first commit

web/dashboard/src/lib/auth-permissions.ts

@@ -1,4 +1,5 @@
-import { BRANCH_ONLY_NAV_GROUP, type NavGroupId } from "@/lib/sidebar-nav";
+import { BRANCH_ONLY_NAV_GROUP, type NavGroupId, type NavItemKey } from "@/lib/sidebar-nav";
+import { NAV_REQUIRED_PERMISSION } from "@/lib/permissions";
 
 /** Cafe owner (HQ) — billing, taxes, branches. */
 export function isCafeOwner(role: string | undefined): boolean {
@@ -26,7 +27,8 @@ export function canSeeNavGroup(
 export function canSeeNavItem(
   key: string,
   role: string | undefined,
-  branchId: string | null | undefined
+  branchId: string | null | undefined,
+  permissions?: Set<string> | null
 ): boolean {
   if ((OWNER_ONLY_NAV_KEYS as readonly string[]).includes(key) && !isCafeOwner(role)) {
     return false;
@@ -34,5 +36,14 @@ export function canSeeNavItem(
   if (key === "branches" && isBranchAccount(branchId)) {
     return false;
   }
+  // Permission-based page visibility. `permissions === null` means a legacy
+  // session with no permission list — fall back to the role/branch rules above
+  // so those users keep their current access until the next token refresh.
+  if (permissions) {
+    const required = NAV_REQUIRED_PERMISSION[key as NavItemKey];
+    if (required && !permissions.has(required)) {
+      return false;
+    }
+  }
   return true;
 }