fix(calendar): create/update/delete via /appointments, role-gate users fetch #66

Merged
YousifShkara merged 1 commit from fix/calendar-appointment-crud-paths-and-role-gate-users-fetch into main 2026-06-05 10:09:35 +02:00
Owner

After PR #65 fixed the GET range and users path, two more errors surfaced on the calendar page.

POST /api/v1/calendar/appointments returned 405. The mokosh-server route table only registers GET on /calendar/appointments (the range alias), with create/update/delete intentionally living on /appointments instead (src/modules/calendar/routes.rs:36-51 comment: "Read-only - mutations stay on /appointments"). The SPA was POSTing/PUTting/DELETing to /calendar/appointments[/{id}]. Switch all three mutation paths to /appointments[/{id}] to match the server's API split.

GET /api/v1/auth/users?per_page=100 returned 403 for non-admin sessions. The endpoint is gated to Admin / Manager (src/modules/auth/routes.rs::list_users); Bunyip-OIDC users are JIT-provisioned as Technicians (modules/auth/middleware.rs:459, UserRole::default()), so they cannot list users. The SPA already swallowed the error via unwrap_or_default(), but the browser logged it on every page load. Guard the fetch with user.role.can_manage_users() so technicians skip the call entirely; the assignee dropdown stays empty and the user can only self-assign, which is what their role allows server-side anyway.

fix(calendar): create/update/delete via /appointments, role-gate users fetch
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / clippy + fmt + tests (pull_request) Successful in 41s
8b1cf531ac
After PR #65 fixed the GET range and users path, two more errors surfaced on the calendar page.

`POST /api/v1/calendar/appointments` returned 405. The mokosh-server route table only registers GET on `/calendar/appointments` (the range alias), with create/update/delete intentionally living on `/appointments` instead (`src/modules/calendar/routes.rs:36-51` comment: "Read-only - mutations stay on `/appointments`"). The SPA was POSTing/PUTting/DELETing to `/calendar/appointments[/{id}]`. Switch all three mutation paths to `/appointments[/{id}]` to match the server's API split.

`GET /api/v1/auth/users?per_page=100` returned 403 for non-admin sessions. The endpoint is gated to Admin / Manager (`src/modules/auth/routes.rs::list_users`); Bunyip-OIDC users are JIT-provisioned as Technicians (`modules/auth/middleware.rs:459`, `UserRole::default()`), so they cannot list users. The SPA already swallowed the error via `unwrap_or_default()`, but the browser logged it on every page load. Guard the fetch with `user.role.can_manage_users()` so technicians skip the call entirely; the assignee dropdown stays empty and the user can only self-assign, which is what their role allows server-side anyway.
YousifShkara deleted branch fix/calendar-appointment-crud-paths-and-role-gate-users-fetch 2026-06-05 10:09:35 +02:00
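The role gate and route split described in this PR, as an added Rust sketch that is not code from mokosh-server or the SPA. The `can_manage_users()` body, the 200/404 status codes, and the helper names `server_status`, `fetch_users` and `mutation_path` are assumptions. It shows that the client guard only avoids sending a request, while the server's own check still answers 403 when the endpoint is called directly.

```rust
// Added illustration: a constructed model, not code from mokosh-server or the SPA.
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub enum UserRole {
    Admin,
    Manager,
    #[default]
    Technician, // per the PR text, JIT-provisioned OIDC users get the default role
}

impl UserRole {
    // Assumed body: the PR text only says the endpoint is gated to Admin / Manager.
    pub fn can_manage_users(self) -> bool {
        matches!(self, UserRole::Admin | UserRole::Manager)
    }
}

/// Hypothetical server model: status for (method, path, role); `/api/v1` prefix omitted.
pub fn server_status(method: &str, path: &str, role: UserRole) -> u16 {
    let item = path.strip_prefix("/appointments/").map_or(false, |id| !id.is_empty());
    match (method, path) {
        ("GET", "/calendar/appointments") => 200, // read-only range alias
        (_, "/calendar/appointments") => 405,     // no mutation handlers registered here
        ("POST", "/appointments") => 200,
        ("PUT", _) | ("DELETE", _) if item => 200,
        ("GET", "/auth/users") if role.can_manage_users() => 200,
        ("GET", "/auth/users") => 403, // authoritative check, independent of the client
        _ => 404,
    }
}

/// Client guard as the PR describes it; None means no request was sent.
pub fn fetch_users(role: UserRole) -> Option<u16> {
    if !role.can_manage_users() {
        return None; // skipped: nothing for the browser to log
    }
    Some(server_status("GET", "/auth/users", role))
}

/// Mutation path after the fix: `/appointments` or `/appointments/{id}`.
pub fn mutation_path(id: Option<u64>) -> String {
    id.map_or("/appointments".to_string(), |id| format!("/appointments/{id}"))
}

fn main() {
    let tech = UserRole::default();
    println!("guarded fetch: {:?}", fetch_users(tech));
    println!("direct GET /auth/users: {}", server_status("GET", "/auth/users", tech));
    println!("POST old path: {}", server_status("POST", "/calendar/appointments", tech));
}
```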
Reference
psa-systems/mokosh-apps!66