feat(auth): tighten allocation read audiences
@@ -40,7 +40,7 @@
### `packages/api/src/router/allocation.ts`
- broad planning and staffing reads should move from generic `protectedProcedure` to explicit `planning-read` or narrower follow-up audiences
- `list`, `listView`, `listDemands`, `listAssignments`, `getAssignmentById`, `resolveAssignment`, `getDemandRequirementById`, `checkResourceAvailability`, `getResourceAvailabilityView`, `getResourceAvailabilitySummary`: `planning-read`
- mutations already sit behind `manager-write`
### `packages/api/src/router/dashboard.ts`
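Review bot: the `allocation.ts` section leaves the audience decision half-open: the first bullet says reads should move to `planning-read` "or narrower follow-up audiences", while the second bullet assigns all ten reads to `planning-read` without marking which of them are candidates for a narrower audience. Since the list already mixes capacity reads (`checkResourceAvailability`, `getResourceAvailabilityView`, `getResourceAvailabilitySummary`) with demand reads (`listDemands`, `getDemandRequirementById`), annotate each group with its intended future audience here, so the matrix documents the end state rather than only the interim composite. The third bullet ("mutations already sit behind `manager-write`") should name the mutations it covers; an unlisted route is exactly the one that silently stays on `protectedProcedure`.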
@@ -49,6 +49,6 @@
## Immediate Follow-Ups
- reclassify `allocation` read endpoints away from generic `protectedProcedure`
- introduce a dedicated project-read permission instead of the current interim `planning-read` composite
- split `allocation` further into narrower future audiences where resource-capacity and staffing-demand reads diverge
- add authorization tests for every route listed above so the matrix is CI-enforced, not just documented
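Review bot: the first follow-up ("reclassify `allocation` read endpoints away from generic `protectedProcedure`") contradicts the commit message, which says the allocation read audiences were tightened, and the `allocation.ts` section above, which already maps those reads to `planning-read`; either remove this bullet or state precisely which routes are still on `protectedProcedure`. The last bullet should also spell out what the authorization tests assert: for every `planning-read` route, a session without the planning grant is rejected; for every `manager-write` mutation, a caller holding only `planning-read` is rejected. Positive-path tests alone would not detect a route that regressed to `protectedProcedure`.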