feat(holiday-calendar): restrict catalog reads to admins
@@ -125,6 +125,17 @@ Reasoning:
- the categories feed project configuration and planning/reporting workflows instead of broad self-service screens
- `getById` includes `_count.projects`, so the detailed read should not remain a generic authenticated route
### `packages/api/src/router/holiday-calendar.ts`
- `listCalendars`, `listCalendarsDetail`, `getCalendarByIdentifier`, `getCalendarByIdentifierDetail`, `getCalendarById`: `admin-only`
- create, update, delete calendar and entry mutations: `admin-only`
- holiday resolution and preview helpers remain unchanged in this rollout
Reasoning:
- the calendar catalog is currently consumed in the web app only by the admin vacation editor, so broad authenticated reads expose internal configuration without a product need
- narrowing just the catalog reads keeps the hardening slice small while avoiding regressions in shared holiday-resolution helpers used by vacation, timeline, and assistant flows
## Assistant Parity Rule
- assistant tool visibility must never widen the audience of the backing router
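Review bot: the `## Assistant Parity Rule` ("assistant tool visibility must never widen the audience of the backing router") cannot be checked against this slice, because the `packages/api/src/router/holiday-calendar.ts` section never says whether any assistant tool currently wraps `listCalendars`, `listCalendarsDetail`, `getCalendarByIdentifier`, `getCalendarByIdentifierDetail` or `getCalendarById`. The Reasoning bullet states that the shared holiday-resolution helpers are used by "vacation, timeline, and assistant flows", so the assistant layer does reach into this router; add a line under the `holiday-calendar.ts` section that names the assistant tools (if any) backing onto the catalog reads and confirms they are gated to admins as well, or states explicitly that none exist. In the same section, "holiday resolution and preview helpers remain unchanged in this rollout" should list those procedures and their current audience, so a reader can tell which exports of the router stay broadly authenticated after the catalog reads move to `admin-only`. Note also that this hunk touches only the plan document; the router change the commit title describes ("restrict catalog reads to admins") is not visible here, so confirm the `holiday-calendar.ts` change lands in the same commit.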