Commit graph

2 commits

Author SHA1 Message Date
DJP
d953cee7ad Phase 2: per-client-team visibility enforcement
- New src/lib/rbac/visibility.ts: visibleProjectsWhere/Deliverables/Stages
  helpers + assertProjectVisible. ADMIN bypasses; empty team memberships
  fail-closed (user sees nothing). Reads from session cache, falls back
  to DB lookup.
- Session callback now populates clientTeamIds + isExternal on session.user
  so downstream queries don't hit the DB per request.
- next-auth.d.ts: Session.user extended with clientTeamIds + isExternal.
- AuthSession type mirrors the same.
- require-auth: added visibilityContextFromSession(session) helper so API
  routes can construct a VisibilityContext in one line.
- CLIENT_VIEWER role entry added to DEFAULT_PERMISSIONS (read + comments).

Services wired with visibility (32 query sites across 9 files):
- project-service: list/get AND'd with visibleProjectsWhere; update/delete
  pre-gate via assertProjectVisible.
- deliverable-service: list/get/create/bulkCreate gate on parent project
  visibility; update/delete pre-check via parent project lookup.
- stage-service: getBlockedStages AND's stage visibility;
  bulk/updateStageStatus pre-gate via parent project.
- dashboard-service: all 6 groupBy/findMany queries AND'd with visibility.
- workload-service: pulls project.clientTeamId and post-filters assignments
  (nested include can't be filtered cleanly at DB level).
- calendar-service: now takes organizationId + ctx; AND's org + visibility
  into the stage findMany.
- weekly-report-service: 6 parallel queries AND'd with visibility fragments.
- semantic-search-service: Prisma queries AND'd; raw SQL vectorSearch
  appends `AND p."clientTeamId" = ANY($N::text[])` for non-admins, returns
  empty early when scoped user has no team memberships.
- assignment-service: assignUserToStage pre-gates project visibility;
  getMyWork filters rows by client-team membership; bulkAssignArtists
  skips stages not visible to caller.

API routes updated to pass visibility context (13 routes):
/api/projects, /api/projects/[id], /api/projects/[id]/deliverables,
/api/projects/[id]/deliverables/[id], /api/stages/[id],
/api/stages/[id]/assignments, /api/dashboard/stats, /api/my-work,
/api/calendar, /api/reports/weekly, /api/workload,
/api/search/semantic, /api/chat/route (chat tool-executor threads ctx
through all 20 tool handlers via executeTool context param).

Verified: npx tsc --noEmit ✓ zero errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 18:50:00 -04:00
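Added example, not the project's code and not lifted from src/lib/rbac/visibility.ts: a self-contained TypeScript sketch of the fail-closed visibility helpers the commit message above describes, so the three behaviours worth checking in review (ADMIN bypass, empty team memberships yielding nothing, and the raw-SQL path binding the team list as a `$N::text[]` parameter rather than interpolating it) can be exercised without a database. The VisibilityContext shape, the Prisma-style `where` fragment, the function signatures, the in-memory stand-in for findMany and the sample rows are all assumptions made for the example.

```typescript
// Added example (not the project's code). Shapes below are assumed, not the
// project's actual types.
type Role = "ADMIN" | "MEMBER" | "CLIENT_VIEWER";

interface VisibilityContext {
  role: Role;
  clientTeamIds: string[]; // empty for a scoped user with no team memberships
}

interface Project {
  id: string;
  clientTeamId: string;
}

// Prisma-style `where` fragment: no `clientTeamId` key means unrestricted,
// `{ in: [] }` matches nothing, which is the fail-closed case for a scoped
// caller with no memberships.
type ProjectWhere = { clientTeamId?: { in: string[] } };

function visibleProjectsWhere(ctx: VisibilityContext): ProjectWhere {
  if (ctx.role === "ADMIN") return {};
  return { clientTeamId: { in: [...ctx.clientTeamIds] } };
}

// In-memory stand-in for a findMany with the fragment AND'd in.
function applyProjectWhere(rows: Project[], where: ProjectWhere): Project[] {
  const scope = where.clientTeamId;
  if (scope === undefined) return rows; // admin: unrestricted
  const allowed = new Set(scope.in);     // empty set -> no rows pass
  return rows.filter((p) => allowed.has(p.clientTeamId));
}

function isProjectVisible(ctx: VisibilityContext, project: Project): boolean {
  return ctx.role === "ADMIN" || ctx.clientTeamIds.includes(project.clientTeamId);
}

// Pre-gate for update/delete: refuse before the row is touched.
function assertProjectVisible(ctx: VisibilityContext, project: Project): void {
  if (!isProjectVisible(ctx, project)) {
    throw new Error(`project ${project.id} is not visible to caller`);
  }
}

// Raw-SQL path. `sql` is assumed to already contain a WHERE clause. Returns
// null when a scoped caller has no memberships so the caller can short-circuit
// to an empty result. The team list is appended as a positional parameter
// ($N::text[]) and pushed onto `params`; it is never spliced into the string.
function scopeVectorSearch(
  ctx: VisibilityContext,
  sql: string,
  params: unknown[],
): { sql: string; params: unknown[] } | null {
  if (ctx.role === "ADMIN") return { sql, params };
  if (ctx.clientTeamIds.length === 0) return null;
  const n = params.length + 1;
  return {
    sql: `${sql} AND p."clientTeamId" = ANY($${n}::text[])`,
    params: [...params, ctx.clientTeamIds],
  };
}

// Constructed sample rows for the example (not from the page).
const PROJECTS: Project[] = [
  { id: "p1", clientTeamId: "team-a" },
  { id: "p2", clientTeamId: "team-b" },
  { id: "p3", clientTeamId: "team-a" },
];

// Project ids the caller is allowed to list.
function listProjects(ctx: VisibilityContext): string[] {
  return applyProjectWhere(PROJECTS, visibleProjectsWhere(ctx)).map((p) => p.id);
}
```

The point of `scopeVectorSearch` returning `null` rather than an `ANY($N::text[])` clause with an empty array is that the caller has to handle the no-membership case explicitly, which keeps the fail-closed decision in one place instead of relying on the database to return zero rows.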
Leivur R. Djurhuus
b4ae910cf5 Add Auth.js v5 with Google + Microsoft Entra ID SSO
- NextAuth config with PrismaAdapter, database sessions
- Session callback enriches with role + organizationId
- Login page with Google and Microsoft sign-in buttons
- Cookie-based middleware for auth protection (Edge-compatible)
- Type augmentation for session user fields

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 21:07:38 -06:00