Scrum4Me

janpeter/Scrum4Me

Fork 0

Commit graph

Author	SHA1	Message	Date
Madhura68	a1d1f99216	proxy: add /ideas to protectedRoutes; verify demo-guard for /api/ideas (M12 T-501) - proxy.ts: /ideas added to protectedRoutes — unauthenticated users get redirected to /login when navigating to /ideas or /ideas/[id] - existing demo-guard catch-all (\`/api/* + non-GET\`) already blocks POST/PATCH/DELETE /api/ideas* with 403 — confirmed via 3 new tests - server-action endpoints (start-grill / start-make-plan / materialize / promote-to-idea) carry their own \`session.isDemo\` checks inside actions/ideas.ts and actions/todos.ts (defense in depth) Tests: 9/9 in proxy demo-guard suite (added 3 idea cases). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 19:56:41 +02:00
Janpeter Visser	1cb5772edd	M12 / ST-1110: Demo gebruiker read-only (#17 ) * feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes * feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing - proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel) - pair/start: isDemo-check via cookies() guard - pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie * feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}> <Button disabled={isDemo}> so demo visitors see app capabilities. Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog, token-manager, product-list, activate-product-button, leave-product-button, settings page. * test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/* * docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan	2026-04-29 18:44:14 +02:00

Author

SHA1

Message

Date

Madhura68

a1d1f99216

proxy: add /ideas to protectedRoutes; verify demo-guard for /api/ideas (M12 T-501)

- proxy.ts: /ideas added to protectedRoutes — unauthenticated users get
  redirected to /login when navigating to /ideas or /ideas/[id]
- existing demo-guard catch-all (\`/api/* + non-GET\`) already blocks
  POST/PATCH/DELETE /api/ideas* with 403 — confirmed via 3 new tests
- server-action endpoints (start-grill / start-make-plan / materialize /
  promote-to-idea) carry their own \`session.isDemo\` checks inside
  actions/ideas.ts and actions/todos.ts (defense in depth)

Tests: 9/9 in proxy demo-guard suite (added 3 idea cases).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-04 19:56:41 +02:00

Janpeter Visser

1cb5772edd

M12 / ST-1110: Demo gebruiker read-only (#17 )

* feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes

* feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing

- proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel)
- pair/start: isDemo-check via cookies() guard
- pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie

* feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip

Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}>
<Button disabled={isDemo}> so demo visitors see app capabilities.
Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog,
token-manager, product-list, activate-product-button, leave-product-button,
settings page.

* test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/*

* docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan

2026-04-29 18:44:14 +02:00

2 commits