Skip to content

feat(auth): restrict financial routes to GERENTE role (US00)#57

Merged
EmiyaKiritsugu3 merged 7 commits into
mainfrom
002-us00-financial-role-access
Apr 9, 2026
Merged

feat(auth): restrict financial routes to GERENTE role (US00)#57
EmiyaKiritsugu3 merged 7 commits into
mainfrom
002-us00-financial-role-access

Conversation

@EmiyaKiritsugu3

@EmiyaKiritsugu3 EmiyaKiritsugu3 commented Apr 9, 2026

Copy link
Copy Markdown
Owner

Description

Implements US00: restricts /dashboard/financeiro and /dashboard/planos to GERENTE role only via 3-layer enforcement (middleware + nav + page guards). Also fixes Portal do Aluno login being inaccessible due to middleware blocking /aluno/login for unauthenticated users.

Type of Change

  • feat — New feature
  • fix — Bug fix
  • refactor — Code refactor (no behavior change)
  • test — Tests only
  • docs — Documentation only
  • chore — Build, config, tooling
  • ci — CI/CD pipeline
  • perf — Performance improvement

Related Documents

  • User Story: specs/003-002-us00-financial/spec.md
  • Plan: specs/003-002-us00-financial/plan.md
  • Tasks: specs/003-002-us00-financial/tasks.md

Checklist

  • npm run typecheck — zero errors
  • npm run lint — zero errors
  • npm run format:check — no formatting issues
  • npm run test:coverage — all tests pass (5 new unit tests for requireRole)
  • Database migrations created if schema changed (npx prisma migrate dev) — N/A (no schema changes)
  • Documentation updated if applicable — CHANGELOG.md updated

Layers of Enforcement (US00)

  1. Middleware — redirects non-GERENTE to /dashboard before page renders
  2. Nav — hides Financeiro/Planos links for non-GERENTE users
  3. Page Server ComponentsrequireRole(Role.GERENTE) as secondary guard before any Prisma query

Test Plan

  • Log in as GERENTE → /dashboard/financeiro and /dashboard/planos render normally
  • Log in as RECEPCIONISTA → both routes redirect to /dashboard
  • Log in as INSTRUTOR → both routes redirect to /dashboard
  • RECEPCIONISTA/INSTRUTOR sidebar shows no Financeiro or Planos links
  • Unauthenticated user → "Acessar Portal do Aluno" navigates to /aluno/login (bug fix verification)

🤖 Generated with Claude Code

EmiyaKiritsugu3 and others added 6 commits April 9, 2026 09:59
- Add requireRole() helper in src/lib/auth.ts with 5 unit tests (TDD)
- Add FINANCIAL_ROUTES constant in src/lib/constants.ts (single source of truth)
- Block RECEPCIONISTA/INSTRUTOR from /dashboard/financeiro and /dashboard/planos
- Update DashboardLayout to fetch role and pass to DashboardNav
- Hide financial nav items for non-GERENTE users in DashboardNav
- Add server-side requireRole(Role.GERENTE) guard to financeiro and planos pages
- Add GERENTE and RECEPCIONISTA funcionarios to prisma/seed.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vercel

vercel Bot commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
smartmanagementsystem Ready Ready Preview, Comment Apr 9, 2026 7:21pm

@coderabbitai

coderabbitai Bot commented Apr 9, 2026

Copy link
Copy Markdown

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR strengthens TypeScript type safety across server actions and data fetchers by removing unsafe any types, fixes Genkit streaming type casting, eliminates redundant state synchronization patterns in React components using useEffect, optimizes state initialization with lazy evaluation, and updates E2E test payloads to match schema changes.

Changes

Cohort / File(s) Summary
Type Safety & Server Actions
src/lib/actions/alunos.ts, src/lib/actions/treinos.ts
Strengthened parameter types by replacing any with explicit types (Partial<AlunoBase>, TreinoBase, etc.), standardized error handling using instanceof Error, and simplified Zod error responses to generic messages instead of detailed field errors.
Data Fetchers & Return Types
src/lib/data.ts
Updated getTreinos return type from Promise<any[]> to Promise<Treino[]>, removed explicit any casting in mapping callbacks, and added typed RawFaturamento for SQL view results.
Client State Optimization
src/app/aluno/dashboard/dashboard-client.tsx, src/app/aluno/dashboard/page.tsx
Removed local state synchronization in useEffect by replacing initialAluno prop with direct aluno prop usage, eliminating redundant re-render loops.
Workout Session State
src/components/WorkoutSession.tsx
Refactored state initialization to use lazy evaluation (initExercicios helper) for exerciciosEmSessao and direct initialization for startTime, removed effect-based state updates dependent on prop changes.
Treino Management & Router Integration
src/app/aluno/meus-treinos/meus-treinos-client.tsx
Removed useEffect synchronization of local state, added router.refresh() for new workout creation, changed instrutorId to pass undefined instead of null, and updated state merging logic for edits.
Genkit Streaming Type Casting
src/app/dashboard/treinos/treinos-client.tsx
Replaced unsafe any casts with explicit WorkoutGeneratorOutput type casting for stream chunks from Genkit streaming invocation.
Test & Documentation
scripts/test-e2e.ts, CHANGELOG.md, docs/reports/2026-04-09-session-report.md
Updated E2E test payload to include cpf field and replace genero with statusMatricula, added changelog entry documenting fixes, and created session report documenting completed work and quality gates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops of joy for types so strong,
No more any's lingering along!
States simplified, effects undone,
Lazy loading shines in the sun.
Schema updates make tests align—
Code health thriving, everything fine!

🚥 Pre-merge checks | ❌ 3

❌ Failed checks (3 warnings)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title describes restricting financial routes to GERENTE role (US00), but the raw_summary shows changes focused on removing synchronous setState, improving TypeScript typing, and updating test payloads—no authentication or role-based access control changes are present. The PR title does not match the actual changes. Update the title to reflect the actual changes (e.g., 'fix: remove synchronous setState and strengthen TypeScript typing').
Description check ⚠️ Warning The PR description describes role-based access control features (requireRole helper, middleware blocks, sidebar hiding), but these are not reflected in the raw_summary, which shows fixes for state management, typing, and schema updates instead. The description does not match the actual changeset. Update it to accurately reflect the fixes documented in CHANGELOG.md and the session report.
Docstring Coverage ⚠️ Warning Docstring coverage is 5.56% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 002-us00-financial-role-access

Comment @coderabbitai help to get the list of available commands and usage tips.

Fixes defu prototype pollution (GHSA-737v-mqg7-c878) and
Vite path traversal issues (GHSA-4w7w-66w2-5vf9, GHSA-v2wj-q39q-566r,
GHSA-p9ff-h696-f583). Remaining 3 moderate vulnerabilities in
@hono/node-server require a Prisma breaking change and are out of scope.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant