feat(permissions): carve out dedicated payments resource

Payments (deposit / balance / refund records on an interest) used to
share `invoices.record_payment`, which forces a port that doesn't
issue invoices at all to still navigate the invoicing permission
group to grant its sales reps payment-recording rights. Splitting
the resource lets admins gate the two surfaces independently.

The new resource has three actions:

- view — gates the UI affordance (API reads still go through
  `interests.view`)
- record — POST / PATCH a payment
- delete — DELETE a payment record

Seed maps updated for all six system roles; existing role rows +
per-user permission overrides are backfilled by migration 0064 so
upgrades don't silently lose access. Two call sites (POST /interests/
[id]/payments, PATCH /payments/[id]) → payments.record; one
(DELETE /payments/[id]) → payments.delete. The PermissionGates on the
payments-section UI swap to the new keys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -50,6 +50,7 @@ export const ALL_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
payments: { view: true, record: true, delete: true },
|
||||
files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
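Review bot: the context line `record_payment: true,` just above the new `payments` entry shows the old flag is still part of the role map after this split. The commit message moves all three payment call sites to `payments.record` / `payments.delete`, so if nothing else still checks the old flag it becomes a permission admins can toggle that gates nothing, and an admin who revokes it may believe payment recording is disabled. Either drop it from the type and seed maps in this change (with the migration clearing stored values), or add a comment here stating what it still gates.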
@@ -128,6 +129,7 @@ export const DIRECTOR_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
payments: { view: true, record: true, delete: true },
|
||||
files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
@@ -206,6 +208,7 @@ export const SALES_MANAGER_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
payments: { view: true, record: true, delete: true },
|
||||
files: { view: true, upload: true, edit: true, delete: false, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
@@ -284,6 +287,7 @@ export const SALES_AGENT_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
payments: { view: true, record: true, delete: true },
|
||||
files: { view: true, upload: true, edit: false, delete: false, manage_folders: false },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
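Review bot: `delete: true` on the new `payments` line for SALES_AGENT lets the more restricted of the two sales roles shown remove payment records, while the `files` line directly below keeps `edit` and `delete` at false for the same role. Since the stated purpose of the split is to gate these actions independently, consider seeding `payments: { view: true, record: true, delete: false }` for this role on new installs and letting the 0064 backfill preserve delete only where `record_payment` was already held. If the grant is intentional, a one-line comment saying it preserves prior behaviour would help.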
@@ -362,6 +366,7 @@ export const VIEWER_PERMISSIONS: RolePermissions = {
|
||||
record_payment: false,
|
||||
export: false,
|
||||
},
|
||||
payments: { view: true, record: false, delete: false },
|
||||
files: { view: true, upload: false, edit: false, delete: false, manage_folders: false },
|
||||
email: { view: true, send: false, configure_account: false },
|
||||
reminders: {
|
||||
@@ -443,6 +448,7 @@ export const RESIDENTIAL_PARTNER_PERMISSIONS: RolePermissions = {
|
||||
record_payment: false,
|
||||
export: false,
|
||||
},
|
||||
payments: { view: false, record: false, delete: false },
|
||||
files: { view: false, upload: false, edit: false, delete: false, manage_folders: false },
|
||||
email: { view: false, send: false, configure_account: false },
|
||||
reminders: {
|
||||
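Review bot: `view: false` in the new `payments` line for RESIDENTIAL_PARTNER only hides the UI section; per the commit message API reads still go through `interests.view`, so this flag does not by itself stop the role from reading payment data. This hunk does not show the role's `interests.view` value, so please confirm it is false here, and either enforce `payments.view` on the read endpoints or document on the type that `view` is a UI-only flag.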