feat(applets): require SCC authorization for PPE applets #454

Open
tomas-goncalves wants to merge 1 commit into sc0v:master from tomas-goncalves:feat/ppe-applet-authorization

@tomas-goncalves
Contributor

Summary

  • PPE collection (authorize! :update, Checkout) and distribution (authorize! :create, Checkout) were missing authorization checks despite performing SCC-only operations
  • Follows the existing push_broadcast pattern (before_action :require_scc)
  • Wristband lookup and push broadcast were already correctly authorized

Test plan

  • Non-SCC users are redirected away from /ppe-collection and /ppe-distribution
  • SCC users can still access and use both applets normally

PPE collection and distribution both create/update Checkout and Tool
records, which are SCC-only operations per the Ability model. Neither
controller had any authorization check. Added before_action :require_scc
using authorize! consistent with the push_broadcast applet pattern.
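
The gap and the fix described above, reduced to plain Ruby as an added example (not code from this PR or the sc0v repository). The class names, the `User` struct and the `:redirected` result are assumptions, and `BaseController` is a simplified stand-in for Rails' `before_action` and CanCanCan's `authorize!`.

```ruby
# Added illustration in plain Ruby; it mimics, but does not use, Rails/CanCanCan.
class AccessDenied < StandardError; end
class Checkout; end                 # stand-in for the model named in the PR
User = Struct.new(:name, :scc)      # hypothetical user record; scc = SCC member?

# Stand-in Ability: only SCC members may create or update Checkout.
class Ability
  def initialize(user); @user = user; end

  def can?(action, subject)
    @user.scc && subject == Checkout && %i[create update].include?(action)
  end
end

# Minimal controller base: run the before-filters, then the action.
# AccessDenied becomes a redirect, as a rescue_from handler would do.
class BaseController
  def self.filters; @filters ||= []; end
  def self.before_action(name); filters << name; end
  def initialize(user); @user = user; end

  def authorize!(action, subject)
    raise AccessDenied unless Ability.new(@user).can?(action, subject)
  end

  def dispatch(action)
    self.class.filters.each { |filter| send(filter) }
    send(action)
  rescue AccessDenied
    :redirected
  end
end

# Before: no filter, so the Checkout update runs for any user.
class UnguardedPpeCollection < BaseController
  def index; :checkout_updated; end
end

# After: require_scc runs first and stops non-SCC users before the update.
class GuardedPpeCollection < UnguardedPpeCollection
  before_action :require_scc
  def require_scc; authorize!(:update, Checkout); end
end
```

Dispatching `:index` as a non-SCC user reaches the update in the unguarded class and is redirected in the guarded one, which is the behaviour the test plan checks.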