flutter-news-app-full-source-code · fulleni · Nov 22, 2025 · Nov 22, 2025 · Nov 22, 2025 · Nov 22, 2025
diff --git a/lib/src/rbac/permissions.dart b/lib/src/rbac/permissions.dart
@@ -89,6 +89,9 @@ abstract class Permissions {
       'push_notification_device.create_owned';
   static const String pushNotificationDeviceDeleteOwned =
       'push_notification_device.delete_owned';
+  // Allows reading the user's own push notification devices.
+  static const String pushNotificationDeviceReadOwned =
+      'push_notification_device.read_owned';
 
   // In-App Notification Permissions (User-owned)
   /// Allows reading the user's own in-app notifications.

diff --git a/lib/src/rbac/role_permissions.dart b/lib/src/rbac/role_permissions.dart
@@ -24,6 +24,7 @@ final Set<String> _appGuestUserPermissions = {
   // notifications.
   Permissions.pushNotificationDeviceCreateOwned,
   Permissions.pushNotificationDeviceDeleteOwned,
+  Permissions.pushNotificationDeviceReadOwned,
   // Allow all app users to manage their own in-app notifications.
   Permissions.inAppNotificationReadOwned,
   Permissions.inAppNotificationUpdateOwned,

diff --git a/lib/src/registry/data_operation_registry.dart b/lib/src/registry/data_operation_registry.dart
@@ -184,6 +184,13 @@ class DataOperationRegistry {
             sort: s,
             pagination: p,
           ),
+      'push_notification_device': (c, uid, f, s, p) =>
+          c.read<DataRepository<PushNotificationDevice>>().readAll(
+                userId: uid,
+                filter: f,
+                sort: s,
+                pagination: p,
+              ),
     });
 
     // --- Register Item Creators ---

diff --git a/lib/src/registry/model_registry.dart b/lib/src/registry/model_registry.dart
@@ -429,12 +429,19 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
     fromJson: PushNotificationDevice.fromJson,
     getId: (d) => d.id,
     getOwnerId: (dynamic item) => (item as PushNotificationDevice).userId,
+    // Collection GET is allowed for a user to fetch their own notification devices.
+    // The generic route handler will automatically scope the query to the
+    // authenticated user's ID because `getOwnerId` is defined.
     getCollectionPermission: const ModelActionPermission(
-      type: RequiredPermissionType.unsupported,
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.pushNotificationDeviceReadOwned,
     ),
-    // Required by the ownership check middelware
+    // Item GET is allowed for a user to fetch a single one of their devices.
+    // The ownership check middleware will verify they own this specific item.
     getItemPermission: const ModelActionPermission(
-      type: RequiredPermissionType.adminOnly,
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.pushNotificationDeviceReadOwned,
+      requiresOwnershipCheck: true,
     ),
     // POST is allowed for any authenticated user to register their own device.
     // A custom check within the DataOperationRegistry's creator function will

diff --git a/lib/src/services/database_seeding_service.dart b/lib/src/services/database_seeding_service.dart
@@ -248,6 +248,12 @@ class DatabaseSeedingService {
             'unique': true,
             'sparse': true,
           },
+          {
+            // Optimizes fetching all devices for a specific user, which is
+            // needed for the device cleanup flow on the client.
+            'key': {'userId': 1},
+            'name': 'userId_index',
+          },
         ],
       });
       _log.info('Ensured indexes for "push_notification_devices".');