fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9)
R2-H6: webhook-delivery-log Replay column was rendered for any user
who could load the page; the route gates on admin.manage_webhooks.
Now the entire Replay column is hidden when the user lacks the perm.
R2-H7: Bulk Archive action was visible to sales_agent + viewer
(clients.delete:false). Now wrapped in canBulkArchive (clients.delete).
R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit:
false). Now wrapped in canBulkTag (clients.edit).
R2-H9: bulk-hard-delete silently dropped clients that became
unarchived between preflight and execute. The service now returns
{deletedCount, skipped[]} and the dialog stays open on partial
success showing the per-row reason table — operators can see exactly
which IDs were skipped and why.
R2-M9: bulk-archive-preflight catch block was leaking dossier-loader
error messages, letting an attacker enumerate "not found" vs "exists
in another port". Replaced with a generic 'Could not load dossier —
client may have been removed' blocker.
1175/1175 vitest passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -49,13 +49,17 @@ export const POST = withAuth(
|
||||
).length,
|
||||
},
|
||||
});
|
||||
} catch (err) {
|
||||
} catch {
|
||||
// Generic blocker text — never include the inner error so an
|
||||
// attacker can't distinguish "not found" from "in another port"
|
||||
// by enumerating UUIDs (audit R2-M9). The operator already
|
||||
// selected these IDs so they don't need to know the cause.
|
||||
items.push({
|
||||
clientId: id,
|
||||
fullName: '(unknown)',
|
||||
stakeLevel: 'low',
|
||||
highStakesStage: null,
|
||||
blockers: [err instanceof Error ? err.message : 'Failed to load dossier'],
|
||||
blockers: ['Could not load dossier — client may have been removed'],
|
||||
summary: { berths: 0, yachts: 0, reservations: 0, signedDocs: 0 },
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user