feat(staff): super user grant/revoke UI with last-user guardrail

Backend: - GET /api/staff/me — returns current staff record (includes isSuperUser) - PATCH /api/staff/:id — accepts optional isSuperUser boolean; only super users can change this field; last-super-user guardrail prevents revoking the only active super user - PATCH /api/staff/:id (active=false) — guardrail prevents deactivating the last active super user - DELETE /api/staff/:id — guardrail prevents deleting the last active super user Frontend (Staff.tsx): - Fetches current user via GET /api/staff/me to determine isSuperUser - Shows ★ Super User badge for super user staff rows - Super user sees "+ Grant" button on non-super-user rows - Super user sees "Revoke" toggle on super-user rows (disabled if last one) - Deactivate button disabled for the last active super user - Error message displayed when backend guardrail triggers GRO-206 Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-29 07:29:35 +00:00
parent 8de0a00a2b
commit e3c5ebb337
2 changed files with 144 additions and 5 deletions
@@ -15,7 +15,18 @@ const createStaffSchema = z.object({
  active: z.boolean().default(true),
 });

-const updateStaffSchema = createStaffSchema.partial().omit({ email: true });
+const updateStaffSchema = z.object({
+  name: z.string().min(1).max(200).optional(),
+  role: z.enum(["groomer", "receptionist", "manager"]).optional(),
+  active: z.boolean().optional(),
+  isSuperUser: z.boolean().optional(),
+  oidcSub: z.string().optional(),
+});
+
+staffRouter.get("/me", async (c) => {
+  const staffRow = c.get("staff");
+  return c.json(staffRow);
+});

 staffRouter.get("/", async (c) => {
  const db = getDb();
@@ -45,11 +56,57 @@ staffRouter.post("/", zValidator("json", createStaffSchema), async (c) => {

 staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
  const db = getDb();
+  const currentStaff = c.get("staff");
  const body = c.req.valid("json");
+  const targetId = c.req.param("id");
+
+  // Only super users can change isSuperUser
+  if (body.isSuperUser !== undefined && !currentStaff.isSuperUser) {
+    return c.json({ error: "Forbidden: super user privileges required to modify super user status" }, 403);
+  }
+
+  // Before revoking super user, check if this is the last one
+  if (body.isSuperUser === false) {
+    const superUserCount = await db
+      .select({ id: staff.id })
+      .from(staff)
+      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
+      .limit(2);
+    // If only 1 or 0 active super users and the target is one of them, block revoke
+    if (superUserCount.length <= 1) {
+      return c.json(
+        { error: "Cannot revoke the last super user. Assign another super user first." },
+        400
+      );
+    }
+  }
+
+  // When deactivating a super user, also check last-super-user guardrail
+  if (body.active === false) {
+    const [target] = await db
+      .select({ isSuperUser: staff.isSuperUser })
+      .from(staff)
+      .where(eq(staff.id, targetId))
+      .limit(1);
+    if (target?.isSuperUser) {
+      const superUserCount = await db
+        .select({ id: staff.id })
+        .from(staff)
+        .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
+        .limit(2);
+      if (superUserCount.length <= 1) {
+        return c.json(
+          { error: "Cannot deactivate the last super user. Assign another super user first." },
+          400
+        );
+      }
+    }
+  }
+
  const [row] = await db
    .update(staff)
    .set({ ...body, updatedAt: new Date() })
-    .where(eq(staff.id, c.req.param("id")))
+    .where(eq(staff.id, targetId))
    .returning();
  if (!row) return c.json({ error: "Not found" }, 404);
  return c.json(row);
@@ -81,6 +138,26 @@ staffRouter.delete("/:id", async (c) => {
    );
  }

+  // Prevent deleting the last super user
+  const [targetStaff] = await db
+    .select({ isSuperUser: staff.isSuperUser })
+    .from(staff)
+    .where(eq(staff.id, id))
+    .limit(1);
+  if (targetStaff?.isSuperUser) {
+    const superUserCount = await db
+      .select({ id: staff.id })
+      .from(staff)
+      .where(and(eq(staff.isSuperUser, true), eq(staff.active, true)))
+      .limit(2);
+    if (superUserCount.length <= 1) {
+      return c.json(
+        { error: "Cannot delete the last super user. Assign another super user first." },
+        400
+      );
+    }
+  }
+
  const [row] = await db
    .delete(staff)
    .where(eq(staff.id, id))