feat(client): scope planning reads to explicit audience

2026-03-30 10:24:52 +02:00
parent 2b514ea962
commit ae74700f7c
5 changed files with 206 additions and 5 deletions
@@ -3,7 +3,13 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
 import { createAuditEntry } from "../lib/audit.js";
-import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure } from "../trpc.js";
+import {
+  adminProcedure,
+  createTRPCRouter,
+  managerProcedure,
+  planningReadProcedure,
+  protectedProcedure,
+} from "../trpc.js";

 import type { ClientTree } from "@capakraken/shared";

@@ -30,7 +36,7 @@ function buildClientTree(flatItems: FlatClient[], parentId: string | null = null
 }

 export const clientRouter = createTRPCRouter({
-  list: protectedProcedure
+  list: planningReadProcedure
    .input(
      z.object({
        parentId: z.string().nullable().optional(),
@@ -57,7 +63,7 @@ export const clientRouter = createTRPCRouter({
      });
    }),

-  getTree: protectedProcedure
+  getTree: planningReadProcedure
    .input(z.object({ isActive: z.boolean().optional() }).optional())
    .query(async ({ ctx, input }) => {
      const all = await ctx.db.client.findMany({
@@ -69,7 +75,7 @@ export const clientRouter = createTRPCRouter({
      return buildClientTree(all);
    }),

-  getById: protectedProcedure
+  getById: planningReadProcedure
    .input(z.object({ id: z.string() }))
    .query(async ({ ctx, input }) => {
      const client = await findUniqueOrThrow(
@@ -136,7 +142,7 @@ export const clientRouter = createTRPCRouter({
      return client;
    }),

-  getByIdentifier: protectedProcedure
+  getByIdentifier: planningReadProcedure
    .input(z.object({ identifier: z.string().trim().min(1) }))
    .query(async ({ ctx, input }) => {
      const identifier = input.identifier.trim();