fix(api): enforce requireSuperUser on settings PATCH and fix dev-mode auth bypass #206

Merged
groombook-engineer[bot] merged 2 commits from fix/gro-263-dev-login-session-switch into main 2026-04-02 12:57:56 +00:00

2 Commits

Author SHA1 Message Date
groombook-engineer[bot] 01b090f258 fix(api): remove dead code in rbac test
Remove unused `app` variable from 'returns 403 when staff record is
not resolved' test - the test uses `testApp` instead.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-02 11:27:14 +00:00
groombook-engineer[bot] 804bb474d2 fix(api): enforce requireSuperUser on settings PATCH and fix dev-mode auth bypass
- Add requireSuperUser() middleware to PATCH /api/admin/settings route
  to ensure only super users can modify business settings

- Fix dev-mode (AUTH_DISABLED=true) force-set of isSuperUser:true
  for all staff records in resolveStaffMiddleware. Now preserves
  actual database value with isSuperUser ?? false fallback.
  This prevents non-super-users (e.g., receptionists) from
  bypassing RBAC checks in dev mode.

- Fix test data: RECEPTIONIST and GROOMER now correctly have
  isSuperUser: false (was incorrectly inheriting true from MANAGER)

- Add 7 new tests for requireSuperUser middleware covering:
  - Super user access allowed
  - Non-super-user receptionist blocked with 403
  - Non-super-user groomer blocked with 403
  - Unresolved staff record returns 403
  - Receptionist cannot grant super user via PATCH
  - JSON error response format

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-02 10:50:55 +00:00
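The dev-mode bypass and the middleware the commit describes, modelled as an added example (this is not the project's code); the staff records, token names and JSON error text are constructed for illustration, and the vulnerable resolver keeps the forced `isSuperUser: true` behaviour so the two can be compared:

```javascript
// Constructed staff table standing in for the database. `tok-legacy` has no
// isSuperUser value at all, which is the case the `?? false` fallback covers.
const STAFF = {
  'tok-manager':      { id: 1, role: 'MANAGER',      isSuperUser: true },
  'tok-receptionist': { id: 2, role: 'RECEPTIONIST', isSuperUser: false },
  'tok-legacy':       { id: 3, role: 'GROOMER' },
};

// Vulnerable variant: with AUTH_DISABLED=true every resolved record was forced to
// isSuperUser:true, so any downstream RBAC check passed for any staff member.
function resolveStaffVulnerable(req, env) {
  const staff = STAFF[req.token];
  if (!staff) return null;
  return env.AUTH_DISABLED === 'true' ? { ...staff, isSuperUser: true } : staff;
}

// Hardened variant: dev mode may skip credential checks, but the super-user flag
// always comes from the stored record; a missing value defaults to false.
// `env` is kept only so both resolvers share a signature.
function resolveStaffFixed(req, env) {
  const staff = STAFF[req.token];
  if (!staff) return null;
  return { ...staff, isSuperUser: staff.isSuperUser ?? false };
}

// Express-style middleware factory: 403 JSON unless the resolved staff record
// is an actual super user. An unresolved record is also a 403, not a crash.
function requireSuperUser() {
  return (req, res, next) => {
    if (!req.staff) return res.status(403).json({ error: 'Staff record not resolved' });
    if (req.staff.isSuperUser !== true) return res.status(403).json({ error: 'Super user required' });
    return next();
  };
}

// Minimal stand-in for an Express req/res pair so PATCH /api/admin/settings can be
// exercised offline. Returns what the client would observe plus whether the route
// handler was ever reached.
function simulatePatchSettings(token, env, resolver) {
  const req = { token, staff: resolver({ token }, env) };
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let handlerReached = false;
  requireSuperUser()(req, res, () => { handlerReached = true; res.status(200).json({ ok: true }); });
  return { status: res.statusCode, handlerReached, body: res.body };
}
```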