Site Map

Author: simonredfern

src/hooks.server.ts

@@ -10,6 +10,7 @@ import { env } from "$env/dynamic/private";
 import { oauth2ProviderManager } from "$lib/oauth/providerManager";
 import { SessionOAuthHelper } from "$lib/oauth/sessionHelper";
 import { resourceDocsCache } from "$lib/stores/resourceDocsCache";
+import { validateSiteMapScopes } from "$lib/utils/roleChecker";
 
 declare const process: { env: Record<string, string | undefined>; argv: string[] };
 
@@ -55,6 +56,8 @@ function checkServerPort() {
 // Startup scripts
 // Check server port
 checkServerPort();
+// Validate SITE_MAP doesn't mix bankScoped and system-wide roles on any page
+validateSiteMapScopes();
 
 // Init Redis
 let client: Redis;

src/lib/components/PageRoleCheck.svelte

@@ -20,7 +20,6 @@
     return checkRoles(userEntitlements || [], required || [], currentBankId);
   });
 
-  let firstMissingRequired = $derived(requiredCheck.missingRoles[0] || null);
   let showContent = $derived(requiredCheck.hasAllRoles);
 
   // Check optional roles (informational — content still renders)
@@ -36,13 +35,15 @@
   );
 </script>
 
-{#if firstMissingRequired}
+{#if requiredCheck.missingRoles.length > 0}
   <div class="role-alerts">
-    <MissingRoleAlert
-      roles={[firstMissingRequired.role]}
-      bankId={firstMissingRequired.bankId || undefined}
-      message={`You need the following role to access this page: ${firstMissingRequired.role}`}
-    />
+    {#each requiredCheck.missingRoles as missingRole}
+      <MissingRoleAlert
+        roles={[missingRole.role]}
+        bankId={missingRole.bankId || undefined}
+        message={`You need the following role to access this page: ${missingRole.role}`}
+      />
+    {/each}
   </div>
 {/if}
 

src/lib/utils/roleChecker.ts

@@ -68,6 +68,9 @@ export const SITE_MAP: Record<string, PageRoleConfig> = {
       { role: "CanDeleteEntitlementRequestsAtAnyBank" },
     ],
   },
+  "/rbac/groups": {
+    required: [{ role: "CanGetGroupsAtAllBanks" }],
+  },
   "/rbac/groups/create": {
     required: [{ role: "CanCreateGroupAtAllBanks" }],
   },
@@ -132,6 +135,12 @@ export const SITE_MAP: Record<string, PageRoleConfig> = {
     required: [{ role: "CanManageFeaturedApiCollections" }],
   },
 
+  // ── Products ────────────────────────────────────────────
+  "/products/bootstrap": {
+    required: [{ role: "CanUpdateApiProduct", bankScoped: true }],
+    optional: [{ role: "CanDeleteApiProduct", bankScoped: true }],
+  },
+
   // ── Banks ─────────────────────────────────────────────
   "/banks/create": {
     required: [{ role: "CanCreateBank" }],
@@ -152,6 +161,12 @@ export const SITE_MAP: Record<string, PageRoleConfig> = {
   },
 
   // ── Metrics ───────────────────────────────────────────
+  "/metrics": {
+    required: [{ role: "CanReadMetrics" }],
+  },
+  "/aggregate-metrics": {
+    required: [{ role: "CanReadAggregateMetrics" }],
+  },
   "/connector-traces": {
     required: [{ role: "CanGetConnectorTrace" }],
   },
@@ -248,6 +263,30 @@ export const SITE_MAP: Record<string, PageRoleConfig> = {
   },
 };
 
+/**
+ * Validate that no SITE_MAP page mixes bankScoped and non-bankScoped roles
+ * in its required list. Mixing scopes would show confusing role widgets
+ * (some saying "System-wide" and others "Bank-level") on the same page.
+ * Logs a warning at startup for any violations.
+ */
+export function validateSiteMapScopes(): void {
+  for (const [route, config] of Object.entries(SITE_MAP)) {
+    const roles = config.required;
+    if (roles.length < 2) continue;
+
+    const hasBankScoped = roles.some((r) => r.bankScoped);
+    const hasSystemScoped = roles.some((r) => !r.bankScoped);
+
+    if (hasBankScoped && hasSystemScoped) {
+      logger.warn(
+        `SITE_MAP "${route}" mixes bankScoped and system-wide roles in its required list: ` +
+          roles.map((r) => `${r.role}${r.bankScoped ? " (bankScoped)" : ""}`).join(", ") +
+          `. This will show confusing role widgets. Separate into distinct pages or unify the scope.`,
+      );
+    }
+  }
+}
+
 /**
  * Look up page roles by route ID (stripping /(protected) prefix if present)
  */