From c143aec2b508ff490f8c6fc546bdd02890b896c9 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Sat, 28 Mar 2026 03:15:07 +0000
Subject: [PATCH] fix(rbac): allow all staff roles to READ /api/staff
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GRO-156 follow-up: RBAC middleware was blocking groomer/receptionist from GET /api/staff. The QA review found 403 with "role groomer is not permitted" after PR #140 deployment. Fix: split the /staff/* guard — GET requests allow all roles (groomer, receptionist, manager); write operations remain manager-only.
Co-Authored-By: Paperclip
---
apps/api/src/index.ts | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 850058b..d1820f5 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -82,7 +82,9 @@ api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
 
 // ── Role guards ────────────────────────────────────────────────────────────────
-// Manager-only: staff, admin settings, reports, invoices, impersonation
+// Manager-only: admin settings, reports, invoices, impersonation
+// Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE
+api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));
 api.use("/staff/*", requireRole("manager"));
 api.use("/admin/*", requireRole("manager"));
 api.use("/reports/*", requireRole("manager"));
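Review bot: The new GET-scoped guard is registered ahead of, not instead of, the unchanged `api.use("/staff/*", requireRole("manager"))` on the next line, and `use` matches every method, so a groomer's GET would clear the first guard and then still hit the manager-only one — if this is Hono (which the `api.on([...], path, handler)` signature suggests), middleware runs in registration order and the 403 described in the message would persist; this only works if `requireRole` short-circuits once an earlier guard has authorized, which is not visible here. Scope the write guard by method instead and keep it fail-closed for anything that is not a read: `api.use("/staff/*", (c, next) => c.req.method === "GET" ? next() : requireRole("manager")(c, next));`, or, if an explicit list is preferred, `api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));` — the former is safer because an unlisted method (HEAD, OPTIONS) cannot slip past it. Either way the comment above should say which methods are treated as reads, and a route test asserting groomer GET → 200 and groomer DELETE → 403 would have caught the ordering. These guards are top-level statements, so there is no enclosing function to consider.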