letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(permissions): carve out dedicated payments resource

Browse Source 
Payments (deposit / balance / refund records on an interest) used to
share `invoices.record_payment`, which forces a port that doesn't
issue invoices at all to still navigate the invoicing permission
group to grant its sales reps payment-recording rights. Splitting
the resource lets admins gate the two surfaces independently.

The new resource has three actions:
  - view   — gates the UI affordance (API reads still go through
             `interests.view`)
  - record — POST / PATCH a payment
  - delete — DELETE a payment record

Seed maps updated for all six system roles; existing role rows +
per-user permission overrides are backfilled by migration 0064 so
upgrades don't silently lose access. Two call sites (POST /interests/
[id]/payments, PATCH /payments/[id]) → payments.record; one
(DELETE /payments/[id]) → payments.delete. The PermissionGates on the
payments-section UI swap to the new keys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-14 03:46:01 +02:00
parent 6b28459c45
commit 905852b8a5
10 changed files with 64 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/app/api/v1/interests/[id]/payments/route.ts
View File

@@ -26,7 +26,7 @@ export const GET = withAuth(
);
export const POST = withAuth(
withPermission('invoices', 'record_payment', async (req, ctx, params) => {
withPermission('payments', 'record', async (req, ctx, params) => {
try {
// Body's interestId must match the URL param — defense-in-depth against
// a client that sends one ID in the URL but another in the body.

4
src/app/api/v1/payments/[id]/route.ts
View File

@@ -7,7 +7,7 @@ import { updatePaymentSchema } from '@/lib/validators/payments';
import { deletePayment, updatePayment } from '@/lib/services/payments.service';
export const PATCH = withAuth(
withPermission('invoices', 'record_payment', async (req, ctx, params) => {
withPermission('payments', 'record', async (req, ctx, params) => {
try {
const body = await parseBody(req, updatePaymentSchema);
const payment = await updatePayment(params.id!, ctx.portId, body, {
@@ -24,7 +24,7 @@ export const PATCH = withAuth(
);
export const DELETE = withAuth(
withPermission('invoices', 'record_payment', async (_req, ctx, params) => {
withPermission('payments', 'delete', async (_req, ctx, params) => {
try {
await deletePayment(params.id!, ctx.portId, {
userId: ctx.userId,