feat(perms): drop dead document export permissions; seed the 12 survivors via migration

offers.export/orders.export/invoices.export gated nothing on the backend (PDF
routes enforce *.view); they only toggled frontend buttons and showed dead
role checkboxes. Migration deletes them (+ role grants) and idempotently seeds
the 12 enforced doc perms (offers/orders/invoices x view/create/edit/delete) +
admin grant, so a fresh prod DB has them (closes the seed-only drift gap).
Route reverts to orders.view; the 8 frontend *.export checks now use *.view.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-09 21:19:38 +02:00
parent 3268cf2100
commit d445384408
10 changed files with 76 additions and 34 deletions

View File

@@ -1,6 +1,6 @@
import { FastifyInstance } from "fastify";
import prisma from "../../config/database";
import { requireAnyPermission } from "../../middleware/auth";
import { requirePermission } from "../../middleware/auth";
import { parseId, success } from "../../utils/response";
import { localDateCzStr } from "../../utils/date";
import { htmlToPdf } from "../../utils/html-to-pdf";
@@ -821,12 +821,11 @@ ${indentCSS}
export default async function issuedOrdersPdfRoutes(fastify: FastifyInstance) {
fastify.get<{ Params: { id: string } }>(
"/:id",
// Mirror invoices-pdf (invoices.view): view-level access serves both the
// user-facing Export PDF and the ?save=1 NAS archive. Using requireAny so an
// order editor (who has orders.view) can trigger archival on save without
// also needing orders.export — otherwise the fire-and-forget archive 403s
// silently. orders.export holders keep access too.
{ preHandler: requireAnyPermission("orders.view", "orders.export") },
// Mirror invoices-pdf (invoices.view): view-level access serves BOTH the
// user-facing Export PDF and the ?save=1 NAS archive. There is no separate
// orders.export permission (it was dead — gated nothing — and was removed);
// orders.view is the single gate for both paths.
{ preHandler: requirePermission("orders.view") },
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;