layout access admin and manager

apps/backend/src/application/controllers/users.controller.ts

@@ -164,9 +164,10 @@ export class UsersController {
    * Get user by ID
    */
   @Get(':id')
+  @Roles('admin', 'manager')
   @ApiOperation({
     summary: 'Get user by ID',
-    description: 'Retrieve user details. Users can view users in their org, admins can view any.',
+    description: 'Retrieve user details. Only ADMIN and MANAGER can access this endpoint.',
   })
   @ApiParam({
     name: 'id',
@@ -324,10 +325,11 @@ export class UsersController {
    * List users in organization
    */
   @Get()
+  @Roles('admin', 'manager')
   @ApiOperation({
     summary: 'List users',
     description:
-      'Retrieve a paginated list of users in your organization. Admins can see all users.',
+      'Retrieve a paginated list of users in your organization. Only ADMIN and MANAGER can access this endpoint.',
   })
   @ApiQuery({
     name: 'page',

apps/frontend/app/dashboard/layout.tsx

@@ -24,7 +24,10 @@ export default function DashboardLayout({ children }: { children: React.ReactNod
     { name: 'Search Rates', href: '/dashboard/search-advanced', icon: '🔎' },
     { name: 'My Profile', href: '/dashboard/profile', icon: '👤' },
     { name: 'Organization', href: '/dashboard/settings/organization', icon: '🏢' },
-    { name: 'Users', href: '/dashboard/settings/users', icon: '👥' },
+    // ADMIN and MANAGER only navigation items
+    ...(user?.role === 'ADMIN' || user?.role === 'MANAGER' ? [
+      { name: 'Users', href: '/dashboard/settings/users', icon: '👥' },
+    ] : []),
     // ADMIN only navigation items
     ...(user?.role === 'ADMIN' ? [
       { name: 'CSV Rates', href: '/dashboard/admin/csv-rates', icon: '📄' },

apps/frontend/app/dashboard/settings/users/page.tsx

@@ -6,13 +6,15 @@
 
 'use client';
 
-import { useState } from 'react';
+import { useState, useEffect } from 'react';
+import { useRouter } from 'next/navigation';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import { listUsers, updateUser, deleteUser } from '@/lib/api';
 import { createInvitation } from '@/lib/api/invitations';
 import { useAuth } from '@/lib/context/auth-context';
 
 export default function UsersManagementPage() {
+  const router = useRouter();
   const queryClient = useQueryClient();
   const { user: currentUser } = useAuth();
   const [showInviteModal, setShowInviteModal] = useState(false);
@@ -100,6 +102,22 @@ export default function UsersManagementPage() {
     },
   });
 
+  // Restrict access to ADMIN and MANAGER only
+  useEffect(() => {
+    if (currentUser && currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER') {
+      router.push('/dashboard');
+    }
+  }, [currentUser, router]);
+
+  // Don't render until we've checked permissions
+  if (!currentUser || (currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER')) {
+    return (
+      <div className="flex items-center justify-center min-h-screen">
+        <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600"></div>
+      </div>
+    );
+  }
+
   const handleInvite = (e: React.FormEvent) => {
     e.preventDefault();
     setError('');