feat(GRO-2513): gate Settings nav+route to manager/super-user, eliminate groomer 403
- App.tsx AdminLayout: fetch /api/staff/me on mount, filter NAV_LINKS so Settings only appears for role=manager or isSuperUser (fail-closed while loading). Guard /admin/settings route to redirect non-managers to /admin.
- Settings.tsx: replace parallel-fire useEffects with a single sequential flow — fetch /api/staff/me first, then only call /api/admin/settings for managers/super-users and /api/admin/auth-provider for super-users only. Groomers/receptionists never trigger the 403.
- UAT_PLAYBOOK.md §5.14: updated with role-gated test cases (TC-WEB-5.14.1–8) covering manager-sees-tab, groomer-no-tab, direct-URL redirect, zero-403, and shared-endpoint regression.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+9
-3
@@ -291,12 +291,18 @@ the seeded UAT customer (`uat-customer@groombook.dev`), not just unit-rendered.
| TC-WEB-5.13.1 | Revenue charts | Navigate to Reports | Revenue charts display with data |
| TC-WEB-5.13.2 | Utilization graphs | View reports | Staff/resource utilization graphs visible |
### 5.14 Settings UI
### 5.14 Settings UI (manager / super-user only — GRO-2513)
| # | Scenario | Steps | Expected |
|---|----------|-------|----------|
| TC-WEB-5.14.1 | Configuration page | Navigate to Settings | Settings page loads without errors |
| TC-WEB-5.14.2 | Form interactions | Modify settings, save | Settings saved successfully, changes reflected |
| TC-WEB-5.14.1 | Manager sees Settings tab | Sign in as `uat-manager`, go to `/admin` | **Settings** link is visible in the admin nav bar |
| TC-WEB-5.14.2 | Manager loads Settings page (200, no 403) | Click **Settings** in the nav | Page loads with Branding & Appearance form; DevTools → Network shows `GET /api/admin/settings` → **200**. Zero 403 responses anywhere in the Network tab. |
| TC-WEB-5.14.3 | Manager can save branding | Modify Business Name, click Save | `PATCH /api/admin/settings` → 200; success message shown |
| TC-WEB-5.14.4 | Super-user sees auth-provider section | Sign in as a super-user, navigate to Settings | Auth provider config section is visible below Branding |
| TC-WEB-5.14.5 | Groomer does NOT see Settings tab | Sign in as `uat-groomer`, go to `/admin` | **Settings** link is **absent** from the nav bar. Network panel shows zero requests to `/api/admin/settings`. |
| TC-WEB-5.14.6 | Groomer navigating directly to `/admin/settings` is redirected | While signed in as `uat-groomer`, navigate to `https://uat.groombook.dev/admin/settings` | Browser redirects to `/admin` (Appointments page). No 403 error in Network tab, no error UI. |
| TC-WEB-5.14.7 | Receptionist does NOT see Settings tab | Sign in as `uat-receptionist` (if seeded), go to `/admin` | **Settings** link is **absent** from the nav bar. Network panel shows zero requests to `/api/admin/settings`. |
| TC-WEB-5.14.8 | Shared staff endpoints still work for groomer | Sign in as `uat-groomer` and navigate through Appointments, Clients, Staff pages | All return 200. No 403 on any shared endpoint. |
### 5.15 Navigation
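Review bot: the new cases TC-WEB-5.14.1–8 verify only the client-side gate; none of them confirms that the server still denies `/api/admin/settings` and `/api/admin/auth-provider` to a groomer or receptionist once the UI stops calling them. Because the section title and TC-WEB-5.14.2/5.14.6 make "zero 403" the pass criterion, a passing run could be read as the endpoint no longer needing to return 403, while the NAV_LINKS filter and the `/admin/settings` redirect described for App.tsx are bypassable by anyone who issues the request directly. Add a TC-WEB-5.14.9 that replays `GET /api/admin/settings` and `PATCH /api/admin/settings` with the `uat-groomer` session (copied from DevTools or sent via curl) and expects **403** (or 401), and a TC-WEB-5.14.10 that does the same for `/api/admin/auth-provider` with the `uat-manager` session; the latter also supplies the negative case missing from TC-WEB-5.14.4, since a manager who is not a super-user should neither see the auth-provider section nor trigger a request to `/api/admin/auth-provider`. Two smaller points: TC-WEB-5.14.7 hedges with `(if seeded)`, so either seed `uat-receptionist` alongside the other UAT accounts or drop the row rather than leaving a conditional case in the playbook; and TC-WEB-5.14.8 should name the endpoints it expects to return 200 (at minimum `/api/staff/me`, which the commit message says every role now calls on mount) so that "no 403 on any shared endpoint" is checkable rather than impressionistic.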