v0.1.11 - Editor

2026-06-03 00:17:12 +12:00
parent f5a588d631
commit cf968e802b
23 changed files with 2165 additions and 655 deletions
@@ -190,6 +190,12 @@ def require_client_access_manager_session(
 ) -> AuthSession:
    if session.role == "admin":
        return session
+    if session.role == "internal":
+        permissions = session.module_permissions or {}
+        if not has_access_level(permissions.get("client_access"), "manage"):
+            log_security_event("authz.denied", role=session.role, module="client_access", access_level="manage")
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access management requires Lean access")
+        return session
    if session.role != "client":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access management requires admin or superadmin access")