marcel/familienarchiv
1
0
Fork 0
Code Issues 114 Pull Requests 3 Actions 2 Packages Projects Releases Wiki Activity

feat(routes): add server-side WRITE_ALL guard on write-only routes

Browse Source 
Block direct URL navigation to /persons/new, /documents/new,
/documents/:id/edit for users without WRITE_ALL permission.
E2E tests verify admin user retains access to all write routes.

Closes #17
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-20 09:47:52 +01:00
parent fde75f3fcf
commit fa4bfb8e5c
4 changed files with 46 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
frontend/src/routes/persons/new/+page.server.ts
View File

@@ -1,6 +1,11 @@
import { fail, redirect } from '@sveltejs/kit';
import { error, fail, redirect } from '@sveltejs/kit';
import { createApiClient } from '$lib/api.server';
export async function load({ locals }: { locals: App.Locals }) {
const canWrite = locals.user?.groups?.some((g: { permissions: string[] }) => g.permissions.includes('WRITE_ALL')) ?? false;
if (!canWrite) throw error(403, 'Forbidden');
}
export const actions = {
default: async ({ request, fetch }) => {
const formData = await request.formData();