Skip to content

feat: refactor role-based gating to database-driven CASL permissions & fix score-sheet layout access#90

Merged
Mananwebdev160408 merged 57 commits into
mainfrom
manan
Jun 16, 2026
Merged

feat: refactor role-based gating to database-driven CASL permissions & fix score-sheet layout access#90
Mananwebdev160408 merged 57 commits into
mainfrom
manan

Conversation

@Mananwebdev160408

Copy link
Copy Markdown
Contributor

1. Summary of Contribution

This contribution performs a comprehensive auditing and refactoring of frontend features that used legacy/hardcoded role checks (user.role === '...', isStudent, isAdmin) to use database-driven CASL permissions via ability.can(). This aligns client-side authorization directly with the database-seeded roles and permissions.

Key Refactorings & Fixes:

  1. Score Sheet (CGPA Calculator) layout & Sidebar: Resolved the bug where the /score-sheet layout whitelisted ['college_admin', 'faculty'] but redirected non-students to /dashboard. Refactored layout, sidebar, and page gating to use read/create permissions on CgpaEntry, making the CGPA calculator accessible to students.
  2. Timetable / Academic Schedule: Gated auto-generation, scheduling, and extra class options using create/update/delete permissions on Timetable. Updated seed-permissions.ts to grant the faculty role write permissions on Timetable, allowing them to successfully schedule extra classes.
  3. Dining (Canteen): Updated manager canteen view gating to check manage:NightCanteenItem (seeded for faculty) or manage:all, resolving access permissions for dining management.
  4. Academics & Directory: Refactored Course List, Course Roster, Rooms, Faculty Bio, User Directories, Departments, and Examinations to gate actions dynamically on their respective CASL subjects (Course, Enrollment, Grade, Room, FacultyBio, User, Department, Examination).
  5. Finance: Refactored admin fee operations and main page views to gate on FeeRecord CASL capabilities.

2. Type of Contribution

Please select the type of contribution by marking with an [x]:

  • Bug Fix (non-breaking change which fixes an issue)
  • New Feature (non-breaking change which adds functional capability)
  • Refactoring (optimizing existing code without change in behavior)
  • Documentation (updates to README.md, setup.md, architecture.md, etc.)
  • Security (fixing a vulnerability or patching a dependency)

3. Verification Checklist

Please verify that your contribution meets the repository guidelines:

  • Verified that the code complies with repository guidelines and does not introduce prohibited modules or unused code.
  • The code passes all linting (pnpm run lint or turbo run lint) and builds successfully.
  • New Zod validation schemas have been added to the shared/ directory for any new data inputs.
  • New API endpoints are correctly guarded using NestJS Role-Based Access Control (RBAC) or CASL guards.
  • Every component is type-safe and avoids the use of any.
  • Added or updated relevant documentation in the docs/ or apps/docs/ directories.

4. Performance & Impact

  • Client Bundles: No new third-party libraries were added. CASL integration leverages existing modules, keeping bundle size footprint minimal.
  • Query Resolution: Backend changes are limited to permission seeds, preserving existing Prisma query performance.
  • Data Integrity: Maintains database relational consistency by preserving standard CASL subject associations.

5. Additional Context and Documentation

  • Timetable Extra Class fix: Scheduling extra classes now successfully goes through the backend with the new faculty permission seed.
  • Next.js Production Build: Verified successful static analysis and page generation with pnpm --filter pec-frontend build.

…ror handling, and update faculty detail view
…tching logic, and enhance score sheet layout
…heets, faculty details, and 3D campus mapping
… associated services, controllers, and UI pages
- Created `auth.contract.d.ts` and `auth.contract.js` to define API contracts for login and signup.
- Added Zod schemas for request and response validation in `erp.js`.
- Introduced `index.d.ts` and `index.js` to export the authentication contract.
- Implemented shared types for user roles and dashboard statistics in `types/index.d.ts` and `types/index.js`.
- Configured TypeScript settings in `tsconfig.json` for the shared directory.
…esolution, layout providers, and state management hooks.
- Created manifest.json to track cached files.
- Added meta.json for build metadata including hash and duration.
- Included tar.zst file containing compressed build output.
- Implemented AcademicCalendarModule with service and controller.
- Created CreateAcademicCalendarEventDto and UpdateAcademicCalendarEventDto for event creation and updates.
- Added ParsePdfDto for handling PDF uploads.
- Developed service methods for CRUD operations on academic calendar events.
- Introduced admin interface for managing academic calendar events, including PDF upload and event review.
- Implemented InteractiveCalendar component for displaying events with filtering options.
- Added EventDetailModal for viewing and editing event details.
- Created utility functions for event categorization and labeling.
- Updated event colors in calendar-utils.ts for better visibility and consistency.
- Enhanced Sidebar component to allow dynamic resizing, saving the width in local storage.
- Introduced new server scripts for database exploration and checking academic calendar events.
- Added seeding script for academic calendar with detailed events for the academic year.
- Created temporary check_db script for quick database checks.
…ents

- Added a button to create events directly from the Daily Brief section.
- Updated the calendar header and filters for better accessibility and usability.
- Improved styling for calendar events and filters, including color adjustments.
- Enhanced the event display with additional information and improved layout.
- Refactored event color utilities for consistency and better readability.
Mananwebdev160408 and others added 27 commits April 3, 2026 23:06
…nd Docker infrastructure for improved server-side state management
… for student grades, attendance, and scheduling.
…ement features and add supporting pages for examinations, noticeboard, and hostel issues.
# Conflicts:
#	apps/frontend/src/app/(protected)/admin/academic-calendar/page.tsx
#	apps/frontend/src/app/(protected)/admin/canteen/page.tsx
#	apps/frontend/src/app/(protected)/admin/hostel/page.tsx
#	apps/frontend/src/app/(protected)/hostel-issues/page.tsx
#	packages/api/src/axios-instance.ts
export default function FinancePage() {
const { permissions, loading: permLoading } = usePermissions();
const _isAdmin = (permissions as any)?.isAdmin || (permissions as any)?.role === 'college_admin';
const { user, loading: authLoading, ability } = useAuth();
const canScheduleExtraClass = userRole === "faculty";
const { user, loading: authLoading, ability } = useAuth();
const isFaculty = user?.role === "faculty";
const isCollegeAdmin = user?.role === "college_admin";
@Mananwebdev160408 Mananwebdev160408 merged commit efd6ba3 into main Jun 16, 2026
5 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants