janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

M12 / ST-1110: Demo gebruiker read-only (#17)

Browse source 
* feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes

* feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing

- proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel)
- pair/start: isDemo-check via cookies() guard
- pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie

* feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip

Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}>
<Button disabled={isDemo}> so demo visitors see app capabilities.
Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog,
token-manager, product-list, activate-product-button, leave-product-button,
settings page.

* test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/*

* docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan
This commit is contained in:
Janpeter Visser 2026-04-29 18:44:14 +02:00 committed by GitHub
parent 8a9fb9d32b
commit 1cb5772edd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 413 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

5
app/api/auth/pair/claim/route.ts
View file

@ -80,6 +80,11 @@ export async function POST(request: Request) {
return Response.json({ error: 'Pairing zonder user' }, { status: 500 })
}
if (pairing.user?.is_demo) {
await clearPairCookie()
return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
}
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
session.userId = pairing.user_id
session.isDemo = pairing.user?.is_demo ?? false