groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: allow groomer/receptionist roles to read staff records #151

Closed
groombook-engineer[bot] wants to merge 24 commits from fix/gro-162-groomer-staff-rbac into main
pull from: fix/gro-162-groomer-staff-rbac
merge into: groombook:main
Conversation 7 Commits 24 Files Changed 39
+3 -2
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 93f1cfef1f - Show all commits
apps/api/src/index.ts
+3 -2
View File
@@ -82,8 +82,9 @@ api.use("*", authMiddleware);
api.use("*", resolveStaffMiddleware);
// ── Role guards ────────────────────────────────────────────────────────────────
// Manager-only: staff, admin settings, reports, invoices, impersonation
api.use("/staff/*", requireRole("manager"));
// Staff: all roles may read; only managers may write (POST/PUT/PATCH/DELETE)
api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));
// Manager-only: admin settings, reports, invoices, impersonation
api.use("/admin/*", requireRole("manager"));
api.use("/reports/*", requireRole("manager"));
api.use("/invoices/*", requireRole("manager"));