feat(rbac): enforce admin access checks and document permission model

2026-02-10 12:16:36 +01:00
parent 4041a4ac4a
commit 947cb0a3d7
13 changed files with 458 additions and 8 deletions
--- a/apps/admin/src/app/todo/page.tsx
+++ b/apps/admin/src/app/todo/page.tsx
@@ -1,6 +1,10 @@
 import { readFile } from "node:fs/promises"
 import path from "node:path"
+import { hasPermission } from "@cms/content/rbac"
 import Link from "next/link"
+import { redirect } from "next/navigation"
+
+import { resolveRoleFromServerContext } from "@/lib/access"

 export const dynamic = "force-dynamic"

@@ -401,6 +405,12 @@ function filterButtonClass(active: boolean): string {
 export default async function AdminTodoPage(props: {
  searchParams?: SearchParamsInput | Promise<SearchParamsInput>
 }) {
+  const role = await resolveRoleFromServerContext()
+
+  if (!role || !hasPermission(role, "roadmap:read", "global")) {
+    redirect("/unauthorized?required=roadmap:read&scope=global")
+  }
+
  const content = await getTodoMarkdown()
  const sections = parseTodo(content)
  const progress = getProgressCounts(sections)