some little changes

VladKravchenko05082000 · VladKravchenko05082000 · commit 550a053e5b80 · 2026-05-20T02:29:36.000+02:00
diff --git a/NOTES.md b/NOTES.md
@@ -29,8 +29,6 @@ These are decisions I'd make the same way again, but they deserve explicit menti
 
 - **`GET /users/{user_id}` keeps inline conditional logic.** Its rule ("own profile always allowed, others admin-only") depends on a path parameter, which dependency-based checks can't see cleanly. The check lives in the route body. A policy layer would normalize this; see above.
 
-- **Permission module duplicates role names between backend and frontend.** `UserRole` is declared in both `backend/app/models.py` and `frontend/src/lib/auth/permissions.ts`. The frontend's `Action`-to-roles `POLICY` table also independently mirrors the backend's `require_role(...)` calls. This is a deliberate duplication: a single source of truth would require either generating the frontend module from OpenAPI metadata or a shared package, both of which are heavier than the problem warrants for a 3-role matrix. The trade-off is a code review checklist: when a role or rule changes, two files must be updated.
-
 - **Route guards (`beforeLoad`) re-fetch `/users/me`.** Each protected route makes its own call to `/users/me` rather than reading from a shared cache. React Query would normally dedupe this, but `beforeLoad` runs outside the React tree. The cost is a few extra GET requests on navigation; the alternative (a shared cached client) was more plumbing than the time budget allowed.
 
 ## What I'd Do With More Time
diff --git a/frontend/src/lib/auth/permissions.ts b/frontend/src/lib/auth/permissions.ts
@@ -30,3 +30,5 @@ export const can = (
   if (!user?.role) return false;
   return POLICY[action].includes(user.role as UserRole);
 };
+
+export const ADMIN_AREA_ROLES: UserRole[] = [UserRole.ADMIN, UserRole.MANAGER];
diff --git a/frontend/src/routes/_layout/admin.tsx b/frontend/src/routes/_layout/admin.tsx
@@ -2,7 +2,7 @@ import { useSuspenseQuery } from "@tanstack/react-query";
 import { createFileRoute, redirect } from "@tanstack/react-router";
 import { Suspense } from "react";
 
-import { can } from "@/lib/auth/permissions";
+import { can, ADMIN_AREA_ROLES } from "@/lib/auth/permissions";
 
 import { type UserPublic, UsersService } from "@/client";
 import AddUser from "@/components/Admin/AddUser";
@@ -23,7 +23,7 @@ export const Route = createFileRoute("/_layout/admin")({
   beforeLoad: async () => {
     const user = await UsersService.readUserMe();
 
-    if (!user.role || !["admin", "manager"].includes(user.role)) {
+    if (!user.role || !ADMIN_AREA_ROLES.includes(user.role)) {
       throw redirect({ to: "/forbidden" });
     }
   },
diff --git a/frontend/src/routes/_layout/metrics.tsx b/frontend/src/routes/_layout/metrics.tsx
@@ -5,11 +5,13 @@ import { Activity, Users, UserCheck } from "lucide-react";
 
 import { MetricsService, UsersService } from "@/client";
 
+import { ADMIN_AREA_ROLES } from "@/lib/auth/permissions";
+
 export const Route = createFileRoute("/_layout/metrics")({
   component: MetricsPage,
   beforeLoad: async () => {
     const user = await UsersService.readUserMe();
-    if (!user.role || !["admin", "manager"].includes(user.role)) {
+    if (!user.role || !ADMIN_AREA_ROLES.includes(user.role)) {
       throw redirect({ to: "/forbidden" });
     }
   },
