task-l.3
This commit is contained in:
37
docs/implementation/task-l3-full-crm-scope-enforcement.md
Normal file
37
docs/implementation/task-l3-full-crm-scope-enforcement.md
Normal file
@@ -0,0 +1,37 @@
|
||||
# Task L.3: Full CRM Scope Enforcement
|
||||
|
||||
## Summary
|
||||
|
||||
Task L.3 starts hardening CRM security around resolved CRM access instead of relying on route-level permissions or legacy role strings alone.
|
||||
|
||||
## Implemented in this pass
|
||||
|
||||
- Added centralized CRM security helpers in `src/features/crm/security/server/service.ts`
|
||||
- Added `canViewQuotationPricing()` guard for pricing-bearing quotation outputs
|
||||
- Applied pricing enforcement to:
|
||||
- document data
|
||||
- document preview
|
||||
- PDF preview
|
||||
- PDF download
|
||||
- approved PDF
|
||||
- approved quotation artifact download
|
||||
- Switched dashboard revenue visibility to pricing visibility instead of broad quotation-read semantics
|
||||
- Blocked revenue dashboard export when pricing visibility is missing
|
||||
- Updated quotation list/detail/create/update/delete routes to pass resolved CRM scope context
|
||||
- Added quotation service-side branch/product/own-scope enforcement
|
||||
- Updated approval step actor validation to use resolved CRM role unions
|
||||
- Added `crm_security_access` audit events for pricing-denied flows
|
||||
- Added security inventory and boundary documentation
|
||||
- Added `scripts/security/verify-crm-access.ts`
|
||||
|
||||
## Remaining gaps
|
||||
|
||||
- Customers and contacts still need full ownership-scope enforcement
|
||||
- Approval list/detail visibility is still broader than the final resolved-quotation scope
|
||||
- Team-scope semantics remain approximate until the domain has a first-class team/subordinate model
|
||||
- Runtime seeded scenario verification is still needed beyond the current static regression script
|
||||
|
||||
## Verification
|
||||
|
||||
- `npx tsc --noEmit`
|
||||
- `node --experimental-strip-types scripts/security/verify-crm-access.ts`
|
||||
@@ -398,3 +398,35 @@ Future:
|
||||
|
||||
- decide which non-revenue widgets should fully honor project-party role filtering
|
||||
- add a unified filtered reporting projection if cross-widget party-role filtering becomes a hard requirement
|
||||
|
||||
## After Task L.3
|
||||
|
||||
### Customer and contact ownership enforcement
|
||||
|
||||
Current:
|
||||
Customer/contact modules are still more organization-wide than quotation security and need the same resolved ownership model applied consistently.
|
||||
|
||||
Future:
|
||||
|
||||
- add resolved CRM access context to every customer/contact service path
|
||||
- enforce shared-contact visibility without falling back to blanket organization reads
|
||||
|
||||
### Approval visibility scoping
|
||||
|
||||
Current:
|
||||
Approval step handling now resolves multi-role actors correctly, but approval list/detail visibility is still broader than final quotation-scoped security.
|
||||
|
||||
Future:
|
||||
|
||||
- scope approval requests by accessible entity visibility, not organization membership alone
|
||||
- align dashboard approval widgets and approval detail pages with the same rule
|
||||
|
||||
### Team-scope fidelity
|
||||
|
||||
Current:
|
||||
Resolved CRM access supports `team`, but the domain still lacks a first-class subordinate/team graph for precise enforcement.
|
||||
|
||||
Future:
|
||||
|
||||
- define the canonical team relationship source
|
||||
- replace current coarse team handling with explicit team membership or manager hierarchy logic
|
||||
|
||||
Reference in New Issue
Block a user