- /**
- * UI-side RBAC decision helpers for branch-based routes (RHL-021).
- *
- * This module is pure (no React / no Next runtime), so it can be unit-tested on its own.
- * The UI can use it to decide whether a user may access a given `:branch` segment
- * (e.g. to hide a link or redirect). Because it runs client-side it is not a security
- * boundary: the server must enforce the same rule on every request for branch data.
- */
- /**
- * @typedef {Object} AuthUser
- * @property {string} userId
- * @property {string} role
- * @property {string|null} branchId
- */
/**
 * Verdict values returned by {@link getBranchAccess}.
 *
 * Frozen so a caller cannot add a third verdict or rebind "allowed"/"forbidden"
 * at runtime; compare against these members rather than against raw strings.
 */
export const BRANCH_ACCESS = Object.freeze({ ALLOWED: "allowed", FORBIDDEN: "forbidden" });
/**
 * Decide whether `user` may access the `:branch` route segment `routeBranch`.
 *
 * Decision table:
 *   - no user, or a non-string / empty `routeBranch`   -> "forbidden"
 *   - role "branch"                                     -> "allowed" only when `user.branchId === routeBranch`
 *   - role "admin" or "dev"                             -> "allowed" for every branch
 *   - any other role (or no role)                       -> "forbidden"
 *
 * Fail-closed: every path that is not an explicit allow returns FORBIDDEN.
 *
 * NOTE(review): this runs in the UI (see module header), so it can only hide
 * routes, not protect them. The same rule must be enforced server-side on the
 * data the route exposes; confirm that enforcement exists before relying on this.
 *
 * @param {AuthUser|null} user - authenticated user, or null when signed out
 * @param {string} routeBranch - the `:branch` segment taken from the current route
 * @returns {"allowed"|"forbidden"} one of the BRANCH_ACCESS verdicts
 */
export function getBranchAccess(user, routeBranch) {
  const hasRouteBranch = typeof routeBranch === "string" && routeBranch !== "";
  if (!user || !hasRouteBranch) {
    return BRANCH_ACCESS.FORBIDDEN;
  }

  switch (user.role) {
    case "branch":
      // Branch-scoped users are pinned to exactly one branch id. Strict
      // equality means a null/undefined branchId can never match a route.
      return user.branchId === routeBranch
        ? BRANCH_ACCESS.ALLOWED
        : BRANCH_ACCESS.FORBIDDEN;
    case "admin":
    case "dev":
      // Elevated roles are not branch-scoped.
      return BRANCH_ACCESS.ALLOWED;
    default:
      // Unknown or missing role: deny rather than guess.
      return BRANCH_ACCESS.FORBIDDEN;
  }
}