Private
Public Access
1
0

Phase 3: Roles & permissions enforcement with guards, member management, and admin panel

Centralize permission checks into guards.ts (requireAuth, requireBoardView,
requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor,
requireBoardMemberManager, requireTenantAdmin) that fetch entities and check
permissions in a single call, replacing ~100 lines of duplicated inline checks
across all API routes. Adds board member management (add by email, change role,
remove with last-owner protection), tenant admin panel (user role toggle with
last-admin protection, board overview), and fixes missing view guard on card GET.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-02-25 23:13:29 -05:00
parent bd12160ebb
commit 9b5708af64
18 changed files with 747 additions and 182 deletions
+8
View File
@@ -21,6 +21,14 @@
<div class="flex items-center gap-3">
{#if data.user}
{#if data.user.tenantRole === 'ADMIN' || data.user.globalRole === 'SITE_ADMIN'}
<a
href="/admin"
class="rounded bg-white/20 px-3 py-1.5 text-sm text-white hover:bg-white/30 transition"
>
Admin
</a>
{/if}
<span class="text-white/80 text-sm">{data.user.name}</span>
<button
onclick={async () => {