feat(rbac): enforce admin access checks and document permission model
TODO.md (24)
@@ -18,9 +18,14 @@ This file is the single source of truth for roadmap and delivery progress.

### MVP1 Gate: Mandatory Before Feature Work

- [ ] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
- [ ] [P1] RBAC enforcement at route and action level in admin
- [ ] [P1] Permission matrix documented and tested
- [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
- [x] [P1] RBAC enforcement at route and action level in admin
- [x] [P1] Permission matrix documented and tested
- [ ] [P1] Integrate Better Auth core configuration and session wiring
- [ ] [P1] Bootstrap first-run owner account creation when users table is empty
- [ ] [P1] Enforce invariant: exactly one owner user must always exist
- [ ] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [ ] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
- [ ] [P1] Shared error and audit hooks for CRUD mutations
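Review bot: the three gate items flipped to [x] here outrun the work they depend on: "RBAC enforcement at route and action level in admin" is checked while "Integrate Better Auth core configuration and session wiring" is added as [ ] in the same hunk, and "Permission matrix documented and tested" is checked while no test item anywhere in this file is checked. Route-level enforcement cannot be complete before the session it authorizes exists; keep these at [~] until the session wiring lands and the regression suite passes, or split "documented" from "tested". On the new "Create hidden technical support user by default (non-demotable, non-deletable)" line: a hidden, undeletable account with admin reach is a standing credential risk, so the item should state how that account authenticates (no shared static password), that its logins are audited, and that it remains visible to the owner even if hidden from other roles.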
@@ -31,7 +36,7 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] App Router + TypeScript + `src/` structure
- [x] [P1] Shared DB access via `@cms/db`
- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
- [ ] [P1] Authentication and session model (`admin`, `editor`, `manager`)
- [~] [P1] Authentication and session model (`admin`, `editor`, `manager`)
- [ ] [P1] Protected admin routes and session handling
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)

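Review bot: the role list in "Authentication and session model (`admin`, `editor`, `manager`)" is stale after this commit: the first hunk introduces an owner invariant and a hidden technical support user, and neither fits those three roles. Update the item to name the full role set (owner, admin, editor, manager, and whatever role the support account carries) so the session model and the RBAC domain model agree. Also, "Protected admin routes and session handling" stays [ ] here while the first hunk marks "RBAC enforcement at route and action level in admin" [x]; one of the two statuses is wrong.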
@@ -50,13 +55,13 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
- [ ] [P1] RBAC policy unit tests and permission regression suite
- [~] [P1] RBAC policy unit tests and permission regression suite
- [ ] [P1] CRUD contract tests for shared service patterns

### Documentation

- [x] [P1] Docs tool baseline added (`docs/` via VitePress)
- [ ] [P1] RBAC and permission model documentation in docs site
- [x] [P1] RBAC and permission model documentation in docs site
- [ ] [P1] CRUD base patterns documentation and examples
- [ ] [P1] Environment and deployment runbook docs (dev/staging/production)
- [ ] [P2] API and domain glossary pages
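Review bot: "RBAC policy unit tests and permission regression suite" moves only to [~], and "CI workflow for lint/typecheck/unit/e2e gates" stays [ ], so nothing on this page backs the [x] on "Permission matrix documented and tested" in the first hunk. Either leave that gate item open until this suite is complete and running in CI, or reword it to "documented" only. The documentation line itself ([x] "RBAC and permission model documentation in docs site") is consistent with the commit title.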
@@ -92,6 +97,8 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Media enrichment metadata (alt text, copyright, author, source, tags)
- [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability)
- [ ] [P1] Users management (invite, roles, status)
- [ ] [P1] Disable/ban user function and enforcement in auth/session checks
- [ ] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
- [ ] [P1] Commissions management (request intake, owner, due date, notes)
- [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
- [ ] [P1] Header banner management (message, CTA, active window)
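Review bot: "Disable/ban user function and enforcement in auth/session checks" should spell out that a ban invalidates existing sessions, not only future logins; "enforcement in auth/session checks" reads as login-time only. The adjacent "Owner/support protection rules in user management actions (cannot delete/demote)" should also forbid disabling or banning the owner and the support user, otherwise the ban path becomes a way around the non-deletable guarantee, e.g. "(cannot delete/demote/disable)".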
@@ -116,6 +123,8 @@ This file is the single source of truth for roadmap and delivery progress.

- [ ] [P1] Unit tests for content schemas and service logic
- [ ] [P1] Component tests for admin forms (pages/media/navigation)
- [ ] [P1] Integration tests for owner invariant and hidden support-user protection
- [ ] [P1] Integration tests for registration allow/deny behavior
- [ ] [P1] E2E happy paths: create page, publish, see on public app
- [ ] [P1] E2E happy paths: media upload + artwork refinement display
- [ ] [P1] E2E happy paths: commissions kanban transitions
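Review bot: the two new integration-test items do not cover the interaction the first hunk creates between them: first-run owner bootstrap when the users table is empty must still succeed when admin self-registration is set to deny, and the deny path must not reveal whether an email already exists. Add those cases under "Integration tests for registration allow/deny behavior". There is also no test line for the new disable/ban enforcement; add one beside the owner-invariant test so a banned user's existing session is asserted to be rejected.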
@@ -127,6 +136,9 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Audit log for key content operations
- [ ] [P2] Revision history for pages/navigation/media metadata
- [ ] [P1] Permission matrix refinement with granular scopes
- [ ] [P1] Verify email pipeline and operational templates (welcome/verify/resend)
- [ ] [P1] Forgot password/reset password pipeline and support tooling
- [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
- [ ] [P2] Error boundaries and UX fallback states

### Public App

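Review bot: "Forgot password/reset password pipeline and support tooling" introduces a privileged path (support-initiated resets) while "Audit log for key content operations" in the same hunk is still [ ] and scoped to content; widen the audit item to user-management actions, including support-initiated password resets and role changes, and have the reset item require single-use, short-lived tokens. The P2 "GUI page to edit role-permission mappings with safety guardrails" should name the guardrails it inherits from the first hunk: the owner invariant and the non-demotable support user must hold no matter what the mapping editor is asked to do.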