feat(rbac): enforce permissions on every café write endpoint

Closes the gap where the custom-role matrix was defined but unenforced — most write endpoints only checked café membership, so the API would accept writes a role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints across 32 controllers, mapped to the granular catalog: - menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms - tables/queue/kitchen-stations/print-settings → manage perms - orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments, payment corrections → ManageFinancials - HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries / ManageStaffCredentials (self-service clock-in/leave preserved) - reports → ViewReports, export → ExportReports, audit → ViewAuditLog - billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews, discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings, custom roles → ManageRoles Removes legacy [Authorize(Roles=...)] attributes that would have overridden the permission model (orders, branch-menu, pos-device, print). Manual discount/comp have no backend endpoint yet (discounts come from coupons) — gated on the POS UI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 05:43:07 +03:30
parent 236013f53c
commit 7a5ea75b50
32 changed files with 162 additions and 77 deletions
@@ -42,7 +42,7 @@ public class AuditController : CafeApiControllerBase
        [FromQuery] int pageSize = 50)
    {
        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
-        if (EnsurePermission(tenant, Permission.ViewReports) is { } forbidden) return forbidden;
+        if (EnsurePermission(tenant, Permission.ViewAuditLog) is { } forbidden) return forbidden;

        if (page < 1) page = 1;
        if (pageSize < 1) pageSize = 50;