navbar admin dash access for all roles that need it

[KoZsombat]

Summary by CodeRabbit

• Improvements
  • Admin interface access control now uses a permissions-based system for more granular and flexible authorization management.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2d6e5de0-ad7d-4333-8ce9-0020efaf7264

📥 Commits

Reviewing files that changed from the base of the PR and between 1960369 and 96c05a6.

📒 Files selected for processing (4)

• apps/iris/src/components/navbar.tsx
• apps/iris/src/components/util/permission-guard.tsx
• apps/iris/src/hooks/use-has-permission.ts
• apps/iris/src/routes/_private/admin/route.tsx

---

📝 Walkthrough

Walkthrough

The PR migrates admin UI access control from role-based to permission-based logic. A new useHasPermission hook is expanded to support both single and array permission checks, with ADMIN_UI_PERMISSIONS defining required admin permissions. PermissionGuard is updated to use the hook. Navbar passes user permissions instead of roles and checks admin access via the hook. The admin route replaces inline role checks with PermissionGuard wrapper.

Changes

Admin UI permissions migration

Layer / File(s)	Summary
Permission utility foundation with array support apps/iris/src/hooks/use-has-permission.ts	ADMIN_UI_PERMISSIONS constant is introduced. useHasPermission hook signature broadens to accept string | readonly string[], and array inputs grant permission if any element matches the user's permissions list.
PermissionGuard component update apps/iris/src/components/util/permission-guard.tsx	PermissionGuard now uses useHasPermission hook to evaluate authorization. The permission prop accepts string | readonly string[]. Unauthorized redirect now uses hook-derived !hasPermission boolean instead of inline permission checks.
Navbar admin visibility with permissions apps/iris/src/components/navbar.tsx	Navbar passes data.user.permissions instead of roles to NavLinks. NavLinks computes canSeeAdminUi via useHasPermission(ADMIN_UI_PERMISSIONS, userPermissions) and conditionally renders the Admin dashboard button based on the result.
Admin route access control with PermissionGuard apps/iris/src/routes/_private/admin/route.tsx	Admin layout route wraps its UI in PermissionGuard permission={ADMIN_UI_PERMISSIONS} instead of performing inline session-based role checks. Auth and navigation imports are replaced with PermissionGuard and ADMIN_UI_PERMISSIONS imports.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title references making admin dashboard access available to 'all roles that need it', but the actual changes migrate from a role-based to permission-based authorization system using the new useHasPermission hook and ADMIN_UI_PERMISSIONS constant.	Consider revising the title to reflect the core change: migrating admin dashboard authorization from role-based to permission-based access control (e.g., 'Migrate admin dashboard access from role-based to permission-based authorization').

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/iris/src/utils/admin-access.ts`:
- Around line 1-27: The new ADMIN_UI_PERMISSIONS constant and canAccessAdminUi
function duplicate existing permission logic; remove them and fold their
behaviour into the existing permission abstraction by extending the
hook/use-has-permission.ts (or the existing guard components) so callers can
check admin-ui access via the central API instead of a separate helper.
Specifically: move ADMIN_UI_PERMISSIONS into the permission module and add a
helper or overload in useHasPermission (or export a hasAnyPermission variant)
that accepts this permission list and respects wildcard '*' checks, update any
components that call canAccessAdminUi to use the extended
useHasPermission/guard, and delete the canAccessAdminUi helper to avoid parallel
logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1f73726d-6512-44b2-8ae5-70053342a7eb

📥 Commits

Reviewing files that changed from the base of the PR and between 6f4248d and 1960369.

📒 Files selected for processing (3)

• apps/iris/src/components/navbar.tsx
• apps/iris/src/routes/_private/admin/route.tsx
• apps/iris/src/utils/admin-access.ts