fix: dashboard — gate all sections by user permissions

API now only returns data sections the user has permission to see: - my_shift: attendance.record - attendance: attendance.admin - offers: offers.view - projects: projects.view - invoices: invoices.view - orders: orders.view - leave_pending: attendance.approve - recent_activity: settings.audit Frontend hides KPI cards, activity feed, and attendance sections for users without the matching permissions. Regular employees now only see their shift status, quick actions, profile, and sessions — not company KPIs or admin data. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 18:51:29 +01:00
parent a1c70ba25f
commit bcad377f92
2 changed files with 169 additions and 223 deletions
--- a/src/admin/pages/Dashboard.tsx
+++ b/src/admin/pages/Dashboard.tsx
@@ -19,7 +19,7 @@ const API_BASE = '/api/admin'
 type DashData = Record<string, any>

 export default function Dashboard() {
-  const { user, updateUser } = useAuth()
+  const { user, updateUser, hasPermission } = useAuth()
  const alert = useAlert()

  const [dashData, setDashData] = useState<DashData | null>(null)
@@ -279,8 +279,10 @@ export default function Dashboard() {
        </div>
      )}

-      {/* KPI cards */}
-      {!dashLoading && <DashKpiCards dashData={dashData} />}
+      {/* KPI cards — only show if user has any admin-level permissions */}
+      {!dashLoading && (hasPermission('offers.view') || hasPermission('invoices.view') || hasPermission('projects.view') || hasPermission('orders.view')) && (
+        <DashKpiCards dashData={dashData} />
+      )}

      {/* Quick actions */}
      {!dashLoading && (
@@ -298,9 +300,9 @@ export default function Dashboard() {
        animate={{ opacity: 1, y: 0 }}
        transition={{ duration: 0.25, delay: 0.12 }}
      >
-        <DashActivityFeed activities={dashData?.recent_activity} />
+        {hasPermission('settings.audit') && <DashActivityFeed activities={dashData?.recent_activity} />}

-        <DashAttendanceToday attendance={dashData?.attendance} />
+        {hasPermission('attendance.admin') && <DashAttendanceToday attendance={dashData?.attendance} />}

        {/* Pravy sloupec: projekty + nabidky */}
        <div className="dash-right-col">