Private
Public Access
1
0

Phase 3: Roles & permissions enforcement with guards, member management, and admin panel

Centralize permission checks into guards.ts (requireAuth, requireBoardView,
requireBoardEditor, requireBoardOwner, requireColumnEditor, requireCardEditor,
requireBoardMemberManager, requireTenantAdmin) that fetch entities and check
permissions in a single call, replacing ~100 lines of duplicated inline checks
across all API routes. Adds board member management (add by email, change role,
remove with last-owner protection), tenant admin panel (user role toggle with
last-admin protection, board overview), and fixes missing view guard on card GET.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-02-25 23:13:29 -05:00
parent bd12160ebb
commit 9b5708af64
18 changed files with 747 additions and 182 deletions
+6
View File
@@ -170,6 +170,12 @@
<span class="rounded bg-gray-100 px-2 py-0.5 text-xs text-gray-500">
{data.board.visibility === 'PUBLIC' ? 'Public' : 'Private'}
</span>
<a
href="/boards/{data.board.id}/members"
class="rounded bg-gray-100 px-2 py-0.5 text-xs text-gray-500 hover:bg-gray-200 hover:text-gray-700 transition"
>
{data.board.members.length} {data.board.members.length === 1 ? 'member' : 'members'}
</a>
</div>
<!-- Columns container -->