fix(blueprint): require planning access for detailed reads
@@ -146,16 +146,15 @@ Reasoning:
### `packages/api/src/router/blueprint.ts`
- `listSummaries`: `planning-read`
- `listSummaries`, `list`, `getById`, `getByIdentifier`: `planning-read`
- `resolveByIdentifier`: `authenticated-safe-lookup`
- remaining reads stay unchanged in this rollout
- create, update, delete, global-flag writes: `admin-only`
Reasoning:
- `listSummaries` exposes `_count.projects`, so the assistant-facing summary list should not remain a broad authenticated read
- `resolveByIdentifier` already returns a narrow lookup shape suitable for low-risk name/id resolution
- broader blueprint read routes still support existing UI flows and need a separate follow-up slice before they can be tightened safely
- the broader blueprint reads expose full template configuration such as field definitions, defaults, and validation rules that belong to planning workflows rather than generic authenticated access
### `packages/api/src/router/holiday-calendar.ts`
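Review bot: the hunk removes the "remaining reads stay unchanged in this rollout" line without replacing it with a statement of what unlisted routes default to, so if `blueprint.ts` exposes any read beyond `listSummaries`, `list`, `getById`, `getByIdentifier` and `resolveByIdentifier`, the policy document no longer says which access level it carries. Suggest either stating in the list that these are the router's only reads, or adding an explicit catch-all such as "- any other read: `planning-read`" so the section stays exhaustive. Related: the removed reasoning bullet said the broader reads "still support existing UI flows and need a separate follow-up slice before they can be tightened safely"; the new bullet explains why those reads belong to planning workflows but not how the existing UI callers were handled, so a sentence noting that the affected flows were verified to hold planning access (or were migrated) would make the tightening reviewable against the earlier caveat.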