3.0 KiB
You are a Senior Full Stack Engineer.
Project: Training Management System (TMS)
Current task: Update sidebar permission for User Management menu.
Requirement: The menu "พนักงาน" that represents User Management / login accounts must be visible only to Admin IT role.
Important constraints:
- Do NOT delete the User Management route.
- Do NOT delete APIs.
- Do NOT change database schema.
- Do NOT affect Employee Directory menu.
- Keep Thai UI.
- Minimal-impact changes only.
Business Rule:
- Menu: พนักงาน Purpose:
- User Management
- Login accounts
- Role
- Provider
- Keycloak mapping
Visible only to:
- admin_it
- IT Admin
- super_admin if currently used as highest role
Not visible to:
- HRD/Admin
- Employee/User
- Menu: รายชื่อพนักงานทั้งหมด Purpose:
- Employee Master
- Training hours
- Training history
Visible to:
- HRD/Admin
- Admin IT if allowed
- super_admin if used
- Direct URL protection:
For User Management route:
- /dashboard/users
- /dashboard/users/*
- related user management APIs
Only Admin IT / super_admin can access.
HRD/Admin direct URL access should be blocked:
- 403 Forbidden or
- redirect to dashboard
- Sidebar:
Under ข้อมูลหลัก:
For Admin IT:
- พนักงาน
- รายชื่อพนักงานทั้งหมด
- หลักสูตร
- นโยบาย
- ประกาศ
For HRD/Admin:
- รายชื่อพนักงานทั้งหมด
- หลักสูตร
- นโยบาย
- ประกาศ
For Employee:
- should not see ข้อมูลหลัก unless already allowed by current design
- Files likely involved:
- src/config/nav-config.ts
- src/lib/auth/session.ts
- src/lib/auth/permissions.ts
- src/app/dashboard/users/page.tsx
- src/app/dashboard/users/[id]/page.tsx
- src/app/api/users/route.ts
- src/app/api/users/[id]/route.ts
- src/components/layout/app-sidebar.tsx
- Add or reuse helper:
requireITAdmin() or requireUserManagementAccess()
Recommended:
function requireUserManagementAccess() { allow roles:
- super_admin
- admin_it }
Do not allow HRD admin.
- Output Review File
Create: docs/management-change-user-management-it-admin-only-review.md
Include:
- Summary
- Files Changed
- Navigation Changes
- Permission Rules
- Route Protection
- API Protection
- Manual Test Checklist
- Known Limitations
Manual Test Checklist:
- Admin IT sees พนักงาน menu.
- HRD/Admin does not see พนักงาน menu.
- Employee does not see พนักงาน menu.
- HRD/Admin still sees รายชื่อพนักงานทั้งหมด.
- Admin IT can open /dashboard/users.
- HRD/Admin cannot open /dashboard/users by direct URL.
- Employee cannot open /dashboard/users by direct URL.
- User management APIs reject HRD/Admin.
- Employee Directory is not affected.
- Other menus still work.
Return:
- Complete code changes with file paths.
- Content of docs/management-change-user-management-it-admin-only-review.md.