feat(auth): introduce explicit planning read permission
This commit is contained in:
@@ -8,7 +8,7 @@
|
||||
- `self-service`: authenticated users can only read or mutate data that belongs to their linked resource or account
|
||||
- `authenticated-safe-lookup`: authenticated users can access a deliberately narrow, identity-safe lookup surface
|
||||
- `resource-overview`: users with `viewAllResources` or `manageResources`
|
||||
- `planning-read`: users with at least one of `viewCosts`, `manageProjects`, or `manageAllocations`
|
||||
- `planning-read`: users with `viewPlanning`
|
||||
- `controller-finance`: controller, manager, or admin through `controllerProcedure`
|
||||
- `manager-write`: manager or admin through `managerProcedure`
|
||||
- `admin-only`: admin through `adminProcedure`
|
||||
@@ -49,6 +49,6 @@
|
||||
|
||||
## Immediate Follow-Ups
|
||||
|
||||
- introduce a dedicated project-read permission instead of the current interim `planning-read` composite
|
||||
- monitor whether `viewPlanning` should later split into narrower project-read vs allocation-read audiences
|
||||
- split `allocation` further into narrower future audiences where resource-capacity and staffing-demand reads diverge
|
||||
- add authorization tests for every route listed above so the matrix is CI-enforced, not just documented
|
||||
|
||||
Reference in New Issue
Block a user