Restrict write-action UI to editor+ role for checks and deposits

Viewers can no longer see New Check, New Deposit, Import .mdb, or Import QBO buttons. Deposit row Edit/Delete buttons are also hidden for viewers, matching the existing behavior on check rows.
2026-03-19 16:32:03 -06:00
parent af88549ad8
commit 4783cf8953
3 changed files with 59 additions and 27 deletions
@@ -85,9 +85,9 @@
      <button id="btn-generate-pdf" class="btn-primary" disabled>
        Generate PDF <span id="selected-count" class="badge">0</span>
      </button>
-      <button id="btn-new-check" class="btn-secondary">+ New Check</button>
-      <button id="btn-import" class="btn-secondary">Import .mdb</button>
-      <button class="btn-secondary" data-open-qbo="checks">Import QBO</button>
+      <button id="btn-new-check" class="btn-secondary" data-editor-only>+ New Check</button>
+      <button id="btn-import" class="btn-secondary" data-editor-only>Import .mdb</button>
+      <button class="btn-secondary" data-editor-only data-open-qbo="checks">Import QBO</button>
    </div>
  </div>

@@ -128,8 +128,8 @@
      </select>
    </div>
    <div class="toolbar-right">
-      <button id="btn-new-deposit" class="btn-secondary">+ New Deposit</button>
-      <button class="btn-secondary" data-open-qbo="deposits">Import QBO</button>
+      <button id="btn-new-deposit" class="btn-secondary" data-editor-only>+ New Deposit</button>
+      <button class="btn-secondary" data-editor-only data-open-qbo="deposits">Import QBO</button>
    </div>
  </div>
  <div class="table-wrap">
@@ -1268,6 +1268,9 @@ function renderDepositsTable() {
    return;
  }

+  const isEditor = state.accountRole === 'editor' ||
+    (!state.accountRole && state.user && (state.user.role === 'admin' || state.user.role === 'editor'));
+
  tbody.innerHTML = list.map(d => {
    const cashTotal    = (d.currency || 0) + (d.coin || 0);
    const checksTotal  = d.checks_total || 0;
@@ -1276,6 +1279,10 @@ function renderDepositsTable() {
    const badge        = printed
      ? '<span class="status-badge status-printed">Printed</span>'
      : '<span class="status-badge status-unprinted">Unprinted</span>';
+    const actions = isEditor
+      ? `<button class="btn-sm btn-edit dep-btn-edit" data-id="${d.id}">Edit</button>` +
+        `<button class="btn-sm btn-delete dep-btn-delete" data-id="${d.id}">Delete</button>`
+      : '';
    return `<tr class="${printed ? 'printed' : ''}">
      <td class="col-date">${fmtDate(d.deposit_date)}</td>
      <td class="col-amount" style="text-align:right">${fmt(checksTotal)}</td>
@@ -1284,10 +1291,7 @@ function renderDepositsTable() {
      <td class="col-amount" style="text-align:right"><strong>${fmt(depositTotal)}</strong></td>
      <td style="text-align:center">${d.item_count || 0}</td>
      <td class="col-status">${badge}</td>
-      <td class="col-actions">
-        <button class="btn-sm btn-edit dep-btn-edit" data-id="${d.id}">Edit</button>
-        <button class="btn-sm btn-delete dep-btn-delete" data-id="${d.id}">Delete</button>
-      </td>
+      <td class="col-actions">${actions}</td>
    </tr>`;
  }).join('');