156 lines
3.0 KiB
Markdown
156 lines
3.0 KiB
Markdown
You are a Senior Full Stack Engineer.
|
|
|
|
Project:
|
|
Training Management System (TMS)
|
|
|
|
Current task:
|
|
Update sidebar permission for User Management menu.
|
|
|
|
Requirement:
|
|
The menu "พนักงาน" that represents User Management / login accounts must be visible only to Admin IT role.
|
|
|
|
Important constraints:
|
|
|
|
- Do NOT delete the User Management route.
|
|
- Do NOT delete APIs.
|
|
- Do NOT change database schema.
|
|
- Do NOT affect Employee Directory menu.
|
|
- Keep Thai UI.
|
|
- Minimal-impact changes only.
|
|
|
|
Business Rule:
|
|
|
|
1. Menu: พนักงาน
|
|
Purpose:
|
|
|
|
- User Management
|
|
- Login accounts
|
|
- Role
|
|
- Provider
|
|
- Keycloak mapping
|
|
|
|
Visible only to:
|
|
|
|
- admin_it
|
|
- IT Admin
|
|
- super_admin if currently used as highest role
|
|
|
|
Not visible to:
|
|
|
|
- HRD/Admin
|
|
- Employee/User
|
|
|
|
2. Menu: รายชื่อพนักงานทั้งหมด
|
|
Purpose:
|
|
|
|
- Employee Master
|
|
- Training hours
|
|
- Training history
|
|
|
|
Visible to:
|
|
|
|
- HRD/Admin
|
|
- Admin IT if allowed
|
|
- super_admin if used
|
|
|
|
3. Direct URL protection:
|
|
|
|
For User Management route:
|
|
|
|
- /dashboard/users
|
|
- /dashboard/users/\*
|
|
- related user management APIs
|
|
|
|
Only Admin IT / super_admin can access.
|
|
|
|
HRD/Admin direct URL access should be blocked:
|
|
|
|
- 403 Forbidden
|
|
or
|
|
- redirect to dashboard
|
|
|
|
4. Sidebar:
|
|
|
|
Under ข้อมูลหลัก:
|
|
|
|
For Admin IT:
|
|
|
|
- พนักงาน
|
|
- รายชื่อพนักงานทั้งหมด
|
|
- หลักสูตร
|
|
- นโยบาย
|
|
- ประกาศ
|
|
|
|
For HRD/Admin:
|
|
|
|
- รายชื่อพนักงานทั้งหมด
|
|
- หลักสูตร
|
|
- นโยบาย
|
|
- ประกาศ
|
|
|
|
For Employee:
|
|
|
|
- should not see ข้อมูลหลัก unless already allowed by current design
|
|
|
|
5. Files likely involved:
|
|
|
|
- src/config/nav-config.ts
|
|
- src/lib/auth/session.ts
|
|
- src/lib/auth/permissions.ts
|
|
- src/app/dashboard/users/page.tsx
|
|
- src/app/dashboard/users/[id]/page.tsx
|
|
- src/app/api/users/route.ts
|
|
- src/app/api/users/[id]/route.ts
|
|
- src/components/layout/app-sidebar.tsx
|
|
|
|
6. Add or reuse helper:
|
|
|
|
requireITAdmin()
|
|
or
|
|
requireUserManagementAccess()
|
|
|
|
Recommended:
|
|
|
|
function requireUserManagementAccess() {
|
|
allow roles:
|
|
|
|
- super_admin
|
|
- admin_it
|
|
}
|
|
|
|
Do not allow HRD admin.
|
|
|
|
7. Output Review File
|
|
|
|
Create:
|
|
docs/management-change-user-management-it-admin-only-review.md
|
|
|
|
Include:
|
|
|
|
1. Summary
|
|
2. Files Changed
|
|
3. Navigation Changes
|
|
4. Permission Rules
|
|
5. Route Protection
|
|
6. API Protection
|
|
7. Manual Test Checklist
|
|
8. Known Limitations
|
|
|
|
Manual Test Checklist:
|
|
|
|
- Admin IT sees พนักงาน menu.
|
|
- HRD/Admin does not see พนักงาน menu.
|
|
- Employee does not see พนักงาน menu.
|
|
- HRD/Admin still sees รายชื่อพนักงานทั้งหมด.
|
|
- Admin IT can open /dashboard/users.
|
|
- HRD/Admin cannot open /dashboard/users by direct URL.
|
|
- Employee cannot open /dashboard/users by direct URL.
|
|
- User management APIs reject HRD/Admin.
|
|
- Employee Directory is not affected.
|
|
- Other menus still work.
|
|
|
|
Return:
|
|
|
|
- Complete code changes with file paths.
|
|
- Content of docs/management-change-user-management-it-admin-only-review.md.
|