(JSON.stringify(users)),
-			linkedUsers: JSON.parse(JSON.stringify(linkedUsers.users)),
-		},
-	};
-}, sessionOptions);
-
-interface Props {
-	user: User;
-	entity: Entity;
-	roles: Role[];
-	users: User[];
-	linkedUsers: User[];
-}
-
-export default function Home({user, entity, roles, users, linkedUsers}: Props) {
-	const [isEditing, setIsEditing] = useState(false);
-	const [isLoading, setIsLoading] = useState(false);
-
-	const router = useRouter();
-
-	const allowEntityEdit = useMemo(() => checkAccess(user, ["admin", "developer"]), [user]);
-
-	const renameGroup = () => {
-		if (!allowEntityEdit) return;
-
-		const name = prompt("Rename this entity:", entity.label);
-		if (!name) return;
-
-		setIsLoading(true);
-		axios
-			.patch(`/api/entities/${entity.id}`, {name})
-			.then(() => {
-				toast.success("The entity has been updated successfully!");
-				router.replace(router.asPath);
-			})
-			.catch((e) => {
-				console.error(e);
-				toast.error("Something went wrong!");
-			})
-			.finally(() => setIsLoading(false));
-	};
-
-	const deleteGroup = () => {
-		if (!allowEntityEdit) return;
-		if (!confirm("Are you sure you want to delete this entity?")) return;
-
-		setIsLoading(true);
-
-		axios
-			.delete(`/api/entities/${entity.id}`)
-			.then(() => {
-				toast.success("This entity has been successfully deleted!");
-				router.replace("/entities");
-			})
-			.catch((e) => {
-				console.error(e);
-				toast.error("Something went wrong!");
-			})
-			.finally(() => setIsLoading(false));
-	};
-
-	const firstCard = () => (
-		<Link
-			href={`/entities/${entity.id}/role`}
-			className="p-4 border hover:text-mti-purple rounded-xl flex flex-col items-center justify-center gap-0 hover:border-mti-purple transition ease-in-out duration-300 text-left cursor-pointer">
-			<BsPlus size={40} />
-			<span className="font-semibold">Create Role</span>
-		</Link>
-	);
-
-	const renderCard = (role: Role) => {
-		const usersWithRole = users.filter((x) => x.entities.map((x) => x.role).includes(role.id));
-
-		return (
-			<button
-				disabled={!allowEntityEdit}
-				key={role.id}
-				className={clsx(
-					"p-4 pr-6 h-48 relative border rounded-xl flex flex-col gap-3  text-left cursor-pointer",
-					"hover:border-mti-purple transition ease-in-out duration-300",
-				)}>
-				<div className="flex flex-col">
-					<span className="font-semibold">{role.label}</span>
-					<span className="opacity-80 text-sm">{usersWithRole.length} members</span>
-				</div>
-
-				<b>Permissions ({role.permissions.length}): </b>
-				<span>
-					{role.permissions.slice(0, 5).join(", ")}
-					{role.permissions.length > 5 ? <span className="opacity-60"> and {role.permissions.length - 5} more</span> : ""}
-				</span>
-			</button>
-		);
-	};
-
-	return (
-		<>
-			<Head>
-				<title>{entity.label} | EnCoach</title>
-				<meta
-					name="description"
-					content="A training platform for the IELTS exam provided by the Muscat Training Institute and developed by eCrop."
-				/>
-				<meta name="viewport" content="width=device-width, initial-scale=1" />
-				<link rel="icon" href="/favicon.ico" />
-			</Head>
-			<ToastContainer />
-			{user && (
-				<Layout user={user}>
-					<section className="flex flex-col gap-0">
-						<div className="flex flex-col gap-3">
-							<div className="flex items-end justify-between">
-								<div className="flex items-center gap-2">
-									<Link
-										href={`/entities/${entity.id}`}
-										className="text-mti-purple hover:text-mti-purple-dark transition ease-in-out duration-300 text-xl">
-										<BsChevronLeft />
-									</Link>
-									<h2 className="font-bold text-2xl">{entity.label}</h2>
-								</div>
-							</div>
-							{allowEntityEdit && !isEditing && (
-								<div className="flex items-center gap-2">
-									<button
-										onClick={renameGroup}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border rounded-full hover:bg-neutral-100 disabled:hover:bg-transparent disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsTag />
-										<span className="text-xs">Rename Entity</span>
-									</button>
-									<button
-										onClick={deleteGroup}
-										disabled={isLoading}
-										className="flex items-center gap-1 px-2 py-2 border border-mti-rose rounded-full bg-mti-rose-light text-white hover:bg-mti-rose-dark disabled:hover:bg-mti-rose-light disabled:opacity-50 disabled:cursor-not-allowed cursor-pointer transition ease-in-out duration-300">
-										<BsTrash />
-										<span className="text-xs">Delete Entity</span>
-									</button>
-								</div>
-							)}
-						</div>
-						<Divider />
-						<span className="font-semibold text-xl mb-4">Roles</span>
-
-						<CardList list={roles} searchFields={[["label"]]} renderCard={renderCard} firstCard={firstCard} />
-					</section>
-				</Layout>
-			)}
-		</>
-	);
-}
--- a/src/pages/entities/index.tsx
+++ b/src/pages/entities/index.tsx
@@ -17,29 +17,16 @@ import CardList from "@/components/High/CardList";
 import {getEntitiesWithRoles} from "@/utils/entities.be";
 import {EntityWithRoles} from "@/interfaces/entity";
 import Separator from "@/components/Low/Separator";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

 type EntitiesWithCount = {entity: EntityWithRoles; users: User[]; count: number};

-export const getServerSideProps = withIronSessionSsr(async ({req}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const entities = await getEntitiesWithRoles(
 		checkAccess(user, getTypesOfUser(["admin", "developer"])) ? user.entities.map((x) => x.id) : undefined,
@@ -99,18 +86,21 @@ export default function Home({user, entities}: Props) {
 				<link rel="icon" href="/favicon.ico" />
 			</Head>
 			<ToastContainer />
-			{user && (
-				<Layout user={user} className="!gap-4">
-					<section className="flex flex-col gap-4 w-full h-full">
-						<div className="flex flex-col gap-4">
-							<h2 className="font-bold text-2xl">Entities</h2>
-							<Separator />
-						</div>
+			<Layout user={user} className="!gap-4">
+				<section className="flex flex-col gap-4 w-full h-full">
+					<div className="flex flex-col gap-4">
+						<h2 className="font-bold text-2xl">Entities</h2>
+						<Separator />
+					</div>

-						<CardList<EntitiesWithCount> list={entities} searchFields={SEARCH_FIELDS} renderCard={renderCard} firstCard={firstCard} />
-					</section>
-				</Layout>
-			)}
+					<CardList<EntitiesWithCount>
+						list={entities}
+						searchFields={SEARCH_FIELDS}
+						renderCard={renderCard}
+						firstCard={["admin", "developer"].includes(user.type) ? firstCard : undefined}
+					/>
+				</section>
+			</Layout>
 		</>
 	);
 }
--- a/src/pages/exam.tsx
+++ b/src/pages/exam.tsx
@@ -6,30 +6,17 @@ import {shouldRedirectHome} from "@/utils/navigation.disabled";
 import ExamPage from "./(exam)/ExamPage";
 import Head from "next/head";
 import {User} from "@/interfaces/user";
+import { redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	return {
-		props: {user: req.session.user},
+		props: serialize({user}),
 	};
 }, sessionOptions);

--- a/src/pages/exercises.tsx
+++ b/src/pages/exercises.tsx
@@ -6,30 +6,17 @@ import {shouldRedirectHome} from "@/utils/navigation.disabled";
 import ExamPage from "./(exam)/ExamPage";
 import Head from "next/head";
 import {User} from "@/interfaces/user";
+import { redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	return {
-		props: {user: req.session.user},
+		props: serialize({user}),
 	};
 }, sessionOptions);

--- a/src/pages/generation.tsx
+++ b/src/pages/generation.tsx
@@ -23,30 +23,18 @@ import LevelGeneration from "./(generation)/LevelGeneration";
 import SpeakingGeneration from "./(generation)/SpeakingGeneration";
 import {checkAccess} from "@/utils/permissions";
 import {User} from "@/interfaces/user";
+import { redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user) || !checkAccess(user, ["admin", "mastercorporate", "developer", "corporate"])) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user) || !checkAccess(user, ["admin", "mastercorporate", "developer", "corporate"]))
+		return redirect("/")

 	return {
-		props: {user: req.session.user},
+		props: serialize({user}),
 	};
 }, sessionOptions);

--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -1,25 +1,14 @@
 import {User} from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
+import { redirect } from "@/utils";
+import { requestUser } from "@/utils/api";
 import {withIronSessionSsr} from "iron-session/next";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User | undefined;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	return {
-		redirect: {
-			destination: `/dashboard/${user.type}`,
-			permanent: false,
-		},
-	};
+	return redirect(`/dashboard/${user.type}`)
 }, sessionOptions);

 export default function Dashboard() {
--- a/src/pages/login.tsx
+++ b/src/pages/login.tsx
@@ -15,30 +15,17 @@ import {useRouter} from "next/router";
 import EmailVerification from "./(auth)/EmailVerification";
 import {withIronSessionSsr} from "iron-session/next";
 import {sessionOptions} from "@/lib/session";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

 const EMAIL_REGEX = new RegExp(/^[a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*@[a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*$/g);

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
-
-	const envVariables: {[key: string]: string} = {};
-	Object.keys(process.env)
-		.filter((x) => x.startsWith("NEXT_PUBLIC"))
-		.forEach((x: string) => {
-			envVariables[x] = process.env[x]!;
-		});
-
-	if (user) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (user) return redirect("/")

 	return {
-		props: {user: null, envVariables},
+		props: {user: null},
 	};
 }, sessionOptions);

--- a/src/pages/payment-record.tsx
+++ b/src/pages/payment-record.tsx
@@ -31,30 +31,19 @@ import {CSVLink} from "react-csv";
 import {Tab} from "@headlessui/react";
 import {useListSearch} from "@/hooks/useListSearch";
 import {checkAccess, getTypesOfUser} from "@/utils/permissions";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	if (shouldRedirectHome(user) || checkAccess(user, getTypesOfUser(["admin", "developer", "agent", "corporate", "mastercorporate"]))) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
+		return redirect("/")
 	}

 	return {
-		props: {user: req.session.user},
+		props: {user},
 	};
 }, sessionOptions);

--- a/src/pages/payment.tsx
+++ b/src/pages/payment.tsx
@@ -5,32 +5,19 @@ import {sessionOptions} from "@/lib/session";
 import useUser from "@/hooks/useUser";
 import PaymentDue from "./(status)/PaymentDue";
 import {useRouter} from "next/router";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
-
-	const envVariables: {[key: string]: string} = {};
-	Object.keys(process.env)
-		.filter((x) => x.startsWith("NEXT_PUBLIC"))
-		.forEach((x: string) => {
-			envVariables[x] = process.env[x]!;
-		});
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	return {
-		props: {user: req.session.user, envVariables},
+		props: {user},
 	};
 }, sessionOptions);

-export default function Home({envVariables}: {envVariables: {[key: string]: string}}) {
+export default function Home() {
 	const {user} = useUser({redirectTo: "/login"});
 	const router = useRouter();

--- a/src/pages/permissions/[id].tsx
+++ b/src/pages/permissions/[id].tsx
@@ -16,6 +16,8 @@ import axios from "axios";
 import {toast, ToastContainer} from "react-toastify";
 import {Type as UserType} from "@/interfaces/user";
 import {getGroups} from "@/utils/groups.be";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";
 interface BasicUser {
 	id: string;
 	name: string;
@@ -28,36 +30,13 @@ interface PermissionWithBasicUsers {
 	users: BasicUser[];
 }

-export const getServerSideProps = withIronSessionSsr(async (context) => {
-	const {req, params} = context;
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res, params}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
-
-	if (!params?.id) {
-		return {
-			redirect: {
-				destination: "/permissions",
-				permanent: false,
-			},
-		};
-	}
+	if (!params?.id) return redirect("/permissions")

 	// Fetch data from external API
 	const permission: Permission = await getPermissionDoc(params.id as string);
@@ -100,7 +79,7 @@ export const getServerSideProps = withIronSessionSsr(async (context) => {
 				id: params.id,
 				users: usersData,
 			},
-			user: req.session.user,
+			user,
 			users: filteredUsers,
 		},
 	};
--- a/src/pages/permissions/index.tsx
+++ b/src/pages/permissions/index.tsx
@@ -8,27 +8,14 @@ import {getPermissionDocs} from "@/utils/permissions.be";
 import {User} from "@/interfaces/user";
 import Layout from "@/components/High/Layout";
 import PermissionList from "@/components/PermissionList";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

-export const getServerSideProps = withIronSessionSsr(async ({req}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	// Fetch data from external API
 	const permissions: Permission[] = await getPermissionDocs();
@@ -51,7 +38,7 @@ export const getServerSideProps = withIronSessionSsr(async ({req}) => {
 				const {users, ...rest} = p;
 				return rest;
 			}),
-			user: req.session.user,
+			user,
 		},
 	};
 }, sessionOptions);
--- a/src/pages/profile.tsx
+++ b/src/pages/profile.tsx
@@ -29,7 +29,7 @@ import {BsCamera, BsQuestionCircleFill} from "react-icons/bs";
 import {USER_TYPE_LABELS} from "@/resources/user";
 import useGroups from "@/hooks/useGroups";
 import useUsers from "@/hooks/useUsers";
-import {convertBase64} from "@/utils";
+import {convertBase64, redirect} from "@/utils";
 import {Divider} from "primereact/divider";
 import GenderInput from "@/components/High/GenderInput";
 import EmploymentStatusInput from "@/components/High/EmploymentStatusInput";
@@ -46,27 +46,13 @@ import {checkAccess, getTypesOfUser} from "@/utils/permissions";
 import {getParticipantGroups, getUserCorporate} from "@/utils/groups.be";
 import {InferGetServerSidePropsType} from "next";
 import {getUsers} from "@/utils/users.be";
+import { requestUser } from "@/utils/api";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	return {
 		props: {
--- a/src/pages/record.tsx
+++ b/src/pages/record.tsx
@@ -25,7 +25,7 @@ import {Assignment} from "@/interfaces/results";
 import {getEntitiesUsers, getUsers} from "@/utils/users.be";
 import {getAssignments, getAssignmentsByAssigner, getEntitiesAssignments} from "@/utils/assignments.be";
 import useGradingSystem from "@/hooks/useGrading";
-import { mapBy, serialize } from "@/utils";
+import { mapBy, redirect, serialize } from "@/utils";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { checkAccess } from "@/utils/permissions";
 import { getGroups, getGroupsByEntities } from "@/utils/groups.be";
@@ -34,27 +34,13 @@ import { Grading } from "@/interfaces";
 import { EntityWithRoles } from "@/interfaces/entity";
 import { useListSearch } from "@/hooks/useListSearch";
 import CardList from "@/components/High/CardList";
+import { requestUser } from "@/utils/api";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const entityIDs = mapBy(user.entities, 'id')

--- a/src/pages/settings.tsx
+++ b/src/pages/settings.tsx
@@ -29,28 +29,16 @@ import { Permission, PermissionType } from "@/interfaces/permissions";
 import { getUsers } from "@/utils/users.be";
 import useUsers from "@/hooks/useUsers";
 import { getEntitiesWithRoles, getEntityWithRoles } from "@/utils/entities.be";
-import { mapBy, serialize } from "@/utils";
+import { mapBy, serialize, redirect } from "@/utils";
 import { EntityWithRoles } from "@/interfaces/entity";
+import { requestUser } from "@/utils/api";

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User;
-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-  if (shouldRedirectHome(user) || !checkAccess(user, ["admin", "developer", "corporate", "teacher", "mastercorporate"])) {
-    return {
-      redirect: {
-        destination: "/",
-        permanent: false,
-      },
-    };
-  }
+  if (shouldRedirectHome(user) || !checkAccess(user, ["admin", "developer", "corporate", "teacher", "mastercorporate"]))
+    return redirect("/")

  const permissions = await getUserPermissions(user.id);
  const entities = await getEntitiesWithRoles(mapBy(user.entities, 'id')) || []
--- a/src/pages/stats.tsx
+++ b/src/pages/stats.tsx
@@ -25,38 +25,24 @@ import moment from "moment";
 import {Group, Stat, User} from "@/interfaces/user";
 import {Divider} from "primereact/divider";
 import Badge from "@/components/Low/Badge";
-import { mapBy, serialize } from "@/utils";
+import { mapBy, redirect, serialize } from "@/utils";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { checkAccess } from "@/utils/permissions";
 import { getEntitiesUsers, getUsers } from "@/utils/users.be";
 import { EntityWithRoles } from "@/interfaces/entity";
 import { getGroups, getGroupsByEntities } from "@/utils/groups.be";
 import Select from "@/components/Low/Select";
+import { requestUser } from "@/utils/api";

 ChartJS.register(LinearScale, CategoryScale, PointElement, LineElement, LineController, Legend, Tooltip);

 const COLORS = ["#1EB3FF", "#FF790A", "#3D9F11", "#EF5DA8", "#414288"];

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const entityIDs = mapBy(user.entities, 'id')
 	const entities = await getEntitiesWithRoles(checkAccess(user, ["admin", "developer"]) ? undefined : entityIDs)
--- a/src/pages/tickets.tsx
+++ b/src/pages/tickets.tsx
@@ -16,32 +16,20 @@ import Head from "next/head";
 import {useEffect, useState} from "react";
 import {BsArrowDown, BsArrowUp} from "react-icons/bs";
 import {ToastContainer} from "react-toastify";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

 const columnHelper = createColumnHelper<TicketWithCorporate>();

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user) || !["admin", "developer", "agent"].includes(user.type)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user) || !["admin", "developer", "agent"].includes(user.type))
+		return redirect("/")

 	return {
-		props: {user: req.session.user},
+		props: {user},
 	};
 }, sessionOptions);

--- a/src/pages/training/[id]/index.tsx
+++ b/src/pages/training/[id]/index.tsx
@@ -31,30 +31,17 @@ import {uniqBy} from "lodash";
 import {getExamById} from "@/utils/exams";
 import {convertToUserSolutions} from "@/utils/stats";
 import {sortByModule} from "@/utils/moduleUtils";
+import { requestUser } from "@/utils/api";
+import { redirect, serialize } from "@/utils";

-export const getServerSideProps = withIronSessionSsr(({req, res}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) redirect("/")

 	return {
-		props: {user: req.session.user},
+		props: serialize({user}),
 	};
 }, sessionOptions);

--- a/src/pages/training/index.tsx
+++ b/src/pages/training/index.tsx
@@ -20,33 +20,19 @@ import TrainingScore from "@/training/TrainingScore";
 import ModuleBadge from "@/components/ModuleBadge";
 import RecordFilter from "@/components/Medium/RecordFilter";
 import useFilterRecordsByUser from "@/hooks/useFilterRecordsByUser";
-import { mapBy, serialize } from "@/utils";
+import { mapBy, redirect, serialize } from "@/utils";
 import { getEntitiesWithRoles } from "@/utils/entities.be";
 import { getAssignmentsByAssignee } from "@/utils/assignments.be";
 import { getEntitiesUsers } from "@/utils/users.be";
 import { EntityWithRoles } from "@/interfaces/entity";
 import { Assignment } from "@/interfaces/results";
+import { requestUser } from "@/utils/api";

 export const getServerSideProps = withIronSessionSsr(async ({req, res}) => {
-	const user = req.session.user as User;
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
-
-	if (shouldRedirectHome(user)) {
-		return {
-			redirect: {
-				destination: "/",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const entityIDs = mapBy(user.entities, 'id')
 	const entities = await getEntitiesWithRoles(entityIDs)
--- a/src/pages/users/index.tsx
+++ b/src/pages/users/index.tsx
@@ -4,7 +4,9 @@ import useUsers from "@/hooks/useUsers";
 import { Type, User } from "@/interfaces/user";
 import {sessionOptions} from "@/lib/session";
 import useFilterStore from "@/stores/listFilterStore";
-import { serialize } from "@/utils";
+import { redirect, serialize } from "@/utils";
+import { requestUser } from "@/utils/api";
+import { shouldRedirectHome } from "@/utils/navigation.disabled";
 import {withIronSessionSsr} from "iron-session/next";
 import Head from "next/head";
 import {useRouter} from "next/router";
@@ -13,22 +15,16 @@ import {BsArrowLeft, BsChevronLeft} from "react-icons/bs";
 import {ToastContainer} from "react-toastify";
 import UserList from "../(admin)/Lists/UserList";

-export const getServerSideProps = withIronSessionSsr(({req, res, query}) => {
-	const user = req.session.user;
+export const getServerSideProps = withIronSessionSsr(async ({req, res, query}) => {
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	if (shouldRedirectHome(user)) return redirect("/")

 	const {type} = query as {type?: Type}

 	return {
-		props: serialize({user: req.session.user, type}),
+		props: serialize({user, type}),
 	};
 }, sessionOptions);

--- a/src/pages/users/performance.tsx
+++ b/src/pages/users/performance.tsx
@@ -18,18 +18,12 @@ import StudentPerformanceList from "../(admin)/Lists/StudentPerformanceList";
 import Head from "next/head";
 import { ToastContainer } from "react-toastify";
 import Layout from "@/components/High/Layout";
+import { requestUser } from "@/utils/api";
+import { redirect } from "@/utils";

 export const getServerSideProps = withIronSessionSsr(async ({req, res, query}) => {
-	const user = req.session.user as User;
-
-	if (!user) {
-		return {
-			redirect: {
-				destination: "/login",
-				permanent: false,
-			},
-		};
-	}
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

 	const entityIDs = mapBy(user.entities, 'id')

--- a/src/pages/v1/index.tsx
+++ b/src/pages/v1/index.tsx
@@ -35,23 +35,17 @@ import { USER_TYPE_LABELS } from "@/resources/user";
 import { checkAccess, getTypesOfUser } from "@/utils/permissions";
 import { getUserCorporate } from "@/utils/groups.be";
 import { getUsers } from "@/utils/users.be";
+import { requestUser } from "@/utils/api";
+import { redirect, serialize } from "@/utils";

 export const getServerSideProps = withIronSessionSsr(async ({ req, res }) => {
-  const user = req.session.user as User | undefined;
-
-  if (!user) {
-    return {
-      redirect: {
-        destination: "/login",
-        permanent: false,
-      },
-    };
-  }
+	const user = await requestUser(req, res)
+	if (!user) return redirect("/login")

  const linkedCorporate = (await getUserCorporate(user.id)) || null;

  return {
-    props: { user, linkedCorporate },
+    props: serialize({ user, linkedCorporate }),
  };
 }, sessionOptions);

--- a/src/resources/entityPermissions.ts
+++ b/src/resources/entityPermissions.ts
@@ -0,0 +1,39 @@
+export type RolePermission =
+	"view_students" |
+	"view_teachers" |
+	"view_corporates" |
+	"view_mastercorporates" |
+	"edit_students" |
+	"edit_teachers" |
+	"edit_corporates" |
+	"edit_mastercorporates" |
+	"delete_students" |
+	"delete_teachers" |
+	"delete_corporates" |
+	"delete_mastercorporates" |
+	"generate_reading" |
+	"delete_reading" |
+	"generate_listening" |
+	"delete_listening" |
+	"generate_writing" |
+	"delete_writing" |
+	"generate_speaking" |
+	"delete_speaking" |
+	"generate_level" |
+	"delete_level" |
+	"view_classrooms" |
+	"create_classroom" |
+	"rename_classrooms" |
+	"add_to_classroom" |
+	"remove_from_classroom" |
+	"delete_classroom" |
+	"view_entities" | "rename_entity" |
+	"add_to_entity" |
+	"remove_from_entity" |
+	"delete_entity" |
+	"view_entity_roles" |
+	"create_entity_role" |
+	"rename_entity_role" |
+	"edit_role_permissions" |
+	"assign_to_role" |
+	"delete_entity_role";
--- a/src/utils/api.ts
+++ b/src/utils/api.ts
@@ -0,0 +1,16 @@
+import { User } from "@/interfaces/user";
+import { IncomingMessage, ServerResponse } from "http";
+import { IronSession } from "iron-session";
+import { NextApiRequest, NextApiResponse } from "next";
+import { getUser } from "./users.be";
+
+
+export async function requestUser(req: NextApiRequest | IncomingMessage, res: NextApiResponse | ServerResponse): Promise<User | undefined> {
+	if (!req.session.user) return undefined
+	const user = await getUser(req.session.user.id)
+
+	req.session.user = user
+	req.session.save()
+
+	return user
+}
--- a/src/utils/entities.be.ts
+++ b/src/utils/entities.be.ts
@@ -1,15 +1,16 @@
 import {Entity, EntityWithRoles, Role} from "@/interfaces/entity";
 import client from "@/lib/mongodb";
+import { v4 } from "uuid";
 import {getRolesByEntities, getRolesByEntity} from "./roles.be";

 const db = client.db(process.env.MONGODB_DB);

-export const getEntityWithRoles = async (id: string): Promise<{entity: Entity; roles: Role[]} | undefined> => {
+export const getEntityWithRoles = async (id: string): Promise<EntityWithRoles | undefined> => {
 	const entity = await getEntity(id);
 	if (!entity) return undefined;

 	const roles = await getRolesByEntity(id);
-	return {entity, roles};
+	return {...entity, roles};
 };

 export const getEntity = async (id: string) => {
@@ -33,3 +34,28 @@ export const getEntities = async (ids?: string[]) => {
 		.find<Entity>(ids ? {id: {$in: ids}} : {})
 		.toArray();
 };
+
+export const createEntity = async (entity: Entity) => {
+	await db.collection("entities").insertOne(entity)
+	await db.collection("roles").insertOne({
+		id: v4(),
+		label: "Default",
+		permissions: [],
+		entityID: entity.id
+	})
+}
+
+export const deleteEntity = async (entity: Entity) => {
+	await db.collection("entities").deleteOne({id: entity.id})
+	await db.collection("roles").deleteMany({entityID: entity.id})
+
+	await db.collection("users").updateMany(
+		{"entities.id": entity.id},
+		{
+			// @ts-expect-error
+			$pull: {
+				entities: {id: entity.id},
+			},
+		},
+	);
+}
--- a/src/utils/index.ts
+++ b/src/utils/index.ts
@@ -44,7 +44,15 @@ export const convertBase64 = (file: File) => {
 	});
 };

+export const redirect = (destination: string) => ({
+	redirect: {
+		destination: destination,
+		permanent: false,
+	},
+})
+
 export const mapBy = <T, K extends keyof T>(obj: T[] | undefined, key: K) => (obj || []).map((i) => i[key] as T[K]);
 export const filterBy = <T>(obj: T[], key: keyof T, value: any) => obj.filter((i) => i[key] === value);
+export const findBy = <T>(obj: T[], key: keyof T, value: any) => obj.find((i) => i[key] === value);

 export const serialize = <T>(obj: T): T => JSON.parse(JSON.stringify(obj));
--- a/src/utils/permissions.ts
+++ b/src/utils/permissions.ts
@@ -1,6 +1,9 @@
+import { EntityWithRoles, Role } from "@/interfaces/entity";
 import {PermissionType} from "@/interfaces/permissions";
 import {User, Type, userTypes} from "@/interfaces/user";
+import { RolePermission } from "@/resources/entityPermissions";
 import axios from "axios";
+import { findBy, mapBy } from ".";

 export function checkAccess(user: User, types: Type[], permissions?: PermissionType[], permission?: PermissionType) {
 	if (!user) {
@@ -8,7 +11,7 @@ export function checkAccess(user: User, types: Type[], permissions?: PermissionT
 	}

 	// if(user.type === '') {
-	if (!user.type) {
+	if (!user?.type) {
 		return false;
 	}

@@ -32,6 +35,25 @@ export function checkAccess(user: User, types: Type[], permissions?: PermissionT
 	return true;
 }

+export function findAllowedEntities(user: User, entities: EntityWithRoles[], permission: RolePermission) {
+	if (["admin", "developer"].includes(user?.type)) return entities
+
+	const allowedEntities = entities.filter((e) => doesEntityAllow(user, e, permission))
+	return allowedEntities
+}
+
+export function doesEntityAllow(user: User, entity: EntityWithRoles, permission: RolePermission) {
+	if (["admin", "developer"].includes(user?.type)) return true
+
+	const userEntity = findBy(user.entities, 'id', entity.id)
+	if (!userEntity) return false
+
+	const role = findBy(entity.roles, 'id', userEntity.role)
+	if (!role) return false
+
+	return role.permissions.includes(permission)
+}
+
 export function getTypesOfUser(types: Type[]) {
 	// basicly generate a list of all types except the excluded ones
 	return userTypes.filter((userType) => {
--- a/src/utils/roles.be.ts
+++ b/src/utils/roles.be.ts
@@ -11,4 +11,24 @@ export const getRolesByEntities = async (entityIDs: string[]) =>

 export const getRolesByEntity = async (entityID: string) => await db.collection("roles").find<Role>({entityID}).toArray();

+export const getRoles = async (ids?: string[]) => await db.collection("roles").find<Role>(!ids ? {} : {id: {$in: ids}}).toArray();
 export const getRole = async (id: string) => (await db.collection("roles").findOne<Role>({id})) ?? undefined;
+
+export const createRole = async (role: Role) => await db.collection("roles").insertOne(role)
+export const deleteRole = async (id: string) => await db.collection("roles").deleteOne({id})
+
+export const transferRole = async (previousRole: string, newRole: string) =>
+	await db.collection("users")
+		.updateMany(
+			{ "entities.role": previousRole },
+			{ $set: { 'entities.$[elem].role': newRole } },
+			{ arrayFilters: [{ 'elem.role': previousRole }] }
+		);
+
+export const assignRoleToUsers = async (users: string[], entity: string, newRole: string) =>
+	await db.collection("users")
+		.updateMany(
+			{ id: { $in: users } },
+			{ $set: { 'entities.$[elem].role': newRole } },
+			{ arrayFilters: [{ 'elem.id': entity }] }
+		);
--- a/src/utils/users.be.ts
+++ b/src/utils/users.be.ts
@@ -46,16 +46,16 @@ export async function getSpecificUsers(ids: string[]) {
    .toArray();
 }

-export async function getEntityUsers(id: string, limit?: number) {
+export async function getEntityUsers(id: string, limit?: number, filter?: object) {
  return await db
    .collection("users")
-    .find<User>({ "entities.id": id })
+		.find<User>({ "entities.id": id, ...(filter || {}) })
    .limit(limit || 0)
    .toArray();
 }

-export async function countEntityUsers(id: string) {
-  return await db.collection("users").countDocuments({ "entities.id": id });
+export async function countEntityUsers(id: string, filter?: object) {
+	return await db.collection("users").countDocuments({ "entities.id": id, ...(filter || {}) });
 }

 export async function getEntitiesUsers(ids: string[], filter?: object, limit?: number) {