fix(rbac): allow all staff roles to READ /api/staff
GRO-156 follow-up: RBAC middleware was blocking groomer/receptionist from GET /api/staff. The QA review found a 403 with "role groomer is not permitted" after the PR #140 deployment.

Fix: split the /staff/* guard. GET requests allow all roles (groomer, receptionist, manager); write operations remain manager-only.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -82,7 +82,9 @@ api.use("*", authMiddleware);
|
|||||||
api.use("*", resolveStaffMiddleware);
|
api.use("*", resolveStaffMiddleware);
|
||||||
|
|
||||||
// ── Role guards ────────────────────────────────────────────────────────────────
|
// ── Role guards ────────────────────────────────────────────────────────────────
|
||||||
// Manager-only: staff, admin settings, reports, invoices, impersonation
|
// Manager-only: admin settings, reports, invoices, impersonation
|
||||||
|
// Staff CRUD: all roles may READ; manager-only for CREATE/UPDATE/DELETE
|
||||||
|
api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));
|
||||||
api.use("/staff/*", requireRole("manager"));
|
api.use("/staff/*", requireRole("manager"));
|
||||||
api.use("/admin/*", requireRole("manager"));
|
api.use("/admin/*", requireRole("manager"));
|
||||||
api.use("/reports/*", requireRole("manager"));
|
api.use("/reports/*", requireRole("manager"));
|
||||||
|
|||||||
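Review bot: the unchanged `api.use("/staff/*", requireRole("manager"));` that follows the new `api.on(["GET"], "/staff/*", requireRole("manager", "receptionist", "groomer"));` still registers the manager-only guard for every method, GET included, so a groomer or receptionist GET /api/staff passes the new guard, continues to the next middleware, and is then rejected by the old one; the 403 described in the commit message is not removed by this hunk unless requireRole records an allow decision that later guards honour, which nothing here shows. Restrict the existing guard to the write methods instead, e.g. `api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));`, keep it after the GET guard since middleware runs in registration order, and add a regression test asserting that a groomer GET returns 200 and a groomer POST returns 403. Two smaller points: the new guard lists GET only, so HEAD requests to /staff/* will still be refused, and the comment "all roles may READ" is implemented as an explicit three-role allow-list, so any role added later silently loses read access; if every authenticated role should read, say so in the comment or derive the list from the role enum.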