64 lines
2.8 KiB
Markdown
64 lines
2.8 KiB
Markdown
# User Management IT Admin Only Review
|
|
|
|
## 1. Summary
|
|
|
|
Updated User Management access so the `พนักงาน` menu and related `/dashboard/users` + `/api/users*` endpoints are available only to IT admin access (`IT` business role and `super_admin` via existing role mapping). HRD/Admin keeps access to `รายชื่อพนักงานทั้งหมด` and the rest of the master-data menu.
|
|
|
|
## 2. Files Changed
|
|
|
|
- `src/config/nav-config.ts`
|
|
- `src/types/index.ts`
|
|
- `src/hooks/use-nav.ts`
|
|
- `src/lib/auth/roles.ts`
|
|
- `src/lib/auth/session.ts`
|
|
- `src/lib/auth/page-guards.ts`
|
|
- `src/app/dashboard/users/page.tsx`
|
|
- `src/app/api/users/route.ts`
|
|
- `src/app/api/users/[id]/route.ts`
|
|
- `src/features/users/server/user-data.ts`
|
|
- `src/features/users/info-content.ts`
|
|
|
|
## 3. Navigation Changes
|
|
|
|
- Added support for `businessRoles` in nav access rules.
|
|
- Changed `พนักงาน` under `ข้อมูลหลัก` to visible only for `IT`.
|
|
- Kept `รายชื่อพนักงานทั้งหมด`, `หลักสูตร`, `นโยบาย`, and `ประกาศ` visible for both `HRD` and `IT`.
|
|
- Updated nav filtering so parent items with no visible children are hidden instead of leaving a stray direct link.
|
|
|
|
## 4. Permission Rules
|
|
|
|
- Added `requireUserManagementAccess()` as the shared access gate for user-management features.
|
|
- Changed `canManageUsers()` to allow only IT user-management access instead of any organizer admin.
|
|
- Existing `super_admin` behavior is preserved because the current business-role mapping resolves `super_admin` to `IT`.
|
|
|
|
## 5. Route Protection
|
|
|
|
- `/dashboard/users` now uses `requireUserManagementDashboardAccess()`.
|
|
- Unauthorized users are redirected using the existing dashboard guard behavior.
|
|
|
|
## 6. API Protection
|
|
|
|
- `/api/users`
|
|
- `/api/users/[id]`
|
|
|
|
Both routes now require `requireUserManagementAccess()` before any list, options, create, update, or deactivate action.
|
|
|
|
## 7. Manual Test Checklist
|
|
|
|
- Admin IT sees `พนักงาน` menu.
|
|
- HRD/Admin does not see `พนักงาน` menu.
|
|
- Employee does not see `พนักงาน` menu.
|
|
- HRD/Admin still sees `รายชื่อพนักงานทั้งหมด`.
|
|
- Admin IT can open `/dashboard/users`.
|
|
- HRD/Admin cannot open `/dashboard/users` by direct URL.
|
|
- Employee cannot open `/dashboard/users` by direct URL.
|
|
- User management APIs reject HRD/Admin.
|
|
- Employee Directory is not affected.
|
|
- Other menus still work.
|
|
|
|
## 8. Known Limitations
|
|
|
|
- This change assumes the current role mapping remains: `super_admin` => `IT`, organizer admin => `HRD`, member => `EMPLOYEE`.
|
|
- There is no dedicated `admin_it` database field yet; access still relies on the existing derived business-role model.
|
|
- Only the current `/dashboard/users` page exists in App Router right now, so no additional `/dashboard/users/[id]` page update was needed.
|