RBAC: Enforce read-only viewer role across backend and frontend

- Add global WriteAccessGuard that blocks POST/PUT/PATCH/DELETE for viewer role - Add @AllowViewer() decorator for endpoints viewers need (switch-org, intro-seen, AI recommendations) - Add useIsReadOnly hook to auth store for frontend role checks - Hide write UI (add/edit/delete/import buttons, inline editors) in all 13 data pages for viewers - Disable inline NumberInputs on Budgets and Monthly Actuals pages for viewers - Skip onboarding wizard for viewer role users Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 09:18:32 -05:00
parent 07347a644f
commit c92eb1b57b
20 changed files with 269 additions and 156 deletions
--- a/frontend/src/pages/monthly-actuals/MonthlyActualsPage.tsx
+++ b/frontend/src/pages/monthly-actuals/MonthlyActualsPage.tsx
@@ -9,6 +9,7 @@ import {
 } from '@tabler/icons-react';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import api from '../../services/api';
+import { useIsReadOnly } from '../../stores/authStore';
 import { AttachmentPanel } from '../../components/attachments/AttachmentPanel';

 interface ActualLine {
@@ -64,6 +65,7 @@ export function MonthlyActualsPage() {
  const [editedAmounts, setEditedAmounts] = useState<Record<string, number>>({});
  const [savedJEId, setSavedJEId] = useState<string | null>(null);
  const queryClient = useQueryClient();
+  const isReadOnly = useIsReadOnly();

  const yearOptions = Array.from({ length: 5 }, (_, i) => {
    const y = new Date().getFullYear() - 2 + i;
@@ -204,6 +206,7 @@ export function MonthlyActualsPage() {
                hideControls
                decimalScale={2}
                allowNegative
+                disabled={isReadOnly}
                styles={{ input: { textAlign: 'right', fontFamily: 'monospace' } }}
              />
            </Table.Td>
@@ -229,14 +232,16 @@ export function MonthlyActualsPage() {
        <Group>
          <Select data={yearOptions} value={year} onChange={(v) => v && setYear(v)} w={100} />
          <Select data={monthOptions} value={month} onChange={(v) => v && setMonth(v)} w={150} />
-          <Button
-            leftSection={<IconDeviceFloppy size={16} />}
-            onClick={() => saveMutation.mutate()}
-            loading={saveMutation.isPending}
-            disabled={lines.length === 0}
-          >
-            {hasChanges ? 'Save & Reconcile' : 'Save Actuals'}
-          </Button>
+          {!isReadOnly && (
+            <Button
+              leftSection={<IconDeviceFloppy size={16} />}
+              onClick={() => saveMutation.mutate()}
+              loading={saveMutation.isPending}
+              disabled={lines.length === 0}
+            >
+              {hasChanges ? 'Save & Reconcile' : 'Save Actuals'}
+            </Button>
+          )}
        </Group>
      </Group>