fix: allow groomer/receptionist roles to read staff records #151
@@ -82,8 +82,9 @@ api.use("*", authMiddleware);
|
|||||||
api.use("*", resolveStaffMiddleware);
|
api.use("*", resolveStaffMiddleware);
|
||||||
|
|
||||||
// ── Role guards ────────────────────────────────────────────────────────────────
|
// ── Role guards ────────────────────────────────────────────────────────────────
|
||||||
// Manager-only: staff, admin settings, reports, invoices, impersonation
|
// Staff: all roles may read; only managers may write (POST/PUT/PATCH/DELETE)
|
||||||
api.use("/staff/*", requireRole("manager"));
|
api.on(["POST", "PUT", "PATCH", "DELETE"], "/staff/*", requireRole("manager"));
|
||||||
|
// Manager-only: admin settings, reports, invoices, impersonation
|
||||||
api.use("/admin/*", requireRole("manager"));
|
api.use("/admin/*", requireRole("manager"));
|
||||||
api.use("/reports/*", requireRole("manager"));
|
api.use("/reports/*", requireRole("manager"));
|
||||||
api.use("/invoices/*", requireRole("manager"));
|
api.use("/invoices/*", requireRole("manager"));
|
||||||
|
|||||||
Reference in New Issue
Block a user