This repository has been archived on 2026-05-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.

Barkley Trimsworth 93f1cfef1f fix: allow groomer and receptionist roles to read staff records ...

GRO-162: Groomer role was blocked from GET /api/staff with 403 because
the /staff/* route guard required "manager" role for all HTTP methods.

Changed the guard to only require "manager" for write operations
(POST/PUT/PATCH/DELETE), matching the pattern used for /clients and
/appointments where all roles can read but only managers (or managers
+ receptionists) can write.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-03-28 20:24:22 +00:00

..

__tests__

fix(auth): dev login resolve staff by id, not userId

2026-03-28 01:47:07 +00:00

lib

fix(api): validate BETTER_AUTH_SECRET and fix lockfile specifier (GRO-118)

2026-03-27 21:38:25 +00:00

middleware

fix(rbac): fallback lookup for staff records predating Better-Auth userId

2026-03-28 01:48:25 +00:00

routes

fix(rbac): fallback lookup for staff records predating Better-Auth userId

2026-03-28 01:48:25 +00:00

services

fix(gro-38): prod/demo auth and API-based seed (#117)

2026-03-26 20:51:08 +00:00

index.ts

fix: allow groomer and receptionist roles to read staff records

2026-03-28 20:24:22 +00:00