- /**
- * UI-side RBAC decision helpers for branch-based routes (RHL-021).
- *
- * This module is pure (no React / no Next runtime).
- * The UI can use it to decide whether a user may access a given `:branch` segment.
- */
- import { isAdminLike as isAdminLikeRole } from "@/lib/frontend/auth/roles";
- /**
- * @typedef {Object} AuthUser
- * @property {string} userId
- * @property {string} role
- * @property {string|null} branchId
- */
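/** Possible outcomes of a branch access decision (frozen so callers cannot mutate it). */
export const BRANCH_ACCESS = Object.freeze({
  ALLOWED: "allowed",
  FORBIDDEN: "forbidden",
});

/**
 * Decide whether the given user can access a route branch.
 *
 * Rules, evaluated in order (default deny):
 * - missing or malformed user, or missing/empty routeBranch: forbidden
 * - role "branch": allowed only when routeBranch === user.branchId
 * - admin-like roles (admin/superadmin/dev): allowed for any route branch
 * - any other role: forbidden
 *
 * The branch comparison is strict (no trimming or case folding), so the
 * route segment must match the stored branch id exactly. This is a UI-side
 * decision helper; it does not replace server-side authorization checks.
 *
 * @param {AuthUser|null} user
 * @param {string} routeBranch - the `:branch` segment of the route
 * @returns {"allowed"|"forbidden"}
 */
export function getBranchAccess(user, routeBranch) {
  // Fail closed on anything that is not an object: a truthy non-object
  // (e.g. a string) would otherwise be probed for `.role`.
  if (typeof user !== "object" || user === null) {
    return BRANCH_ACCESS.FORBIDDEN;
  }
  if (typeof routeBranch !== "string" || routeBranch === "") {
    return BRANCH_ACCESS.FORBIDDEN;
  }
  // Only string roles are ever handed to the role helper; anything else is denied here.
  if (typeof user.role !== "string") {
    return BRANCH_ACCESS.FORBIDDEN;
  }
  if (user.role === "branch") {
    return user.branchId === routeBranch
      ? BRANCH_ACCESS.ALLOWED
      : BRANCH_ACCESS.FORBIDDEN;
  }
  return isAdminLikeRole(user.role)
    ? BRANCH_ACCESS.ALLOWED
    : BRANCH_ACCESS.FORBIDDEN;
}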