From 93f1cfef1f5f48efa588be17fd707c128ba88110 Mon Sep 17 00:00:00 2001
From: Barkley Trimsworth <barkley@groombook.farh.net>
Date: Sat, 28 Mar 2026 20:24:22 +0000
Subject: [PATCH] fix: allow groomer and receptionist roles to read staff
 records

GRO-162: Groomer role was blocked from GET /api/staff with 403 because
the /staff/* route guard required "manager" role for all HTTP methods.

Changed the guard to only require "manager" for write operations
(POST/PUT/PATCH/DELETE), matching the pattern used for /clients and
/appointments where all roles can read but only managers (or managers
+ receptionists) can write.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/index.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 850058b..275c797 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -82,8 +82,9 @@ api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
 
 // ── Role guards ────────────────────────────────────────────────────────────────
-// Manager-only: staff, admin settings, reports, invoices, impersonation
-api.use("/staff/*", requireRole("manager"));
+// Staff: all roles may read; only managers may write (POST/PUT/PATCH/DELETE)
+api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));
+// Manager-only: admin settings, reports, invoices, impersonation
 api.use("/admin/*", requireRole("manager"));
 api.use("/reports/*", requireRole("manager"));
 api.use("/invoices/*", requireRole("manager"));