fix: allow groomer and receptionist roles to read staff records

GRO-162: Groomer role was blocked from GET /api/staff with 403 because
the /staff/* route guard required "manager" role for all HTTP methods.

Changed the guard to only require "manager" for write operations
(POST/PUT/PATCH/DELETE), matching the pattern used for /clients and
/appointments where all roles can read but only managers (or managers
+ receptionists) can write.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Barkley Trimsworth
2026-03-28 20:24:22 +00:00
parent 6cc8bad1a5
commit 93f1cfef1f
@@ -82,8 +82,9 @@ api.use("*", authMiddleware);
api.use("*", resolveStaffMiddleware);
// ── Role guards ────────────────────────────────────────────────────────────────
// Manager-only: staff, admin settings, reports, invoices, impersonation
api.use("/staff/*", requireRole("manager"));
// Staff: all roles may read; only managers may write (POST/PUT/PATCH/DELETE)
api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));
// Manager-only: admin settings, reports, invoices, impersonation
api.use("/admin/*", requireRole("manager"));
api.use("/reports/*", requireRole("manager"));
api.use("/invoices/*", requireRole("manager"));
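Review bot: the replacement on the `api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"))` line turns the guard from a default-deny into an enumerated denylist: any method not in that list (HEAD, OPTIONS, or any handler later registered under another method on /staff/*) no longer passes through `requireRole("manager")` at all, whereas the removed `api.use("/staff/*", ...)` covered every method. Prefer keeping the `api.use` form and exempting only the read methods inside it, e.g. `api.use("/staff/*", (c, next) => (c.req.method === "GET" || c.req.method === "HEAD") ? next() : requireRole("manager")(c, next))`, so that a new write route cannot silently ship unguarded. Two smaller points: the message says this matches the /clients and /appointments pattern, but those guards are outside this hunk, so please confirm they use the same method set; and since GET /api/staff is now readable by every role, a note in the message (or a test) on which staff fields that response exposes would help reviewers judge whether the read side needs field-level filtering.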