layout access admin and manager

2025-11-30 13:48:04 +01:00 · 2025-11-30 13:48:04 +01:00 · 591213aaf7
commit 591213aaf7
parent cca6eda9d3
3 changed files with 27 additions and 4 deletions
--- a/apps/backend/src/application/controllers/users.controller.ts
+++ b/apps/backend/src/application/controllers/users.controller.ts
@ -164,9 +164,10 @@ export class UsersController {
   * Get user by ID
   */
  @Get(':id')
+  @Roles('admin', 'manager')
  @ApiOperation({
    summary: 'Get user by ID',
-    description: 'Retrieve user details. Users can view users in their org, admins can view any.',
+    description: 'Retrieve user details. Only ADMIN and MANAGER can access this endpoint.',
  })
  @ApiParam({
    name: 'id',
@ -324,10 +325,11 @@ export class UsersController {
   * List users in organization
   */
  @Get()
+  @Roles('admin', 'manager')
  @ApiOperation({
    summary: 'List users',
    description:
-      'Retrieve a paginated list of users in your organization. Admins can see all users.',
+      'Retrieve a paginated list of users in your organization. Only ADMIN and MANAGER can access this endpoint.',
  })
  @ApiQuery({
    name: 'page',
--- a/apps/frontend/app/dashboard/layout.tsx
+++ b/apps/frontend/app/dashboard/layout.tsx
@ -24,7 +24,10 @@ export default function DashboardLayout({ children }: { children: React.ReactNod
    { name: 'Search Rates', href: '/dashboard/search-advanced', icon: '🔎' },
    { name: 'My Profile', href: '/dashboard/profile', icon: '👤' },
    { name: 'Organization', href: '/dashboard/settings/organization', icon: '🏢' },
+    // ADMIN and MANAGER only navigation items
+    ...(user?.role === 'ADMIN' || user?.role === 'MANAGER' ? [
      { name: 'Users', href: '/dashboard/settings/users', icon: '👥' },
+    ] : []),
    // ADMIN only navigation items
    ...(user?.role === 'ADMIN' ? [
      { name: 'CSV Rates', href: '/dashboard/admin/csv-rates', icon: '📄' },
--- a/apps/frontend/app/dashboard/settings/users/page.tsx
+++ b/apps/frontend/app/dashboard/settings/users/page.tsx
@ -6,13 +6,15 @@

 'use client';

-import { useState } from 'react';
+import { useState, useEffect } from 'react';
+import { useRouter } from 'next/navigation';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import { listUsers, updateUser, deleteUser } from '@/lib/api';
 import { createInvitation } from '@/lib/api/invitations';
 import { useAuth } from '@/lib/context/auth-context';

 export default function UsersManagementPage() {
+  const router = useRouter();
  const queryClient = useQueryClient();
  const { user: currentUser } = useAuth();
  const [showInviteModal, setShowInviteModal] = useState(false);
@ -100,6 +102,22 @@ export default function UsersManagementPage() {
    },
  });

+  // Restrict access to ADMIN and MANAGER only
+  useEffect(() => {
+    if (currentUser && currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER') {
+      router.push('/dashboard');
+    }
+  }, [currentUser, router]);
+
+  // Don't render until we've checked permissions
+  if (!currentUser || (currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER')) {
+    return (
+      <div className="flex items-center justify-center min-h-screen">
+        <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600"></div>
+      </div>
+    );
+  }
+
  const handleInvite = (e: React.FormEvent) => {
    e.preventDefault();
    setError('');