RBAC: Enforce read-only viewer role across backend and frontend

- Add global WriteAccessGuard that blocks POST/PUT/PATCH/DELETE for viewer role - Add @AllowViewer() decorator for endpoints viewers need (switch-org, intro-seen, AI recommendations) - Add useIsReadOnly hook to auth store for frontend role checks - Hide write UI (add/edit/delete/import buttons, inline editors) in all 13 data pages for viewers - Disable inline NumberInputs on Budgets and Monthly Actuals pages for viewers - Skip onboarding wizard for viewer role users Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 09:18:32 -05:00
parent 07347a644f
commit c92eb1b57b
20 changed files with 269 additions and 156 deletions
--- a/frontend/src/pages/budgets/BudgetsPage.tsx
+++ b/frontend/src/pages/budgets/BudgetsPage.tsx
@@ -7,6 +7,7 @@ import { notifications } from '@mantine/notifications';
 import { IconDeviceFloppy, IconUpload, IconDownload, IconInfoCircle } from '@tabler/icons-react';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import api from '../../services/api';
+import { useIsReadOnly } from '../../stores/authStore';

 interface BudgetLine {
  account_id: string;
@@ -96,6 +97,7 @@ export function BudgetsPage() {
  const [budgetData, setBudgetData] = useState<BudgetLine[]>([]);
  const queryClient = useQueryClient();
  const fileInputRef = useRef<HTMLInputElement>(null);
+  const isReadOnly = useIsReadOnly();

  const { isLoading } = useQuery<BudgetLine[]>({
    queryKey: ['budgets', year],
@@ -257,24 +259,26 @@ export function BudgetsPage() {
          >
            Download Template
          </Button>
-          <Button
-            variant="outline"
-            leftSection={<IconUpload size={16} />}
-            onClick={handleImportCSV}
-            loading={importMutation.isPending}
-          >
-            Import CSV
-          </Button>
-          <input
-            type="file"
-            ref={fileInputRef}
-            style={{ display: 'none' }}
-            accept=".csv,.txt"
-            onChange={handleFileChange}
-          />
-          <Button leftSection={<IconDeviceFloppy size={16} />} onClick={() => saveMutation.mutate()} loading={saveMutation.isPending}>
-            Save Budget
-          </Button>
+          {!isReadOnly && (<>
+            <Button
+              variant="outline"
+              leftSection={<IconUpload size={16} />}
+              onClick={handleImportCSV}
+              loading={importMutation.isPending}
+            >
+              Import CSV
+            </Button>
+            <input
+              type="file"
+              ref={fileInputRef}
+              style={{ display: 'none' }}
+              accept=".csv,.txt"
+              onChange={handleFileChange}
+            />
+            <Button leftSection={<IconDeviceFloppy size={16} />} onClick={() => saveMutation.mutate()} loading={saveMutation.isPending}>
+              Save Budget
+            </Button>
+          </>)}
        </Group>
      </Group>

@@ -394,6 +398,7 @@ export function BudgetsPage() {
                            hideControls
                            decimalScale={2}
                            min={0}
+                            disabled={isReadOnly}
                            styles={{ input: { textAlign: 'right', fontFamily: 'monospace' } }}
                          />
                        </Table.Td>