Fix 5 validator blockers in groups/users admin work

1. apps.ts getVisibleAppsForUser: use getEffectiveRoleIds() so admin
   gate honors group_roles inheritance (was direct user_roles only —
   security bypass for group-only admins). Exported helper from
   middlewares/auth.ts.

2. POST /users: switch from RegisterBody to new CreateUserBody schema
   that accepts optional groupIds[]. Validates ids exist; user creation
   + auto-Everyone + requested groups happen in single transaction.
   OpenAPI spec extended; api-zod and api-client-react regenerated.

3. DELETE /users/🆔 400 if req.session.userId === target (no
   self-delete).

4. scripts/src/seed.ts: removed `void inArray;` AI-slop and dropped
   unused inArray import.

5. Locales (ar.json + en.json): added admin.users.col.displayNameAr,
   displayNameEn, language and admin.groups.searchPlaceholder.

Typecheck clean. groups-crud + service-orders + users tests pass.
Pre-existing admin-app-opens-pagination flake unrelated.
Architect re-review: PASS.
This commit is contained in:
riyadhafraa
2026-04-22 08:47:35 +00:00
parent bf0768948e
commit 4595e792e4
10 changed files with 136 additions and 48 deletions
+1 -1
View File
@@ -15,7 +15,7 @@ import { eq, and, inArray, or } from "drizzle-orm";
* Effective roles for a user = direct user_roles roles attached to any of
* the user's groups via group_roles. Returns distinct role names.
*/
async function getEffectiveRoleIds(userId: number): Promise<number[]> {
export async function getEffectiveRoleIds(userId: number): Promise<number[]> {
const rows = await db
.select({ roleId: rolesTable.id })
.from(rolesTable)