Files
alla-tms/plans/change-user-management-it-admin-only.md
2026-07-16 09:53:14 +07:00

156 lines
3.0 KiB
Markdown

You are a Senior Full Stack Engineer.
Project:
Training Management System (TMS)
Current task:
Update sidebar permission for User Management menu.
Requirement:
The menu "พนักงาน" that represents User Management / login accounts must be visible only to Admin IT role.
Important constraints:
- Do NOT delete the User Management route.
- Do NOT delete APIs.
- Do NOT change database schema.
- Do NOT affect Employee Directory menu.
- Keep Thai UI.
- Minimal-impact changes only.
Business Rule:
1. Menu: พนักงาน
Purpose:
- User Management
- Login accounts
- Role
- Provider
- Keycloak mapping
Visible only to:
- admin_it
- IT Admin
- super_admin if currently used as highest role
Not visible to:
- HRD/Admin
- Employee/User
2. Menu: รายชื่อพนักงานทั้งหมด
Purpose:
- Employee Master
- Training hours
- Training history
Visible to:
- HRD/Admin
- Admin IT if allowed
- super_admin if used
3. Direct URL protection:
For User Management route:
- /dashboard/users
- /dashboard/users/\*
- related user management APIs
Only Admin IT / super_admin can access.
HRD/Admin direct URL access should be blocked:
- 403 Forbidden
or
- redirect to dashboard
4. Sidebar:
Under ข้อมูลหลัก:
For Admin IT:
- พนักงาน
- รายชื่อพนักงานทั้งหมด
- หลักสูตร
- นโยบาย
- ประกาศ
For HRD/Admin:
- รายชื่อพนักงานทั้งหมด
- หลักสูตร
- นโยบาย
- ประกาศ
For Employee:
- should not see ข้อมูลหลัก unless already allowed by current design
5. Files likely involved:
- src/config/nav-config.ts
- src/lib/auth/session.ts
- src/lib/auth/permissions.ts
- src/app/dashboard/users/page.tsx
- src/app/dashboard/users/[id]/page.tsx
- src/app/api/users/route.ts
- src/app/api/users/[id]/route.ts
- src/components/layout/app-sidebar.tsx
6. Add or reuse helper:
requireITAdmin()
or
requireUserManagementAccess()
Recommended:
function requireUserManagementAccess() {
allow roles:
- super_admin
- admin_it
}
Do not allow HRD admin.
7. Output Review File
Create:
docs/management-change-user-management-it-admin-only-review.md
Include:
1. Summary
2. Files Changed
3. Navigation Changes
4. Permission Rules
5. Route Protection
6. API Protection
7. Manual Test Checklist
8. Known Limitations
Manual Test Checklist:
- Admin IT sees พนักงาน menu.
- HRD/Admin does not see พนักงาน menu.
- Employee does not see พนักงาน menu.
- HRD/Admin still sees รายชื่อพนักงานทั้งหมด.
- Admin IT can open /dashboard/users.
- HRD/Admin cannot open /dashboard/users by direct URL.
- Employee cannot open /dashboard/users by direct URL.
- User management APIs reject HRD/Admin.
- Employee Directory is not affected.
- Other menus still work.
Return:
- Complete code changes with file paths.
- Content of docs/management-change-user-management-it-admin-only-review.md.