feat(auth): block protected account deletion in auth endpoints
This commit is contained in:
3
TODO.md
3
TODO.md
@@ -115,7 +115,7 @@ This file is the single source of truth for roadmap and delivery progress.
|
||||
- [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability)
|
||||
- [ ] [P1] Users management (invite, roles, status)
|
||||
- [ ] [P1] Disable/ban user function and enforcement in auth/session checks
|
||||
- [ ] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
|
||||
- [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
|
||||
- [ ] [P1] Commissions management (request intake, owner, due date, notes)
|
||||
- [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
|
||||
- [ ] [P1] Header banner management (message, CTA, active window)
|
||||
@@ -191,6 +191,7 @@ This file is the single source of truth for roadmap and delivery progress.
|
||||
- [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`.
|
||||
- [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
|
||||
- [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
|
||||
- [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
|
||||
|
||||
## How We Use This File
|
||||
|
||||
|
||||
Reference in New Issue
Block a user