test(entitlement): cover self-service and role boundaries
@@ -167,6 +167,18 @@ Reasoning:
- the calendar catalog is currently consumed in the web app only by the admin vacation editor, so broad authenticated reads expose internal configuration without a product need
- narrowing just the catalog reads keeps the hardening slice small while avoiding regressions in shared holiday-resolution helpers used by vacation, timeline, and assistant flows
### `packages/api/src/router/entitlement.ts`
- `getBalance`, `getBalanceDetail`: `self-service` for the caller's own resource, with elevated cross-resource reads for controller, manager, and admin roles
- `get`, `set`, `getYearSummary`, `getYearSummaryDetail`: `manager-write`
- `bulkSet`: `admin-only`
Reasoning:
- regular users can inspect only their own holiday-aware balance, and the route enforces that by checking resource ownership before loading entitlement data
- cross-resource balance reads and year summaries are operational planning and approval workflows, so they stay with controller/manager/admin audiences rather than broad authenticated access
- bulk entitlement changes affect many users at once and should remain restricted to the smallest administrative audience
### `packages/api/src/router/notification.ts`
- `list`, `unreadCount`, `markRead`, task detail/status routes, reminder routes, and `delete`: `self-service`
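Review bot: the tier label and the reasoning for the year-summary routes in the `entitlement.ts` section disagree: the bullet files `get`, `set`, `getYearSummary` and `getYearSummaryDetail` under `manager-write`, while the Reasoning bullet says cross-resource balance reads and year summaries "stay with controller/manager/admin audiences", and the `getBalance` bullet separately spells out controller, manager and admin as the elevated audience. If `manager-write` already includes the controller role, say so once in the bullet (for example "`manager-write` (controller, manager, admin)"); if it does not, either the tier or the reasoning line is wrong and a reader cannot tell which audience actually reaches year summaries. Separately, the `getBalance` bullet states that the route checks resource ownership before loading entitlement data, but the `notification.ts` bullet lists `markRead` and `delete` as `self-service` without the matching statement that the route verifies the notification belongs to the caller; mirroring that ownership sentence would keep the matrix consistent and make the self-service boundary for mutating routes explicit.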