From 905852b8a57cc1d629880047f4d62f2ecbd225f3 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Thu, 14 May 2026 03:46:01 +0200
Subject: [PATCH] feat(permissions): carve out dedicated `payments` resource
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Payments (deposit / balance / refund records on an interest) used to
share `invoices.record_payment`, which forces a port that doesn't
issue invoices at all to still navigate the invoicing permission
group to grant its sales reps payment-recording rights. Splitting
the resource lets admins gate the two surfaces independently.

The new resource has three actions:
  - view   — gates the UI affordance (API reads still go through
             `interests.view`)
  - record — POST / PATCH a payment
  - delete — DELETE a payment record

Seed maps updated for all six system roles; existing role rows +
per-user permission overrides are backfilled by migration 0064 so
upgrades don't silently lose access. Two call sites (POST /interests/
[id]/payments, PATCH /payments/[id]) → payments.record; one
(DELETE /payments/[id]) → payments.delete. The PermissionGates on the
payments-section UI swap to the new keys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../api/v1/interests/[id]/payments/route.ts   |  2 +-
 src/app/api/v1/payments/[id]/route.ts         |  4 +--
 src/components/admin/roles/role-form.tsx      |  2 ++
 .../admin/users/user-permission-matrix.tsx    |  2 ++
 src/components/interests/payments-section.tsx |  4 +--
 .../migrations/0064_payments_permission.sql   | 32 +++++++++++++++++++
 src/lib/db/schema/users.ts                    | 12 +++++++
 src/lib/db/seed-permissions.ts                |  6 ++++
 src/lib/validators/roles.ts                   |  1 +
 tests/helpers/factories.ts                    |  4 +++
 10 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 src/lib/db/migrations/0064_payments_permission.sql

diff --git a/src/app/api/v1/interests/[id]/payments/route.ts b/src/app/api/v1/interests/[id]/payments/route.ts
index c1a00d09..c7c997c7 100644
--- a/src/app/api/v1/interests/[id]/payments/route.ts
+++ b/src/app/api/v1/interests/[id]/payments/route.ts
@@ -26,7 +26,7 @@ export const GET = withAuth(
 );
 
 export const POST = withAuth(
-  withPermission('invoices', 'record_payment', async (req, ctx, params) => {
+  withPermission('payments', 'record', async (req, ctx, params) => {
     try {
       // Body's interestId must match the URL param — defense-in-depth against
       // a client that sends one ID in the URL but another in the body.
diff --git a/src/app/api/v1/payments/[id]/route.ts b/src/app/api/v1/payments/[id]/route.ts
index 1da09aa8..a82eede7 100644
--- a/src/app/api/v1/payments/[id]/route.ts
+++ b/src/app/api/v1/payments/[id]/route.ts
@@ -7,7 +7,7 @@ import { updatePaymentSchema } from '@/lib/validators/payments';
 import { deletePayment, updatePayment } from '@/lib/services/payments.service';
 
 export const PATCH = withAuth(
-  withPermission('invoices', 'record_payment', async (req, ctx, params) => {
+  withPermission('payments', 'record', async (req, ctx, params) => {
     try {
       const body = await parseBody(req, updatePaymentSchema);
       const payment = await updatePayment(params.id!, ctx.portId, body, {
@@ -24,7 +24,7 @@ export const PATCH = withAuth(
 );
 
 export const DELETE = withAuth(
-  withPermission('invoices', 'record_payment', async (_req, ctx, params) => {
+  withPermission('payments', 'delete', async (_req, ctx, params) => {
     try {
       await deletePayment(params.id!, ctx.portId, {
         userId: ctx.userId,
diff --git a/src/components/admin/roles/role-form.tsx b/src/components/admin/roles/role-form.tsx
index b6560511..7cf0f254 100644
--- a/src/components/admin/roles/role-form.tsx
+++ b/src/components/admin/roles/role-form.tsx
@@ -59,6 +59,7 @@ const DEFAULT_PERMISSIONS: Record<string, Record<string, boolean>> = {
     record_payment: false,
     export: false,
   },
+  payments: { view: false, record: false, delete: false },
   files: { view: false, upload: false, edit: false, delete: false, manage_folders: false },
   email: { view: false, send: false, configure_account: false },
   reminders: {
@@ -105,6 +106,7 @@ const GROUP_LABELS: Record<string, string> = {
   documents: 'Documents',
   expenses: 'Expenses',
   invoices: 'Invoices',
+  payments: 'Payments',
   files: 'Files',
   email: 'Email',
   reminders: 'Reminders',
diff --git a/src/components/admin/users/user-permission-matrix.tsx b/src/components/admin/users/user-permission-matrix.tsx
index 70bfbcb0..3e481bcc 100644
--- a/src/components/admin/users/user-permission-matrix.tsx
+++ b/src/components/admin/users/user-permission-matrix.tsx
@@ -36,6 +36,7 @@ const GROUP_LABELS: Record<string, string> = {
   documents: 'Documents',
   expenses: 'Expenses',
   invoices: 'Invoices',
+  payments: 'Payments',
   files: 'Files',
   email: 'Email',
   reminders: 'Reminders',
@@ -78,6 +79,7 @@ const PERMISSION_LEAVES: Record<string, string[]> = {
   ],
   expenses: ['view', 'create', 'edit', 'delete', 'export', 'scan_receipt'],
   invoices: ['view', 'create', 'edit', 'delete', 'send', 'record_payment', 'export'],
+  payments: ['view', 'record', 'delete'],
   files: ['view', 'upload', 'edit', 'delete', 'manage_folders'],
   email: ['view', 'send', 'configure_account'],
   reminders: ['view_own', 'view_all', 'create', 'edit_own', 'edit_all', 'assign_others'],
diff --git a/src/components/interests/payments-section.tsx b/src/components/interests/payments-section.tsx
index 8fbbf9bb..2bd12504 100644
--- a/src/components/interests/payments-section.tsx
+++ b/src/components/interests/payments-section.tsx
@@ -128,7 +128,7 @@ export function PaymentsSection({
             that.
           </p>
         </div>
-        <PermissionGate resource="invoices" action="record_payment">
+        <PermissionGate resource="payments" action="record">
           <Button size="sm" className="h-8 px-3 text-xs" onClick={() => setRecordOpen(true)}>
             <Plus className="size-3.5" aria-hidden />
             Record payment
@@ -184,7 +184,7 @@ export function PaymentsSection({
                   <Receipt className="size-3 text-emerald-600" aria-hidden />
                 ) : null}
               </div>
-              <PermissionGate resource="invoices" action="record_payment">
+              <PermissionGate resource="payments" action="delete">
                 <button
                   type="button"
                   aria-label="Delete payment record"
diff --git a/src/lib/db/migrations/0064_payments_permission.sql b/src/lib/db/migrations/0064_payments_permission.sql
new file mode 100644
index 00000000..ec3b574d
--- /dev/null
+++ b/src/lib/db/migrations/0064_payments_permission.sql
@@ -0,0 +1,32 @@
+-- 0064_payments_permission.sql
+-- ----------------------------------------------------------------------------
+-- Carve out a dedicated `payments` resource from `invoices.record_payment`.
+-- Existing role rows + per-user permission overrides are backfilled so the
+-- new resource defaults to whatever record_payment was, preventing silent
+-- access loss when the call sites switch over.
+
+UPDATE roles
+SET permissions = permissions || jsonb_build_object(
+  'payments', jsonb_build_object(
+    'view',   COALESCE((permissions->'invoices'->>'view')::boolean,            false),
+    'record', COALESCE((permissions->'invoices'->>'record_payment')::boolean,  false),
+    'delete', COALESCE((permissions->'invoices'->>'record_payment')::boolean,  false)
+  )
+)
+WHERE permissions IS NOT NULL
+  AND NOT (permissions ? 'payments');
+
+-- Per-user overrides store a Partial<RolePermissions> as JSONB. Mirror an
+-- explicit invoices.record_payment leaf into payments.{record, delete} so
+-- "Alice can record payments even though her role can't" survives the
+-- carve-out.
+UPDATE user_permission_overrides
+SET permission_overrides = permission_overrides || jsonb_build_object(
+  'payments', jsonb_build_object(
+    'record', (permission_overrides->'invoices'->>'record_payment')::boolean,
+    'delete', (permission_overrides->'invoices'->>'record_payment')::boolean
+  )
+)
+WHERE permission_overrides ? 'invoices'
+  AND (permission_overrides->'invoices') ? 'record_payment'
+  AND NOT (permission_overrides ? 'payments');
diff --git a/src/lib/db/schema/users.ts b/src/lib/db/schema/users.ts
index ab86cb68..31b93fbd 100644
--- a/src/lib/db/schema/users.ts
+++ b/src/lib/db/schema/users.ts
@@ -58,6 +58,18 @@ export type RolePermissions = {
     record_payment: boolean;
     export: boolean;
   };
+  /**
+   * Standalone payments resource (deposit / balance / refund records on
+   * an interest). Carved out from `invoices.record_payment` so a port
+   * that does not use the invoicing module at all can still grant
+   * payment-recording rights to sales reps. `view` follows interests.view
+   * at the route level — this gate only governs the UI affordance.
+   */
+  payments: {
+    view: boolean;
+    record: boolean;
+    delete: boolean;
+  };
   files: {
     view: boolean;
     upload: boolean;
diff --git a/src/lib/db/seed-permissions.ts b/src/lib/db/seed-permissions.ts
index ff44e1eb..cb72335a 100644
--- a/src/lib/db/seed-permissions.ts
+++ b/src/lib/db/seed-permissions.ts
@@ -50,6 +50,7 @@ export const ALL_PERMISSIONS: RolePermissions = {
     record_payment: true,
     export: true,
   },
+  payments: { view: true, record: true, delete: true },
   files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
   email: { view: true, send: true, configure_account: true },
   reminders: {
@@ -128,6 +129,7 @@ export const DIRECTOR_PERMISSIONS: RolePermissions = {
     record_payment: true,
     export: true,
   },
+  payments: { view: true, record: true, delete: true },
   files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
   email: { view: true, send: true, configure_account: true },
   reminders: {
@@ -206,6 +208,7 @@ export const SALES_MANAGER_PERMISSIONS: RolePermissions = {
     record_payment: true,
     export: true,
   },
+  payments: { view: true, record: true, delete: true },
   files: { view: true, upload: true, edit: true, delete: false, manage_folders: true },
   email: { view: true, send: true, configure_account: true },
   reminders: {
@@ -284,6 +287,7 @@ export const SALES_AGENT_PERMISSIONS: RolePermissions = {
     record_payment: true,
     export: true,
   },
+  payments: { view: true, record: true, delete: true },
   files: { view: true, upload: true, edit: false, delete: false, manage_folders: false },
   email: { view: true, send: true, configure_account: true },
   reminders: {
@@ -362,6 +366,7 @@ export const VIEWER_PERMISSIONS: RolePermissions = {
     record_payment: false,
     export: false,
   },
+  payments: { view: true, record: false, delete: false },
   files: { view: true, upload: false, edit: false, delete: false, manage_folders: false },
   email: { view: true, send: false, configure_account: false },
   reminders: {
@@ -443,6 +448,7 @@ export const RESIDENTIAL_PARTNER_PERMISSIONS: RolePermissions = {
     record_payment: false,
     export: false,
   },
+  payments: { view: false, record: false, delete: false },
   files: { view: false, upload: false, edit: false, delete: false, manage_folders: false },
   email: { view: false, send: false, configure_account: false },
   reminders: {
diff --git a/src/lib/validators/roles.ts b/src/lib/validators/roles.ts
index 560a8447..1196a2f6 100644
--- a/src/lib/validators/roles.ts
+++ b/src/lib/validators/roles.ts
@@ -9,6 +9,7 @@ const rolePermissionsSchema = z.object({
   documents: permissionGroupSchema,
   expenses: permissionGroupSchema,
   invoices: permissionGroupSchema,
+  payments: permissionGroupSchema,
   files: permissionGroupSchema,
   email: permissionGroupSchema,
   reminders: permissionGroupSchema,
diff --git a/tests/helpers/factories.ts b/tests/helpers/factories.ts
index e8095f37..bb88a3ce 100644
--- a/tests/helpers/factories.ts
+++ b/tests/helpers/factories.ts
@@ -340,6 +340,7 @@ export function makeFullPermissions(): RolePermissions {
       record_payment: true,
       export: true,
     },
+    payments: { view: true, record: true, delete: true },
     files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
     email: { view: true, send: true, configure_account: true },
     reminders: {
@@ -421,6 +422,7 @@ export function makeViewerPermissions(): RolePermissions {
       record_payment: false,
       export: false,
     },
+    payments: { view: false, record: false, delete: false },
     files: { view: true, upload: false, edit: false, delete: false, manage_folders: false },
     email: { view: true, send: false, configure_account: false },
     reminders: {
@@ -502,6 +504,7 @@ export function makeSalesAgentPermissions(): RolePermissions {
       record_payment: false,
       export: false,
     },
+    payments: { view: false, record: false, delete: false },
     files: { view: true, upload: true, edit: false, delete: false, manage_folders: false },
     email: { view: true, send: true, configure_account: false },
     reminders: {
@@ -583,6 +586,7 @@ export function makeSalesManagerPermissions(): RolePermissions {
       record_payment: true,
       export: true,
     },
+    payments: { view: true, record: true, delete: true },
     files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
     email: { view: true, send: true, configure_account: false },
     reminders: {