feat: role-based permissions (owner/partner/associate/paralegal/secretary)

Backend: - auth/permissions.go: full permission matrix with RequirePermission/RequireRole middleware, CanEditCase, CanDeleteDocument helpers - auth/context.go: add user role to request context - auth/middleware.go: resolve role alongside tenant in auth flow - auth/tenant_resolver.go: verify membership + resolve role for X-Tenant-ID - handlers/case_assignments.go: CRUD for case-level user assignments - handlers/tenant_handler.go: UpdateMemberRole, GetMe (/api/me) endpoints - handlers/documents.go: permission-based delete (own vs all) - router/router.go: permission-wrapped routes for all endpoints - services/case_assignment_service.go: assign/unassign with tenant validation - services/tenant_service.go: UpdateMemberRole with owner protection - models/case_assignment.go: CaseAssignment model Database: - user_tenants.role: CHECK constraint (owner/partner/associate/paralegal/secretary) - case_assignments table: case_id, user_id, role (lead/team/viewer) - Migrated existing admin->partner, member->associate Frontend: - usePermissions hook: fetches /api/me, provides can() helper - TeamSettings: 5-role dropdown, role change, permission-gated invite - CaseAssignments: new component for case-level team management - Sidebar: conditionally hides AI/Settings based on permissions - Cases page: hides "Neue Akte" button for non-authorized roles - Case detail: new "Mitarbeiter" tab for assignment management
2026-03-30 11:04:57 +02:00
parent 82878dffd5
commit 0a0ec016d8
20 changed files with 1068 additions and 104 deletions
--- a/frontend/src/components/layout/Sidebar.tsx
+++ b/frontend/src/components/layout/Sidebar.tsx
@@ -13,19 +13,32 @@ import {
  X,
 } from "lucide-react";
 import { useState, useEffect } from "react";
+import { usePermissions } from "@/lib/hooks/usePermissions";

-const navigation = [
+interface NavItem {
+  name: string;
+  href: string;
+  icon: typeof LayoutDashboard;
+  permission?: string;
+}
+
+const allNavigation: NavItem[] = [
  { name: "Dashboard", href: "/dashboard", icon: LayoutDashboard },
  { name: "Akten", href: "/cases", icon: FolderOpen },
  { name: "Fristen", href: "/fristen", icon: Clock },
  { name: "Termine", href: "/termine", icon: Calendar },
-  { name: "AI Analyse", href: "/ai/extract", icon: Brain },
-  { name: "Einstellungen", href: "/einstellungen", icon: Settings },
+  { name: "AI Analyse", href: "/ai/extract", icon: Brain, permission: "ai_extraction" },
+  { name: "Einstellungen", href: "/einstellungen", icon: Settings, permission: "manage_settings" },
 ];

 export function Sidebar() {
  const pathname = usePathname();
  const [mobileOpen, setMobileOpen] = useState(false);
+  const { can, isLoading: permLoading } = usePermissions();
+
+  const navigation = allNavigation.filter(
+    (item) => !item.permission || permLoading || can(item.permission),
+  );

  // Close on route change
  useEffect(() => {