Adds NEXT_PUBLIC_CLOSED_PO_ATTACHMENTS_ENABLED. When on, a CLOSED PO's own
submitter -- plus Accounts / Manager / SuperUser -- can attach documents to
it, so POs whose uploads were lost to the document-upload bug can be fixed
without reopening them. Off by default, so production stays unchanged until
enabled.

- lib/permissions.ts: canAddClosedPoAttachment(role, { isSubmitter }) gated
  by the flag; allowed roles are ACCOUNTS/MANAGER/SUPERUSER (plus the PO's
  own submitter regardless of role).
- uploadPoDocuments: a CLOSED PO is otherwise immutable, so it now enforces
  the permission server-side; the normal create/receipt flows upload while
  the PO is pre-CLOSED and are unaffected.
- po-detail.tsx: when allowed, the Attachments card renders an uploader
  (ClosedPoAttachmentUploader) and shows even when the PO has no docs yet.
- Enabled on staging (staging-up.sh) so the remediation can be exercised;
  documented in .env.example and CLAUDE.md.

Tests: closed-po-attachments.test.ts covers the flag-on role matrix (own
submitter / Accounts / Manager / SuperUser allowed; other submitter-role and
auditor refused; non-closed PO unaffected); po-document-upload.test.ts adds
the flag-off case (closed PO stays immutable). Full unit + integration suites
green; tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

36 lines
1.9 KiB
TypeScript

/**
 * Feature flags — read from environment variables.
 * NEXT_PUBLIC_ prefix makes them available in both server and client components.
 *
 * NEXT_PUBLIC_INVENTORY_ENABLED=false → hides inventory tracking (site qty/consumption)
 * Vendor list, product catalogue, and cart remain available for PO creation regardless.
 *
 * NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=true → lets submitters (TECHNICAL / MANNING)
 * read every PO (not just their own), open the History page, and use the export buttons.
 * Opt-in (off unless explicitly "true") because it widens read access. Submitters stay
 * read-only — it grants no approval, payment, or edit rights. See lib/permissions.ts
 * (canViewAllPos / submitterCanViewAll).
 *
 * NEXT_PUBLIC_CREWING_ENABLED=true → exposes the Crewing module (crew/ranks/requisitions
 * etc.). Opt-in (off unless explicitly "true") because the feature is built incrementally;
 * keeping it dark by default leaves production unchanged. See lib/permissions.ts (§6 matrix)
 * and wiki Crewing-Implementation-Spec.
 *
 * NEXT_PUBLIC_CLOSED_PO_ATTACHMENTS_ENABLED=true → lets a CLOSED PO's own submitter, plus
 * Accounts / Manager / SuperUser, add attachments to it. Remediation path for the upload
 * bug where documents never persisted (no PODocument row): closed POs whose files were lost
 * can be fixed without reopening them. Opt-in (off unless "true") so production is unchanged
 * until enabled. See lib/permissions.ts (canAddClosedPoAttachment).
 */

export const INVENTORY_ENABLED =
  process.env.NEXT_PUBLIC_INVENTORY_ENABLED !== "false";

export const SUBMITTER_VIEW_ALL_ENABLED =
  process.env.NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED === "true";

export const CREWING_ENABLED =
  process.env.NEXT_PUBLIC_CREWING_ENABLED === "true";

export const CLOSED_PO_ATTACHMENTS_ENABLED =
  process.env.NEXT_PUBLIC_CLOSED_PO_ATTACHMENTS_ENABLED === "true";
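
The server-side check the commit message describes for uploadPoDocuments, as an added TypeScript sketch that is not the project's code: a NEXT_PUBLIC_ flag is readable by the client, so hiding the uploader in po-detail.tsx is cosmetic and the upload handler has to evaluate flag, role and ownership itself. The names `mayAttachToClosedPo` and `authorizeUpload`, the `AUDITOR` role identifier, the non-CLOSED status values and the sample ids are assumptions.

```typescript
// Added sketch, not the project's code. ACCOUNTS/MANAGER/SUPERUSER/TECHNICAL/MANNING
// and CLOSED come from the page; AUDITOR, the other statuses and all function
// names here are assumptions.
type Role = "ACCOUNTS" | "MANAGER" | "SUPERUSER" | "TECHNICAL" | "MANNING" | "AUDITOR";
type PoStatus = "DRAFT" | "APPROVED" | "CLOSED";

interface Po { id: string; status: PoStatus; submitterId: string }
interface User { id: string; role: Role }

// Exhaustive map: adding a Role without classifying it here fails to compile,
// so a new role can never be allowed by omission.
const PRIVILEGED_ON_CLOSED: Record<Role, boolean> = {
  ACCOUNTS: true, MANAGER: true, SUPERUSER: true,
  TECHNICAL: false, MANNING: false, AUDITOR: false,
};

// Pure rule: the flag must be on, then a privileged role OR the PO's own submitter.
function mayAttachToClosedPo(role: Role, isSubmitter: boolean, flagOn: boolean): boolean {
  if (!flagOn) return false;
  return isSubmitter || PRIVILEGED_ON_CLOSED[role];
}

type Decision = { ok: true } | { ok: false; status: 403; reason: string };

// Guard to call in the upload handler before any file is stored.
// isSubmitter is derived from the stored PO row and the session user,
// never from a field the client sends.
function authorizeUpload(user: User, po: Po, flagOn: boolean): Decision {
  // Pre-CLOSED uploads follow the normal create/receipt rules (not modelled here).
  if (po.status !== "CLOSED") return { ok: true };
  const isSubmitter = po.submitterId === user.id;
  if (mayAttachToClosedPo(user.role, isSubmitter, flagOn)) return { ok: true };
  const reason = flagOn ? "role not permitted on closed PO" : "closed PO is immutable";
  return { ok: false, status: 403, reason };
}

// Constructed sample data for the role matrix.
const SAMPLE_CLOSED_PO: Po = { id: "po-1", status: "CLOSED", submitterId: "u-tech-1" };
const SAMPLE_USERS: User[] = [
  { id: "u-tech-1", role: "TECHNICAL" }, // the PO's own submitter
  { id: "u-tech-2", role: "TECHNICAL" }, // another submitter-role user
  { id: "u-acc", role: "ACCOUNTS" },
  { id: "u-aud", role: "AUDITOR" },
];

// Returns the ids allowed to attach to the sample closed PO for a given flag state.
function allowedIds(flagOn: boolean): string[] {
  return SAMPLE_USERS.filter(u => authorizeUpload(u, SAMPLE_CLOSED_PO, flagOn).ok).map(u => u.id);
}
```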