dmolinari/SIG-CM2.0
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

UDT-006: Middleware de Autorización (RBAC enforcement) #10

Merged
dmolinari merged 9 commits from feature/UDT-006 into main 2026-04-15 20:15:18 +00:00
Conversation 0 Commits 9 Files Changed 37 +1475 -96
dmolinari commented 2026-04-15 19:52:44 +00:00
Owner
Copy Link

Summary

Cierre del módulo Auth (UDT-001..006). Enforcement de permisos end-to-end basado en el catálogo de UDT-005.

Backend (.NET 10)

  • [RequirePermission("modulo:accion")] via IAuthorizationRequirementData — sin named policies
  • PermissionAuthorizationHandler resuelve permisos por claim rol contra dbo.RolPermiso (sin cache)
  • ForbiddenProblemDetailsHandler : IAuthorizationMiddlewareResultHandler → 403 con { type, title, status, detail, permisoRequerido }
  • LoginCommandHandler deja de leer PermisosJson y toma permisos desde IRolPermisoRepository (aditivo, no breaking)
  • Controllers admin (Usuarios/Roles/Permisos) migran de [Authorize(Roles="admin")] a [RequirePermission(...)]
  • Migración V007 agrega 3 permisos al catálogo (administracion:roles:gestionar, administracion:roles_permisos:gestionar, administracion:permisos:ver) asignados al admin

Frontend (React 19)

  • AuthUser.permisos: string[] en authStore + persistido desde login response
  • usePermission(code) + <CanPerform permission=... /> (OR semantics en array)
  • ProtectedRoute extraído a components/routing/ con requiredRoles? / requiredPermissions? (OR) — integrado en router.tsx
  • Guards inline removidos de CreateUserPage, RolesPage, NewRolPage, EditRolPage, RolPermisosPage

SDD Artifacts (engram)

  • explore / proposal / spec / design / tasks / apply-progress / verify-report / archive-report — topic_keys sdd/udt-006-middleware-autorizacion/*

Test plan

  • dotnet test — 282/282 (Application 222 + Api 60)
  • cd src/web && npx vitest run — 76/76
  • Login admin devuelve 21 permisos (V005 18 + V007 3)
  • Endpoint admin con rol cajero → 403 con permisoRequerido
  • ProtectedRoute bloquea rutas admin si el rol/permiso no matchea
  • Correr V007 en SIGCM2 (prod) antes del deploy

Closes #5

## Summary Cierre del módulo Auth (UDT-001..006). Enforcement de permisos end-to-end basado en el catálogo de UDT-005. **Backend (.NET 10)** - `[RequirePermission("modulo:accion")]` via `IAuthorizationRequirementData` — sin named policies - `PermissionAuthorizationHandler` resuelve permisos por claim `rol` contra `dbo.RolPermiso` (sin cache) - `ForbiddenProblemDetailsHandler : IAuthorizationMiddlewareResultHandler` → 403 con `{ type, title, status, detail, permisoRequerido }` - `LoginCommandHandler` deja de leer `PermisosJson` y toma permisos desde `IRolPermisoRepository` (aditivo, no breaking) - Controllers admin (`Usuarios`/`Roles`/`Permisos`) migran de `[Authorize(Roles="admin")]` a `[RequirePermission(...)]` - Migración **V007** agrega 3 permisos al catálogo (`administracion:roles:gestionar`, `administracion:roles_permisos:gestionar`, `administracion:permisos:ver`) asignados al admin **Frontend (React 19)** - `AuthUser.permisos: string[]` en `authStore` + persistido desde login response - `usePermission(code)` + `<CanPerform permission=... />` (OR semantics en array) - `ProtectedRoute` extraído a `components/routing/` con `requiredRoles?` / `requiredPermissions?` (OR) — integrado en `router.tsx` - Guards inline removidos de `CreateUserPage`, `RolesPage`, `NewRolPage`, `EditRolPage`, `RolPermisosPage` ## SDD Artifacts (engram) - explore / proposal / spec / design / tasks / apply-progress / verify-report / archive-report — topic_keys `sdd/udt-006-middleware-autorizacion/*` ## Test plan - [x] `dotnet test` — 282/282 (Application 222 + Api 60) - [x] `cd src/web && npx vitest run` — 76/76 - [x] Login admin devuelve 21 permisos (V005 18 + V007 3) - [x] Endpoint admin con rol cajero → 403 con `permisoRequerido` - [x] ProtectedRoute bloquea rutas admin si el rol/permiso no matchea - [x] Correr V007 en `SIGCM2` (prod) antes del deploy Closes #5
dmolinari added 9 commits 2026-04-15 19:52:44 +00:00
feat(api): login response permisos desde RolPermiso [UDT-006] cdb8dcd03c
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 58d0df601f
feat(api): ForbiddenProblemDetailsHandler 403 shape [UDT-006] 4866c4f21f
feat(api): migrar controllers admin a RequirePermission [UDT-006] 0218d8d371
feat(web): authStore + useLogin persisten permisos [UDT-006] 2efd5e2fdb
feat(web): usePermission + CanPerform [UDT-006] 8935115da9
feat(web): ProtectedRoute extraído + router migrado + CreateUserPage cleanup [UDT-006] f6cdd7650b
refactor(web): eliminar guards inline rol admin en páginas de roles/permisos [UDT-006] 96e7290fb7
test(api): assert count 21 permisos admin post-V007 [UDT-006] 8513e99554
dmolinari merged commit c0d1ea4ac2 into main 2026-04-15 20:15:18 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
followup
Deuda técnica o mejora detectada en un UDT, a retomar en otro futuro. Revisar al empezar cada UDT.
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dmolinari
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dmolinari/SIG-CM2.0#10
Delete Branch "feature/UDT-006"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?