shad0w/pelagia-portal
1
0
Fork 0
Code Issues 12 Pull requests Projects Releases 2 Packages Wiki Activity Actions
pelagia-portal/App/lib/permissions.ts
Hardik eb402e03ef fix(profile+vendors): profile reachable for all roles incl SSO; submitter vendor creation 
Profile (fixes Safari/SSO no-password redirect):
- User lookup falls back to email when JWT id is stale (SSO users)
- generateDownloadUrl wrapped in try/catch so storage never crashes the page
- Signature gate now uses approve_po permission (approvers only)
- SSO/no-password users see a Set Password form (current-password field hidden)

Vendors:
- New create_vendor permission for all PO roles incl. submitters
- Submitters create UNVERIFIED vendors (no Vendor ID); simple form mode
- verifyVendor action + Verify menu item (manage_vendors)
- Vendors auto-verify when a PO closes with them (receipt confirm + import)
- Add Vendor button on /inventory/vendors

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 18:53:33 +05:30

89 lines
2.2 KiB
TypeScript
Raw Blame History

import type { Role } from "@prisma/client";
export type Permission =
| "create_po"
| "submit_po"
| "edit_own_draft_po"
| "view_own_pos"
| "view_all_pos"
| "approve_po"
| "reject_po"
| "request_edits"
| "request_vendor_id"
| "process_payment"
| "confirm_receipt"
| "view_analytics"
| "export_reports"
| "manage_users"
| "manage_vendors"
| "create_vendor"
| "manage_vessels_accounts"
| "manage_products"
| "manage_sites";
const ROLE_PERMISSIONS: Record<Role, Permission[]> = {
TECHNICAL: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt", "create_vendor"],
MANNING: ["create_po", "submit_po", "edit_own_draft_po", "view_own_pos", "confirm_receipt", "create_vendor"],
ACCOUNTS: ["view_all_pos", "process_payment", "manage_vendors", "create_vendor"],
MANAGER: [
"create_po",
"submit_po",
"edit_own_draft_po",
"view_own_pos",
"view_all_pos",
"approve_po",
"reject_po",
"request_edits",
"request_vendor_id",
"view_analytics",
"export_reports",
"manage_vendors",
"create_vendor",
"manage_vessels_accounts",
"manage_products",
"manage_sites",
],
SUPERUSER: [
"create_po",
"submit_po",
"edit_own_draft_po",
"view_own_pos",
"view_all_pos",
"approve_po",
"reject_po",
"request_edits",
"request_vendor_id",
"process_payment",
"confirm_receipt",
"view_analytics",
"export_reports",
"create_vendor",
],
AUDITOR: ["view_own_pos", "view_all_pos", "view_analytics", "export_reports"],
ADMIN: [
"view_own_pos",
"view_all_pos",
"view_analytics",
"export_reports",
"manage_users",
"manage_vendors",
"create_vendor",
"manage_vessels_accounts",
"manage_products",
"manage_sites",
],
};
export function hasPermission(role: Role, permission: Permission): boolean {
return ROLE_PERMISSIONS[role]?.includes(permission) ?? false;
}
export function requirePermission(role: Role, permission: Permission): void {
if (!hasPermission(role, permission)) {
throw new Error(`Forbidden: role ${role} lacks permission ${permission}`);
}
}
export function getPermissions(role: Role): Permission[] {
return ROLE_PERMISSIONS[role] ?? [];
}
Reference in a new issue View git blame Copy permalink