fix(blueprint): require planning access for global field defs

2026-03-30 12:18:59 +02:00
parent 649c8feb22
commit c9a35452dc
3 changed files with 80 additions and 2 deletions
+2 -1
@@ -146,7 +146,7 @@ Reasoning:
### `packages/api/src/router/blueprint.ts`
- `listSummaries`, `list`, `getById`, `getByIdentifier`: `planning-read`
- `listSummaries`, `list`, `getById`, `getByIdentifier`, `getGlobalFieldDefs`: `planning-read`
- `resolveByIdentifier`: `authenticated-safe-lookup`
- create, update, delete, global-flag writes: `admin-only`
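Review bot: on the `planning-read` line, adding `getGlobalFieldDefs` only changes the documented classification, and of the 3 changed files only this one is visible here, so check that the procedure in `packages/api/src/router/blueprint.ts` is moved to the planning guard in the same commit and that a test asserts an authenticated caller without planning access is rejected. Otherwise the document and the router can drift apart without anyone noticing.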
@@ -155,6 +155,7 @@ Reasoning:
- `listSummaries` exposes `_count.projects`, so the assistant-facing summary list should not remain a broad authenticated read
- `resolveByIdentifier` already returns a narrow lookup shape suitable for low-risk name/id resolution
- the broader blueprint reads expose full template configuration such as field definitions, defaults, and validation rules that belong to planning workflows rather than generic authenticated access
- `getGlobalFieldDefs` aggregates active global field definitions across blueprints, so it belongs with the same planning configuration audience rather than a broad authenticated read
### `packages/api/src/router/holiday-calendar.ts`
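Review bot: the new `getGlobalFieldDefs` bullet justifies the tighter audience but does not say what callers that depended on the broad authenticated read should do now. The `listSummaries` bullet names the assistant-facing consumer and `resolveByIdentifier` is kept as the low-risk lookup; add a sentence stating whether any non-planning client calls `getGlobalFieldDefs` and, if so, which narrower lookup it should use instead.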