feat(perms): drop dead document export permissions; seed the 12 survivors via migration
offers.export/orders.export/invoices.export gated nothing on the backend (PDF routes enforce *.view); they only toggled frontend buttons and showed dead role checkboxes. Migration deletes them (+ role grants) and idempotently seeds the 12 enforced doc perms (offers/orders/invoices x view/create/edit/delete) + admin grant, so a fresh prod DB has them (closes the seed-only drift gap). Route reverts to orders.view; the 8 frontend *.export checks now use *.view. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
import { FastifyInstance } from "fastify";
|
||||
import prisma from "../../config/database";
|
||||
import { requireAnyPermission } from "../../middleware/auth";
|
||||
import { requirePermission } from "../../middleware/auth";
|
||||
import { parseId, success } from "../../utils/response";
|
||||
import { localDateCzStr } from "../../utils/date";
|
||||
import { htmlToPdf } from "../../utils/html-to-pdf";
|
||||
@@ -821,12 +821,11 @@ ${indentCSS}
|
||||
export default async function issuedOrdersPdfRoutes(fastify: FastifyInstance) {
|
||||
fastify.get<{ Params: { id: string } }>(
|
||||
"/:id",
|
||||
// Mirror invoices-pdf (invoices.view): view-level access serves both the
|
||||
// user-facing Export PDF and the ?save=1 NAS archive. Using requireAny so an
|
||||
// order editor (who has orders.view) can trigger archival on save without
|
||||
// also needing orders.export — otherwise the fire-and-forget archive 403s
|
||||
// silently. orders.export holders keep access too.
|
||||
{ preHandler: requireAnyPermission("orders.view", "orders.export") },
|
||||
// Mirror invoices-pdf (invoices.view): view-level access serves BOTH the
|
||||
// user-facing Export PDF and the ?save=1 NAS archive. There is no separate
|
||||
// orders.export permission (it was dead — gated nothing — and was removed);
|
||||
// orders.view is the single gate for both paths.
|
||||
{ preHandler: requirePermission("orders.view") },
|
||||
async (request, reply) => {
|
||||
const id = parseId(request.params.id, reply);
|
||||
if (id === null) return;
|
||||
|
||||
Reference in New Issue
Block a user