feat: add flexible capability-based RBAC with per-tenant customization
Introduces a capability layer on top of existing roles that controls feature visibility and access. Capabilities follow an area.feature.action taxonomy (~35 capabilities) with sensible defaults per role. Tenant admins can customize via grant/revoke overrides stored in org settings JSONB. Key changes: - Add vice_president role to DB schema - Backend: capability constants, resolution logic, CapabilityGuard (global), @RequireCapability decorator on all 16 tenant controllers - Frontend: permission hooks (useCanEdit, useHasCapability), CapabilityGate component, sidebar filtering by capability, all 17 pages migrated from useIsReadOnly to capability-based checks - New admin UI: /settings/permissions matrix page for per-tenant role customization with grant/revoke delta model - GET /organizations/my-capabilities endpoint for capability refresh - Validation of permissionOverrides in settings updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@ import {
|
||||
} from '@nestjs/common';
|
||||
import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
|
||||
import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
|
||||
import { RequireCapability } from '../../common/decorators/capability.decorator';
|
||||
import { JournalEntriesService } from './journal-entries.service';
|
||||
import { CreateJournalEntryDto } from './dto/create-journal-entry.dto';
|
||||
import { VoidJournalEntryDto } from './dto/void-journal-entry.dto';
|
||||
@@ -16,6 +17,7 @@ export class JournalEntriesController {
|
||||
|
||||
@Get()
|
||||
@ApiOperation({ summary: 'List journal entries' })
|
||||
@RequireCapability('transactions.view')
|
||||
findAll(
|
||||
@Query('from') from?: string,
|
||||
@Query('to') to?: string,
|
||||
@@ -27,24 +29,28 @@ export class JournalEntriesController {
|
||||
|
||||
@Get(':id')
|
||||
@ApiOperation({ summary: 'Get journal entry by ID' })
|
||||
@RequireCapability('transactions.view')
|
||||
findOne(@Param('id') id: string) {
|
||||
return this.jeService.findOne(id);
|
||||
}
|
||||
|
||||
@Post()
|
||||
@ApiOperation({ summary: 'Create a journal entry' })
|
||||
@RequireCapability('transactions.edit')
|
||||
create(@Body() dto: CreateJournalEntryDto, @Request() req: any) {
|
||||
return this.jeService.create(dto, req.user.sub);
|
||||
}
|
||||
|
||||
@Post(':id/post')
|
||||
@ApiOperation({ summary: 'Post (finalize) a journal entry' })
|
||||
@RequireCapability('transactions.edit')
|
||||
post(@Param('id') id: string, @Request() req: any) {
|
||||
return this.jeService.post(id, req.user.sub);
|
||||
}
|
||||
|
||||
@Post(':id/void')
|
||||
@ApiOperation({ summary: 'Void a journal entry' })
|
||||
@RequireCapability('transactions.edit')
|
||||
void(@Param('id') id: string, @Body() dto: VoidJournalEntryDto, @Request() req: any) {
|
||||
return this.jeService.void(id, req.user.sub, dto.reason);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user