Phase 3: Roles & permissions enforcement with guards, member management, and admin panel
Centralize permission checks into guards.ts (requireAuth, requireBoardView, requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor, requireBoardMemberManager, requireTenantAdmin) that fetch entities and check permissions in a single call, replacing ~100 lines of duplicated inline checks across all API routes. Adds board member management (add by email, change role, remove with last-owner protection), tenant admin panel (user role toggle with last-admin protection, board overview), and fixes missing view guard on card GET. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -21,6 +21,14 @@
|
||||
|
||||
<div class="flex items-center gap-3">
|
||||
{#if data.user}
|
||||
{#if data.user.tenantRole === 'ADMIN' || data.user.globalRole === 'SITE_ADMIN'}
|
||||
<a
|
||||
href="/admin"
|
||||
class="rounded bg-white/20 px-3 py-1.5 text-sm text-white hover:bg-white/30 transition"
|
||||
>
|
||||
Admin
|
||||
</a>
|
||||
{/if}
|
||||
<span class="text-white/80 text-sm">{data.user.name}</span>
|
||||
<button
|
||||
onclick={async () => {
|
||||
|
||||
Reference in New Issue
Block a user