Fix 5 validator blockers in groups/users admin work
1. apps.ts getVisibleAppsForUser: use getEffectiveRoleIds() so admin
gate honors group_roles inheritance (was direct user_roles only —
security bypass for group-only admins). Exported helper from
middlewares/auth.ts.
2. POST /users: switch from RegisterBody to new CreateUserBody schema
that accepts optional groupIds[]. Validates ids exist; user creation
+ auto-Everyone + requested groups happen in single transaction.
OpenAPI spec extended; api-zod and api-client-react regenerated.
3. DELETE /users/🆔 400 if req.session.userId === target (no
self-delete).
4. scripts/src/seed.ts: removed `void inArray;` AI-slop and dropped
unused inArray import.
5. Locales (ar.json + en.json): added admin.users.col.displayNameAr,
displayNameEn, language and admin.groups.searchPlaceholder.
Typecheck clean. groups-crud + service-orders + users tests pass.
Pre-existing admin-app-opens-pagination flake unrelated.
Architect re-review: PASS.
This commit is contained in:
@@ -15,7 +15,7 @@ import { eq, and, inArray, or } from "drizzle-orm";
|
||||
* Effective roles for a user = direct user_roles ∪ roles attached to any of
|
||||
* the user's groups via group_roles. Returns distinct role names.
|
||||
*/
|
||||
async function getEffectiveRoleIds(userId: number): Promise<number[]> {
|
||||
export async function getEffectiveRoleIds(userId: number): Promise<number[]> {
|
||||
const rows = await db
|
||||
.select({ roleId: rolesTable.id })
|
||||
.from(rolesTable)
|
||||
|
||||
Reference in New Issue
Block a user