Fix #27: TeamManager-rosterbeheer, role-escalatie gedicht, escalate-only resync #29
Reference in New Issue
Block a user
Delete Branch "fix/issue-27-teammanager-admin-rules"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #27
Wat dit oplost
updateRule/deleteRulestonden rosterbeheer niet toe (alleen self-update / superuser-delete).rolenaar"admin"patchen. Nieuwe rule: self-update mag álles behalverole(@request.body.role:isset = false); alleen admins beheren rollen en verwijderen leden.ENTRA_ADMIN_EMAILS-allow-list garandeert admin bij elke login, maar demoteert niet meer — anders zou elke UI-promotie bij de volgende login worden teruggedraaid (ADR-004 geamendeerd). Demotie via TeamManager; allow-list-leden demoteer je door ze van de lijst te halen.Uitgerold via migratie
1781000003(Labs) + basis-migratie en setup-script gespiegeld; UI-toelichting bijgewerkt.Verificatie (mock-OIDC met twee identiteiten, PocketBase v0.30.4) — 11/11
role→admingeblokkeerd; onboarding-self-update werktRegressie: #22-matrix 9/9, #24-matrix 8/8, #18-harness 15/15,
npm test112/112, eslint schoon.Stapeling: bouwt op de #26-branch (die op #25). Deze PR mergen brengt álles binnen (#24/#26/#27); #25 en de #26-PR worden dan leeg en kunnen dicht.
🤖 Generated with Claude Code
TeamManager could not manage the roster: updateRule allowed self-update only and deleteRule was superuser-only. The same self-update rule also left a privilege escalation open — it did not restrict fields, so any authenticated user could PATCH their own role to "admin". - team_members rules (migration 1781000003 + base migration + setup script mirror): update: (@request.auth.id = id && @request.body.role:isset = false) || @request.auth.role = "admin" delete: @request.auth.role = "admin" Self-service onboarding keeps working (it never touches role); the role field is admin-only; deletion is admin-only. - pb_hooks/team_members.pb.js: the ENTRA_ADMIN_EMAILS resync is now escalate-only — it guarantees admin for allow-list members on every login but no longer demotes, otherwise every TeamManager promotion would revert on the member's next sign-in (ADR-004 amended). - TeamManager.jsx: info text updated to the new behaviour. Verified with a two-identity mock-OIDC matrix (11/11): allow-list vs regular login, self-escalation blocked while onboarding self-update still works, cross-user update/delete blocked, admin promote/demote/ delete work, promotion survives the member's next login, allow-list admin stays admin. Regression: #22 matrix 9/9, #24 matrix 8/8, #18 harness 15/15, npm test 112/112, eslint clean. Closes #27 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>