fix(vacation): scope preview requests to owned resources

2026-03-30 12:07:26 +02:00
parent 6a6e98b5f7
commit c7434c968e
4 changed files with 180 additions and 0 deletions
+13
@@ -179,6 +179,19 @@ Reasoning:
- cross-resource balance reads and year summaries are operational planning and approval workflows, so they stay with controller/manager/admin audiences rather than broad authenticated access
- bulk entitlement changes affect many users at once and should remain restricted to the smallest administrative audience
### `packages/api/src/router/vacation.ts`
- `previewRequest`, `list`, `getById`, `getForResource`, `getTeamOverlap`, `getTeamOverlapDetail`, `cancel`: `self-service` for the caller's own resource, with elevated cross-resource reads for manager and admin roles
- `create`: `self-service` for the caller's own resource, with elevated creation for manager and admin roles
- `approve`, `reject`, `getPendingApprovals`, `updateStatus` approval paths: `manager-write`
- `batchCreatePublicHolidays`: `admin-only`
Reasoning:
- the employee-facing vacation flows are valid self-service features, but they must not reveal holiday context, overlap data, or request details for arbitrary resources
- manager and admin roles already handle approval and operational cross-resource workflows, so they retain broader access where the route logic explicitly allows it
- bulk public-holiday generation changes organization-wide absence data and therefore belongs to the smallest administrative audience
### `packages/api/src/router/notification.ts`
- `list`, `unreadCount`, `markRead`, task detail/status routes, reminder routes, and `delete`: `self-service`
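Review bot: in the `packages/api/src/router/vacation.ts` bullet, `cancel` is grouped with `previewRequest`, `list`, `getById`, `getForResource`, `getTeamOverlap` and `getTeamOverlapDetail` under "elevated cross-resource reads for manager and admin roles", but `cancel` is a mutation, not a read; give it its own line that states whether manager and admin roles may cancel requests on resources they do not own, or reword the tier to "reads and cancellations" so the doc matches the route behaviour. The same bullet, and the `previewRequest` entry in particular given the commit title "scope preview requests to owned resources", should also state what a `self-service` caller gets when the request names a resource that is not their own: a rejection (forbidden) or a result silently scoped to the caller's own resource. The two are different contracts for clients and for audit logging, and the Reasoning line "must not reveal holiday context, overlap data, or request details for arbitrary resources" does not say which one the routes implement.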