quikcue/calvana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Role-based access control: guards on all critical APIs + redirects

Browse Source 
INTEGRATION AUDIT — Fixed all gaps:

1. LOGIN REDIRECT
   - Community leaders → /dashboard/community (not /dashboard)
   - Fetches session after login to check role before redirect
   - Auth0 callback still goes to /dashboard (handled by #2)

2. DASHBOARD HOME REDIRECT
   - If role === community_leader or volunteer → router.replace(/community)
   - Prevents them from seeing the admin home page

3. API ROLE GUARDS (server-side)
   New: src/lib/roles.ts — permission matrix:
   - settings.write: super_admin, org_admin only
   - pledges.write: super_admin, org_admin only (status changes)
   - events.create: super_admin, org_admin only
   - imports.upload: super_admin, org_admin only (bank statements)
   - links.create: super_admin, org_admin, community_leader (they can create)
   - pledges.read: everyone except volunteer
   - dashboard.read: everyone except volunteer

   New: requirePermission() in session.ts
   Applied to:
   - PATCH /api/settings → settings.write
   - PUT /api/settings → settings.write
   - PATCH /api/pledges/[id] → pledges.write
   - POST /api/events → events.create
   - POST /api/imports/bank-statement → imports.upload

   Community leader attempting these gets 403 'Admin access required'

4. LAYOUT NAV (already done in previous commit)
   - community_leader sees: My Community, Share Links, Reports
   - No Money, No Settings, No 'New Appeal' button

WHAT COMMUNITY LEADER CAN DO:
✓ View /dashboard/community (their scoped dashboard)
✓ View /dashboard/collect (share links — they can create new links)
✓ View /dashboard/reports (financial summary)
✓ Create QR sources / links (POST /api/events/[id]/qr)
✓ Read pledges and dashboard data

WHAT COMMUNITY LEADER CANNOT DO:
✗ Change pledge statuses (PATCH /api/pledges/[id] → 403)
✗ Change settings (PATCH/PUT /api/settings → 403)
✗ Create appeals (POST /api/events → 403)
✗ Upload bank statements (POST /api/imports/bank-statement → 403)
✗ Manage team (POST/PATCH/DELETE /api/team → 403, already guarded)
✗ See /dashboard/money, /dashboard/settings (not in nav, home redirects)
This commit is contained in:
Omair Saleh
2026-03-04 21:58:25 +08:00
parent b771858280
commit b477dc30d1
9 changed files with 144 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pledge-now-pay-later/src/app/api/settings/route.ts
View File

@@ -1,6 +1,6 @@
import { NextRequest, NextResponse } from "next/server"
import prisma from "@/lib/prisma"
import { getOrgId } from "@/lib/session"
import { getOrgId, requirePermission } from "@/lib/session"
export async function GET(request: NextRequest) {
try {
@@ -36,6 +36,8 @@ export async function GET(request: NextRequest) {
export async function PUT(request: NextRequest) {
try {
if (!prisma) return NextResponse.json({ error: "DB not configured" }, { status: 503 })
const allowed = await requirePermission("settings.write")
if (!allowed) return NextResponse.json({ error: "Admin access required" }, { status: 403 })
const body = await request.json()
@@ -77,6 +79,8 @@ export async function PUT(request: NextRequest) {
export async function PATCH(request: NextRequest) {
try {
if (!prisma) return NextResponse.json({ error: "DB not configured" }, { status: 503 })
const allowed = await requirePermission("settings.write")
if (!allowed) return NextResponse.json({ error: "Admin access required" }, { status: 403 })
const orgId = await getOrgId(request.headers.get("x-org-id"))
if (!orgId) return NextResponse.json({ error: "Org not found" }, { status: 404 })