feat(api): add read:inventory and write:inventory scopes for inventory-only access

- New scopes read:inventory and write:inventory; existing read/write:projects
  still grant same inventory access for backward compatibility
- require_api_token() accepts tuple of scopes (any one required); inventory
  endpoints accept (read:inventory | read:projects) and (write:inventory | write:projects)
- ApiTokenService: add new scopes to allowed list; document in API_TOKEN_SCOPES.md
- Add tests for inventory report endpoints with scope checks
Dries Peeters
2026-03-16 16:43:08 +01:00
parent 8c2714bec3
commit f05d772dbb
5 changed files with 94 additions and 51 deletions
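The any-of scope check that the commit message describes (`require_api_token()` taking a tuple of scopes, any one of which suffices), as an added Python example that is not the project's own implementation: the token store, the `Forbidden` exception, the three endpoint functions and the `allowed()` helper are hypothetical, and only the four scope names come from the commit.

```python
# Scopes the hypothetical service will accept (mirrors the documented list).
ALLOWED_SCOPES = frozenset({
    "read:projects", "write:projects", "read:inventory", "write:inventory",
})
# Constructed token store: token id -> scopes granted at issuance.
TOKENS = {
    "inv-ro": {"read:inventory"},
    "inv-rw": {"read:inventory", "write:inventory"},
    "proj-ro": {"read:projects"},   # legacy token, still aliased to inventory read
    "odd": {"admin:everything"},    # a scope the service never minted
}

class Forbidden(Exception):
    """Token holds none of the required scopes (would become HTTP 403)."""

def require_api_token(*required):
    """Decorator: the token must hold at least ONE scope in `required`.
    Checking `required` against ALLOWED_SCOPES at decoration time turns a
    typo in an endpoint's scope tuple into an import-time error."""
    unknown = set(required) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")

    def decorator(fn):
        def wrapper(token_id, *args, **kwargs):
            granted = TOKENS.get(token_id, set())  # unknown token -> no scopes
            if granted.isdisjoint(required):
                raise Forbidden(f"{fn.__name__} needs one of {required}")
            return fn(token_id, *args, **kwargs)
        return wrapper
    return decorator

# Inventory endpoints accept the dedicated scope OR the legacy project scope.
@require_api_token("read:inventory", "read:projects")
def get_stock_levels(token_id):
    return "stock-levels"
@require_api_token("write:inventory", "write:projects")
def post_transfer(token_id):
    return "transfer-created"
# Project endpoints do not accept inventory scopes: inventory-only tokens stay inventory-only.
@require_api_token("read:projects")
def get_projects(token_id):
    return "projects"

def allowed(endpoint, token_id):
    """True if `endpoint` authorises `token_id`, False when it raises Forbidden."""
    try:
        endpoint(token_id)
    except Forbidden:
        return False
    return True
```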
@@ -58,9 +58,11 @@ curl -X POST https://your-domain.com/api/v1/projects \
-d '{"name": "New Project", "status": "active"}'
```
**Inventory (same scopes)**: When the inventory module is enabled, `read:projects` and `write:projects` also grant access to inventory endpoints:
- **read:projects**: `GET /api/v1/inventory/items`, `GET /api/v1/inventory/warehouses`, `GET /api/v1/inventory/stock-levels`, `GET /api/v1/inventory/transfers`, `GET /api/v1/inventory/transfers/{reference_id}`, `GET /api/v1/inventory/reports/valuation`, `GET /api/v1/inventory/reports/movement-history`, `GET /api/v1/inventory/reports/turnover`, `GET /api/v1/inventory/reports/low-stock`, suppliers, purchase orders
- **write:projects**: `POST /api/v1/inventory/transfers`, `POST /api/v1/inventory/movements`, create/update/delete items, suppliers, purchase orders
**Inventory**: Dedicated scopes `read:inventory` and `write:inventory` grant access only to inventory endpoints. For backward compatibility, `read:projects` and `write:projects` also grant the same inventory access.
- **read:inventory** (or **read:projects**): `GET /api/v1/inventory/items`, `GET /api/v1/inventory/warehouses`, `GET /api/v1/inventory/stock-levels`, `GET /api/v1/inventory/transfers`, `GET /api/v1/inventory/transfers/{reference_id}`, `GET /api/v1/inventory/reports/*`, suppliers, purchase orders (read).
- **write:inventory** (or **write:projects**): `POST /api/v1/inventory/transfers`, `POST /api/v1/inventory/movements`, create/update/delete items, suppliers, purchase orders.
Use `read:inventory` / `write:inventory` when you need inventory-only tokens (least privilege).
---
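Review bot: The backward-compatibility sentence ("`read:projects` and `write:projects` also grant the same inventory access") states no deprecation plan, so every existing project token keeps full inventory read/write indefinitely and the "least privilege" advice in the last line only applies to newly minted tokens; consider saying whether the aliasing will be removed and recommending that inventory integrations be re-issued with `read:inventory` / `write:inventory`. Also, the new read bullet collapses the four report endpoints into `GET /api/v1/inventory/reports/*`; since this commit adds tests for exactly those report endpoints, keeping the explicit list (valuation, movement-history, turnover, low-stock) lets a reader check test coverage against the documentation.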
@@ -516,8 +518,10 @@ curl -X POST https://your-domain.com/api/v1/projects \
| Scope | Read | Write | Admin Required | Notes |
|-------|------|-------|----------------|-------|
| `read:projects` | ✅ | ❌ | ❌ | View projects |
| `write:projects` | ✅ | ✅ | ❌ | Manage projects |
| `read:projects` | ✅ | ❌ | ❌ | View projects (and inventory read) |
| `write:projects` | ✅ | ✅ | ❌ | Manage projects (and inventory write) |
| `read:inventory` | ❌ | ❌ | ❌ | View inventory only |
| `write:inventory` | ❌ | ❌ | ❌ | Manage inventory only |
| `read:time_entries` | ✅ | ❌ | ❌ | View own entries |
| `write:time_entries` | ✅ | ✅ | ❌ | Manage own entries |
| `read:tasks` | ✅ | ❌ | ❌ | View tasks |
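Review bot: The two new rows for `read:inventory` and `write:inventory` show ❌ in both the Read and Write columns, which contradicts their own Notes text ("View inventory only", "Manage inventory only") and the convention of the surrounding rows (`write:projects` is ✅ / ✅); as written, a reader scanning the matrix would conclude the new scopes grant nothing. They should read `| `read:inventory` | ✅ | ❌ | ❌ | View inventory only |` and `| `write:inventory` | ✅ | ✅ | ❌ | Manage inventory only |`.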