Omnibus v1.1.0-beta.039
v1.1.0-beta.039 - feat(permissions): request gate, per-library access, themed tiers, default-access
🛡️ Per-library access control
- library-access chokepoint enforced across every read surface (library/{route,series,issue,recent,check,ids}, discover, calendar, recommendations, reader/image, opds/, reading-lists/) — non-admins see only granted libraries (fresh DB lookup, not JWT)
- New UserLibraryAccess grants; admin/users gains per-library checkboxes; new admin/libraries route backs the picker
- reader/image hardened against path traversal via shared isPathWithinRoots() (utils/paths)
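The containment check named in the reader/image item above, sketched as an added example in TypeScript. This is not the Omnibus implementation, which these notes do not show: only the name isPathWithinRoots() comes from the notes, and the function body, library roots and sample paths are constructed assumptions.

```typescript
import * as path from "node:path";

// POSIX semantics so the constructed sample paths behave the same on any host.
const p = path.posix;

// Hypothetical re-implementation for illustration (body is an assumption).
// Returns true only when `candidate` resolves to a root or to something below one.
function isPathWithinRoots(candidate: string, roots: string[]): boolean {
  // A NUL byte never belongs in a file path; refuse it before any resolution.
  if (candidate.includes("\0")) return false;

  // resolve() collapses "." and ".." segments, so "/root/a/../../x" becomes "/x".
  const resolved = p.resolve(candidate);

  return roots.some((root) => {
    // Compare by path segments, not by string prefix: a startsWith() test on
    // the raw string would accept "/data/comics-private" for root "/data/comics".
    const rel = p.relative(p.resolve(root), resolved);
    if (rel === "") return true; // the root directory itself
    // Outside the root when the relative path has to climb upward.
    // A file literally named "..hidden" is still inside, so test whole segments.
    return rel !== ".." && !rel.startsWith("../");
  });
}

// Constructed library roots (assumption, not the project's configuration).
const ROOTS = ["/data/comics", "/data/manga"];

// Hypothetical helper: map a user-supplied relative page path onto a library
// root and return the absolute path, or null when it would leave every root.
function resolveRequestedFile(libraryRoot: string, requested: string): string | null {
  const joined = p.resolve(libraryRoot, requested);
  return isPathWithinRoots(joined, ROOTS) ? joined : null;
}

// This check is purely lexical. If symlinks can exist under a library root,
// resolve the candidate with fs.realpath() first and test the result instead.
```

A caller that gets `null` back should answer with an error before opening any file.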
🦸 Themed tiers + request gate
- canRequest gate on request/route, request/manual, reading-lists import/fallback — Civilian → 403, admins bypass
- Tiers (Civilian/Sidekick/Vigilante/Hero) via tier-badge in admin/users, site-header, profile; Apply-Tier + per-library grants in users admin
- Auth seeding: register + SSO users get default-library access + canRequest; flows through JWT/session (next-auth.d.ts)
🔓 Per-library default access
- Library.defaultAccess "Auto-grant to all users" toggle in Settings; admin/config grants newly-default libraries to all users on false→true
- db-init one-time sentinel-guarded backfills: canRequest for existing users, all-library access for existing users, Comics flagged default-access
🔧 SQLite adaptation
- Replaced createMany skipDuplicates (Postgres-only) with existing-pair filtering in the default-access grant + library backfill
✅ Verification
- tsc --noEmit clean; vitest 210/210 across 63 files (8 permission suites updated)