Files
alla-tms/plans/change-user-management-it-admin-only.md
2026-07-16 09:53:14 +07:00

3.0 KiB

You are a Senior Full Stack Engineer.

Project: Training Management System (TMS)

Current task: Update sidebar permission for User Management menu.

Requirement: The menu "พนักงาน" that represents User Management / login accounts must be visible only to Admin IT role.

Important constraints:

  • Do NOT delete the User Management route.
  • Do NOT delete APIs.
  • Do NOT change database schema.
  • Do NOT affect Employee Directory menu.
  • Keep Thai UI.
  • Minimal-impact changes only.

Business Rule:

  1. Menu: พนักงาน Purpose:
  • User Management
  • Login accounts
  • Role
  • Provider
  • Keycloak mapping

Visible only to:

  • admin_it
  • IT Admin
  • super_admin if currently used as highest role

Not visible to:

  • HRD/Admin
  • Employee/User
  1. Menu: รายชื่อพนักงานทั้งหมด Purpose:
  • Employee Master
  • Training hours
  • Training history

Visible to:

  • HRD/Admin
  • Admin IT if allowed
  • super_admin if used
  1. Direct URL protection:

For User Management route:

  • /dashboard/users
  • /dashboard/users/*
  • related user management APIs

Only Admin IT / super_admin can access.

HRD/Admin direct URL access should be blocked:

  • 403 Forbidden or
  • redirect to dashboard
  1. Sidebar:

Under ข้อมูลหลัก:

For Admin IT:

  • พนักงาน
  • รายชื่อพนักงานทั้งหมด
  • หลักสูตร
  • นโยบาย
  • ประกาศ

For HRD/Admin:

  • รายชื่อพนักงานทั้งหมด
  • หลักสูตร
  • นโยบาย
  • ประกาศ

For Employee:

  • should not see ข้อมูลหลัก unless already allowed by current design
  1. Files likely involved:
  • src/config/nav-config.ts
  • src/lib/auth/session.ts
  • src/lib/auth/permissions.ts
  • src/app/dashboard/users/page.tsx
  • src/app/dashboard/users/[id]/page.tsx
  • src/app/api/users/route.ts
  • src/app/api/users/[id]/route.ts
  • src/components/layout/app-sidebar.tsx
  1. Add or reuse helper:

requireITAdmin() or requireUserManagementAccess()

Recommended:

function requireUserManagementAccess() { allow roles:

  • super_admin
  • admin_it }

Do not allow HRD admin.

  1. Output Review File

Create: docs/management-change-user-management-it-admin-only-review.md

Include:

  1. Summary
  2. Files Changed
  3. Navigation Changes
  4. Permission Rules
  5. Route Protection
  6. API Protection
  7. Manual Test Checklist
  8. Known Limitations

Manual Test Checklist:

  • Admin IT sees พนักงาน menu.
  • HRD/Admin does not see พนักงาน menu.
  • Employee does not see พนักงาน menu.
  • HRD/Admin still sees รายชื่อพนักงานทั้งหมด.
  • Admin IT can open /dashboard/users.
  • HRD/Admin cannot open /dashboard/users by direct URL.
  • Employee cannot open /dashboard/users by direct URL.
  • User management APIs reject HRD/Admin.
  • Employee Directory is not affected.
  • Other menus still work.

Return:

  • Complete code changes with file paths.
  • Content of docs/management-change-user-management-it-admin-only-review.md.