docs(permissions): note requireWriteAll can replace the inline guard elsewhere
Some checks failed
CI / Semgrep Security Scan (pull_request) Successful in 25s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m6s
SDD Gate / RTM Check (pull_request) Successful in 14s
SDD Gate / Contract Validate (pull_request) Successful in 23s
SDD Gate / Constitution Impact (pull_request) Successful in 21s
CI / Unit & Component Tests (pull_request) Failing after 3m19s
CI / OCR Service Tests (pull_request) Successful in 22s
CI / Backend Unit Tests (pull_request) Successful in 4m49s
CI / fail2ban Regex (pull_request) Successful in 47s

Architect/Developer review suggestion: flag that other WRITE_ALL-gated author
loads (e.g. documents/[id]/edit) still inline the throw-403 guard and can adopt
requireWriteAll so it doesn't diverge. Comment-only.

Addresses PR #832 review (Architect suggestion).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Marcel
2026-06-14 00:33:38 +02:00
parent d48a89ba5c
commit 719274ef88

@@ -20,6 +20,10 @@ export function hasWriteAll(locals: PermissionLocals): boolean {
* — `hasWriteAll` returns false for a null user, so a single check covers both * — `hasWriteAll` returns false for a null user, so a single check covers both
* the unauthenticated and the under-privileged case. Server-side gate; the * the unauthenticated and the under-privileged case. Server-side gate; the
* frontend canWrite flag only hides entry-point buttons. * frontend canWrite flag only hides entry-point buttons.
*
* Other WRITE_ALL-gated author loads (e.g. `documents/[id]/edit`) still inline
* `if (!hasWriteAll(locals)) throw error(403)` — they can adopt this helper so
* the guard doesn't quietly diverge across routes.
*/ */
export function requireWriteAll(locals: PermissionLocals): void { export function requireWriteAll(locals: PermissionLocals): void {
if (!hasWriteAll(locals)) throw error(403, 'Forbidden'); if (!hasWriteAll(locals)) throw error(403, 'Forbidden');
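Review bot: the added comment lines above `requireWriteAll` name `documents/[id]/edit` as a route that still inlines the guard, so the comment goes stale the moment that route is migrated, and it gives a reader no way to find the other inline copies. Consider dropping the route name and pointing at a tracking issue instead, or migrating the callers in a follow-up and deleting this paragraph. Also note that the inline form quoted in the comment is `throw error(403)` while the helper throws `error(403, 'Forbidden')`; if that quote is literal, the two paths already return different response bodies for the same authorization failure, which is worth stating explicitly or fixing, since clients and log-based detections may match on the message.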