shad0w/pelagia-portal
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases 2 Packages Wiki Activity Actions
pelagia-portal/App/lib/permissions.ts
Hardik 5aae45299b
All checks were successful
PR checks / checks (pull_request) Successful in 42s
Details
PR checks / integration (pull_request) Successful in 30s
Details
feat(po): admin-managed delivery locations + Place of Delivery dropdown (#19) 
Replaces the free-text "Place of Delivery" with a dropdown sourced from a new
admin-managed Delivery Locations list (each = a Company FK + free-text address).

- schema + migration: new DeliveryLocation model (companyId, address, isActive).
- permission: manage_delivery_locations granted to Manager + SuperUser + Admin
  (Manager-accessible, not admin-only, per the issue).
- admin screen /admin/delivery-locations: table + Add/Edit dialogs +
  activate/deactivate + delete (mirrors /admin/sites); sidebar link under
  Administration for Manager/SuperUser/Admin.
- PO forms (new / edit / manager-edit): shared <DeliveryLocationField> native
  select populated from active locations, formatted "Company — address".
- PurchaseOrder.placeOfDelivery stays a free-text SNAPSHOT (no FK) — the dropdown
  only changes how the value is picked, so export/import/historical POs are
  unchanged, and an edit preserves a current value not in the list as a
  "(current)" option. Deleting a location is therefore always safe.
- tests: delivery-location CRUD + permission guard (6).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 02:08:59 +05:30

243 lines
6.6 KiB
TypeScript
Raw Blame History

import type { Role } from "@prisma/client";
export type Permission =
| "create_po"
| "submit_po"
| "edit_own_draft_po"
| "view_own_pos"
| "view_all_pos"
| "approve_po"
| "reject_po"
| "cancel_po"
| "request_edits"
| "request_vendor_id"
| "process_payment"
| "confirm_receipt"
| "view_analytics"
| "export_reports"
| "manage_users"
| "manage_vendors"
| "create_vendor"
| "manage_vessels_accounts"
| "manage_products"
| "manage_sites"
| "manage_delivery_locations"
// ── Crewing (feature-flagged) — mirrors Crewing-Implementation-Spec §6 ──────
| "raise_requisition"
| "request_relief_cover"
| "convert_relief_to_requisition"
| "cancel_requisition"
| "view_requisitions"
| "manage_candidates"
| "record_reference_check"
| "record_interview_result"
| "request_interview_waiver"
| "approve_interview_waiver"
| "approve_salary_structure"
| "select_candidate"
| "onboard_crew"
| "sign_off_crew"
| "view_crew_records"
| "upload_crew_records"
| "issue_ppe"
| "apply_leave"
| "decide_leave"
| "record_attendance"
| "view_attendance"
| "verify_site_records"
| "verify_bank_epf"
| "raise_appraisal"
| "verify_appraisal"
| "approve_appraisal"
| "generate_wage_report"
| "approve_wage_report"
| "view_wage_report"
| "manage_ranks"
// Office/admin crew management — direct placement (no requisition), crew CRUD,
// and per-vessel rank-strength config. Held by Manager + Admin (+ SuperUser).
| "manage_crew";
// Purchasing / admin permissions (the original PPMS matrix). SITE_STAFF is a
// crewing-only role and holds no purchasing permissions.
const PO_ROLE_PERMISSIONS: Record<Role, Permission[]> = {
TECHNICAL: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt", "create_vendor"],
MANNING: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt", "create_vendor"],
ACCOUNTS: ["view_all_pos", "process_payment", "manage_vendors", "create_vendor"],
MANAGER: [
"create_po",
"submit_po",
"edit_own_draft_po",
"view_own_pos",
"view_all_pos",
"approve_po",
"reject_po",
"cancel_po",
"request_edits",
"request_vendor_id",
"view_analytics",
"export_reports",
"manage_vendors",
"create_vendor",
"manage_vessels_accounts",
"manage_products",
"manage_sites",
"manage_delivery_locations",
"confirm_receipt",
"process_payment"
],
SUPERUSER: [
"create_po",
"submit_po",
"edit_own_draft_po",
"view_own_pos",
"view_all_pos",
"approve_po",
"reject_po",
"cancel_po",
"request_edits",
"request_vendor_id",
"process_payment",
"confirm_receipt",
"view_analytics",
"export_reports",
"create_vendor",
"manage_delivery_locations",
],
AUDITOR: ["view_own_pos", "view_all_pos", "view_analytics", "export_reports"],
ADMIN: [
"view_own_pos",
"view_all_pos",
"view_analytics",
"export_reports",
"manage_users",
"manage_vendors",
"create_vendor",
"manage_vessels_accounts",
"manage_products",
"manage_sites",
"manage_delivery_locations",
],
SITE_STAFF: [],
};
// Crewing permissions — a verbatim transcription of the §6 grant matrix in
// wiki Crewing-Implementation-Spec. Gating these is harmless until the screens
// land (the module is behind NEXT_PUBLIC_CREWING_ENABLED). Notes from the spec:
// MPO (MANNING) has NO attendance/leave; decide_leave/approve_* and selection are
// Manager-only; manage_ranks is Manager + Admin (not SuperUser).
const CREWING_ROLE_PERMISSIONS: Record<Role, Permission[]> = {
TECHNICAL: [],
SITE_STAFF: [
"request_relief_cover",
"sign_off_crew",
"view_crew_records",
"upload_crew_records",
"issue_ppe",
"apply_leave",
"record_attendance",
"view_attendance",
"raise_appraisal",
],
MANNING: [
"raise_requisition",
"convert_relief_to_requisition",
"cancel_requisition",
"view_requisitions",
"manage_candidates",
"record_reference_check",
"record_interview_result",
"request_interview_waiver",
"onboard_crew",
"sign_off_crew",
"view_crew_records",
"upload_crew_records",
"issue_ppe",
"verify_site_records",
"verify_appraisal",
],
ACCOUNTS: ["view_crew_records", "verify_bank_epf", "view_wage_report"],
MANAGER: [
"raise_requisition",
"convert_relief_to_requisition",
"cancel_requisition",
"view_requisitions",
"manage_candidates",
"record_reference_check",
"record_interview_result",
"approve_interview_waiver",
"approve_salary_structure",
"select_candidate",
"onboard_crew",
"sign_off_crew",
"view_crew_records",
"upload_crew_records",
"issue_ppe",
"apply_leave",
"decide_leave",
"view_attendance",
"verify_site_records",
"raise_appraisal",
"verify_appraisal",
"approve_appraisal",
"generate_wage_report",
"approve_wage_report",
"view_wage_report",
"manage_ranks",
"manage_crew",
],
SUPERUSER: [
"raise_requisition",
"request_relief_cover",
"convert_relief_to_requisition",
"cancel_requisition",
"view_requisitions",
"manage_candidates",
"record_reference_check",
"record_interview_result",
"request_interview_waiver",
"approve_interview_waiver",
"approve_salary_structure",
"select_candidate",
"onboard_crew",
"sign_off_crew",
"view_crew_records",
"upload_crew_records",
"issue_ppe",
"apply_leave",
"decide_leave",
"record_attendance",
"view_attendance",
"verify_site_records",
"verify_bank_epf",
"raise_appraisal",
"verify_appraisal",
"approve_appraisal",
"generate_wage_report",
"approve_wage_report",
"view_wage_report",
"manage_crew",
],
AUDITOR: ["view_requisitions", "view_crew_records", "view_attendance", "view_wage_report"],
ADMIN: ["view_requisitions", "view_crew_records", "view_wage_report", "manage_ranks", "manage_crew"],
};
const ROLE_PERMISSIONS: Record<Role, Permission[]> = Object.fromEntries(
(Object.keys(PO_ROLE_PERMISSIONS) as Role[]).map((role) => [
role,
[...PO_ROLE_PERMISSIONS[role], ...CREWING_ROLE_PERMISSIONS[role]],
])
) as Record<Role, Permission[]>;
export function hasPermission(role: Role, permission: Permission): boolean {
return ROLE_PERMISSIONS[role]?.includes(permission) ?? false;
}
export function requirePermission(role: Role, permission: Permission): void {
if (!hasPermission(role, permission)) {
throw new Error(`Forbidden: role ${role} lacks permission ${permission}`);
}
}
export function getPermissions(role: Role): Permission[] {
return ROLE_PERMISSIONS[role] ?? [];
}
Reference in a new issue View git blame Copy permalink