feat(management-level): scope reads to planning audience
@@ -125,6 +125,16 @@ Reasoning:
|
||||
- the categories feed project configuration and planning/reporting workflows instead of broad self-service screens
|
||||
- `getById` includes `_count.projects`, so the detailed read should not remain a generic authenticated route
|
||||
|
||||
### `packages/api/src/router/management-level.ts`
|
||||
|
||||
- `listGroups`, `getGroupById`: `planning-read`
|
||||
- create, update, delete: `admin-only`
|
||||
|
||||
Reasoning:
|
||||
|
||||
- management-level groups carry chargeability targets and resource-linked counts that feed planning and reporting workflows, so they should not stay on broad authenticated reads
|
||||
- the list is consumed by resource editing, reporting filters, and admin configuration, which all fit the explicit planning audience better than generic `protectedProcedure`
|
||||
|
||||
### `packages/api/src/router/holiday-calendar.ts`
|
||||
|
||||
- `listCalendars`, `listCalendarsDetail`, `getCalendarByIdentifier`, `getCalendarByIdentifierDetail`, `getCalendarById`: `admin-only`
|
||||
|
||||
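Review bot: The second reasoning bullet of the new `management-level.ts` section names resource editing as a consumer of `listGroups`, but nothing in the section says that everyone who can edit resources is part of the `planning-read` audience. If a resource-editing role falls outside it, the group list on that screen will start returning an authorization error once the read moves off `protectedProcedure`. Please state which roles make up `planning-read`, or link to where that is defined, and confirm the resource-editing callers are covered. The mutation line also reads "create, update, delete: `admin-only`" without procedure names, while the read line lists `listGroups` and `getGroupById` explicitly. Naming the mutation procedures the same way would let the document be checked against the router line by line.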