Major expansion: HR module, CRM, integrations, packages, validation pipeline
Validate / validate (push) Successful in 34s
Validate / validate (push) Successful in 34s
HR module: - Multi-role per company (admin/manager/user/viewer/hr orthogonal) - Employees with salary history, terminate/reactivate - Per-company public holidays (seeded from ppraserts/thailand-open-data with manual fallback for unsupported years) - Leave types (editable defaults), leave requests with approve/reject - Per-employee leave balances (auto-seeded), remaining-days hint on request form, HR balance summary on requests page - Thai-compliant payroll: SSO 5% capped, PND1 brackets, monthly WHT - Payslip generation with editable line items, finalize/mark-paid, pdf-lib PDF download - CSV export of leave per employee or company-wide CRM & invoicing: - Customer/supplier party database with archive - Invoice line items, VAT 7%, status transitions, PDF generation - Outgoing/incoming direction; incoming auto-creates linked expense Package tracking: - packages + package_events + shipping_accounts tables - 8 carrier stubs (UPS/FedEx/DHL/USPS/Flash Express/Kerry/J&T/TH Post) with API doc references for future implementation - Manual status updates with timeline - Customs duty invoice flow on delivery - Per-company carrier credentials (admin only) Integrations scaffold: - external_accounts + external_transactions (Kasikorn K-Biz, Ether.fi) - Manual transaction matching to expenses Infrastructure: - APP_NAME env var for branding - Soft-delete for companies and parties - Light/dark mode toggle, dark-mode classes throughout - pre-push hook (husky) + Gitea/GitHub Actions running svelte-check with --threshold warning + vite build - npm run validate combines both checks Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -19,41 +19,89 @@ export function requireSystemAdmin(locals: App.Locals): NonNullable<App.Locals['
|
||||
return user;
|
||||
}
|
||||
|
||||
export async function getCompanyRole(
|
||||
export async function getCompanyRoles(
|
||||
userId: string,
|
||||
companyId: string
|
||||
): Promise<CompanyRole | null> {
|
||||
): Promise<CompanyRole[] | null> {
|
||||
const result = await db
|
||||
.select({ role: companyMembers.role })
|
||||
.select({ roles: companyMembers.roles })
|
||||
.from(companyMembers)
|
||||
.where(and(eq(companyMembers.userId, userId), eq(companyMembers.companyId, companyId)))
|
||||
.limit(1);
|
||||
|
||||
if (result.length === 0) return null;
|
||||
return result[0].role;
|
||||
return result[0].roles as CompanyRole[];
|
||||
}
|
||||
|
||||
/** Does the role set include the target role? */
|
||||
export function hasRole(roles: CompanyRole[], target: CompanyRole): boolean {
|
||||
return roles.includes(target);
|
||||
}
|
||||
|
||||
/** Does any hierarchical role in the set meet or exceed the minimum rank? `hr` does not count. */
|
||||
export function meetsMinRole(roles: CompanyRole[], min: Exclude<CompanyRole, 'hr'>): boolean {
|
||||
const minRank = ROLE_HIERARCHY[min];
|
||||
for (const r of roles) {
|
||||
if (r === 'hr') continue;
|
||||
const rank = ROLE_HIERARCHY[r as Exclude<CompanyRole, 'hr'>];
|
||||
if (rank >= minRank) return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure the caller meets the minimum hierarchical role (admin>manager>user>viewer).
|
||||
* System admins bypass. Returns the caller's full role set.
|
||||
*/
|
||||
export async function requireCompanyRole(
|
||||
locals: App.Locals,
|
||||
companyId: string,
|
||||
minRole: CompanyRole
|
||||
): Promise<{ user: NonNullable<App.Locals['user']>; role: CompanyRole }> {
|
||||
minRole: Exclude<CompanyRole, 'hr'>
|
||||
): Promise<{ user: NonNullable<App.Locals['user']>; roles: CompanyRole[] }> {
|
||||
const user = requireAuth(locals);
|
||||
|
||||
// System admins bypass company role checks
|
||||
if (user.isSystemAdmin) {
|
||||
return { user, role: 'admin' };
|
||||
return { user, roles: ['admin'] };
|
||||
}
|
||||
|
||||
const role = await getCompanyRole(user.id, companyId);
|
||||
const roles = await getCompanyRoles(user.id, companyId);
|
||||
|
||||
if (!role) {
|
||||
if (!roles || roles.length === 0) {
|
||||
error(403, 'Not a member of this company');
|
||||
}
|
||||
|
||||
if (ROLE_HIERARCHY[role] < ROLE_HIERARCHY[minRole]) {
|
||||
if (!meetsMinRole(roles, minRole)) {
|
||||
error(403, `Requires ${minRole} role or higher`);
|
||||
}
|
||||
|
||||
return { user, role };
|
||||
return { user, roles };
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure the caller has ANY of the listed roles. Useful for orthogonal roles like `hr`.
|
||||
* System admins bypass.
|
||||
*/
|
||||
export async function requireCompanyRoleAny(
|
||||
locals: App.Locals,
|
||||
companyId: string,
|
||||
anyOf: CompanyRole[]
|
||||
): Promise<{ user: NonNullable<App.Locals['user']>; roles: CompanyRole[] }> {
|
||||
const user = requireAuth(locals);
|
||||
|
||||
if (user.isSystemAdmin) {
|
||||
return { user, roles: ['admin'] };
|
||||
}
|
||||
|
||||
const roles = await getCompanyRoles(user.id, companyId);
|
||||
|
||||
if (!roles || roles.length === 0) {
|
||||
error(403, 'Not a member of this company');
|
||||
}
|
||||
|
||||
const has = roles.some((r) => anyOf.includes(r));
|
||||
if (!has) {
|
||||
error(403, `Requires one of: ${anyOf.join(', ')}`);
|
||||
}
|
||||
|
||||
return { user, roles };
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user