feat(newTour): check user privileges before role-based fallback #215

Merged: JoshuaVSherman merged 1 commit into dev from feat-admin-user-management on May 23, 2026
Conversation

@JoshuaVSherman
Contributor

Summary

  • Migrates the SCS newTour handler to check user.privileges.includes('tour:create') first, with a fallback to the existing userRoles-based check when privileges is empty.
  • Extracted the auth check into utils.assertCanCreateTour to keep newTour under the cognitive-complexity ceiling.
  • Companion to web-jam-back PR #758 — that PR adds the privileges field on User and the admin routes that populate it.

Backward compatibility

  • Existing users have no privileges set; they continue authorizing via userType exactly as before.
  • Only users created via the new JaMmusic admin UI will have populated privileges arrays.
  • Other SCS handlers (editTour, removeTour, etc.) are unchanged — they still gate purely on userType. Future PRs migrate them as needed.

Test plan

  • Lint clean (npm run test:lint)
  • Typecheck clean (npm run typecheck)
  • 68 unit tests pass (npm run test:unit), including two new tests for the capability-allowed and capability-missing paths
  • Companion web-jam-back PR #758 merged
  • End-to-end smoke: create an AI-agent user with privileges: ['tour:create'], mint a token, transmit newTour, confirm gig is created

🤖 Generated with Claude Code

The newTour handler now checks `user.privileges.includes('tour:create')`
when the user has a non-empty privileges array, and falls back to the
existing `userRoles`-based check when privileges is empty.

- Existing users (no privileges set) keep authorizing via userType — no
  behavior change for any current human user.
- New admin-managed users (created via the forthcoming JaMmusic admin UI)
  authorize via per-user privileges.
- Extracted the auth check into `utils.assertCanCreateTour` to keep
  newTour under the cognitive-complexity ceiling.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
JoshuaVSherman marked this pull request as ready for review May 23, 2026 09:39
JoshuaVSherman merged commit 5512d99 into dev May 23, 2026
2 checks passed
JoshuaVSherman deleted the feat-admin-user-management branch May 23, 2026 09:41
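
The privilege-first check with role fallback described in this PR, as an added sketch that is not the project's code. Only the name `assertCanCreateTour` and the `tour:create` string come from the page; the signature, the `canCreateTour` helper, the user shape and the role names are assumptions. It also rejects a non-array `privileges` value, because `.includes()` on a string is a substring match.

```javascript
// Added sketch, not the project's implementation. Signature, user shape and
// the contents of userRoles are assumptions made for illustration.
const TOUR_CREATE = 'tour:create';

// Returns { allowed, via } so callers and audit logs can see which path decided.
function canCreateTour(user, userRoles) {
  if (!user || typeof user !== 'object') return { allowed: false, via: 'no-user' };

  const raw = user.privileges;
  // undefined/null means "no privileges set" (a legacy user).
  if (raw !== undefined && raw !== null) {
    // A string here would turn .includes() into a substring match
    // ('tour:create-draft' would pass), so anything but string[] is denied.
    if (!Array.isArray(raw) || !raw.every((p) => typeof p === 'string')) {
      return { allowed: false, via: 'malformed-privileges' };
    }
    if (raw.length > 0) {
      // Non-empty privileges are authoritative: no fallback to userType.
      return { allowed: raw.includes(TOUR_CREATE), via: 'privileges' };
    }
  }

  // Empty or absent privileges: legacy role-based check on userType.
  const roles = Array.isArray(userRoles) ? userRoles : [];
  const allowed = typeof user.userType === 'string' && roles.includes(user.userType);
  return { allowed, via: 'role-fallback' };
}

// Throwing wrapper, so a handler can call it once and stay small.
function assertCanCreateTour(user, userRoles) {
  const decision = canCreateTour(user, userRoles);
  if (!decision.allowed) {
    const err = new Error('not authorized to create tour');
    err.via = decision.via; // which branch denied, for logging
    throw err;
  }
  return decision;
}
```

Returning the deciding path (`via`) makes it possible to log how many requests still authorize through the role fallback.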