letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

audit: Tier 2/3/4 batch — reports math, portal copy, authz escalation guard

Browse Source 
Tier 2.2: revenue PDF totalCompleted now filters on outcome='won' —
setInterestOutcome forces stage='completed' for every outcome (incl.
lost + cancelled), so the stage-only filter was including those toward
"TOTAL COMPLETED REVENUE".

Tier 2.3: fetchPipelineData stageCounts adds the missing .groupBy() —
without it Postgres rejects the SELECT (per-stage breakdown was broken
or coercing to ELSE-stage row).

Tier 2.4: hot-deals widget rank ladder fixed two stage-name typos —
'in_comms' → 'in_communication', 'deposit_10' → 'deposit_10pct'. Both
stages were collapsing to the ELSE 0 branch server-side AND rendering
raw enum to the user in hot-deals-card.tsx.

Tier 3.2: portal /portal/interests no longer renders raw enum to
clients. New PORTAL_SIGNING_LABELS table maps every EOI/contract
status to plain English (e.g. "waiting_for_signatures" → "Waiting for
signatures").

Tier 4.1 (CRITICAL): permission-overrides PUT now requires caller-
superset on every `true` write. Admins with only `admin.manage_users`
could previously grant other users leaves they don't hold themselves
(permanently_delete_clients, system_backup). Super-admins bypass.

Tier 4.4: search graph-expansion re-gates every merged bucket by the
destination's view permission. A user with berths.view but no
interests.view searching "A12" no longer sees interest rows surfaced
via expansion.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-12 17:13:04 +02:00
parent 16ef609e1b
commit 50f48a8b6a
8 changed files with 116 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/components/dashboard/hot-deals-card.tsx
View File

@@ -23,13 +23,17 @@ interface HotDealsResponse {
data: HotDeal[];
}
// Local label map intentionally narrowed to the stages this widget
// surfaces. Keys MUST match the canonical DB values (deposit_10pct +
// in_communication) — the reporting audit caught typos that broke the
// rank ladder server-side AND rendered raw enum to the user.
const STAGE_LABELS: Record<string, string> = {
contract_signed: 'Contract Signed',
contract_sent: 'Contract Sent',
deposit_10: 'Deposit 10%',
deposit_10pct: 'Deposit 10%',
eoi_signed: 'EOI Signed',
eoi_sent: 'EOI Sent',
in_comms: 'In Comms',
in_communication: 'In Comms',
details_sent: 'Details Sent',
open: 'Open',
completed: 'Completed',