PowderCoatingLogix/src
spouliot 4df85d75db Gate Tools and OvenScheduler controllers (authorization audit #3)
Both were class-level [Authorize] only, so any authenticated user
(including ReadOnly/Employee/ShopFloor) could reach state-changing actions:

- ToolsController (32 POSTs: bulk CSV + QuickBooks import/export of
  customers, invoices, financials, inventory, etc.) -> CanManageInvoices.
  Closes a data-egress + bulk-import gap; low-privilege roles can no longer
  export or import company data.
- OvenSchedulerController (9 POSTs: create/add/move/remove/start/complete/
  delete batch) -> CanManageJobs, matching the shop-ops domain.

Audit #3 otherwise clean: ~75/80 controllers correctly gated, platform
surface consistently SuperAdminOnly, anonymous controllers intentional
(webhooks/public flows), PasskeyController correctly per-action gated, and
this session's earlier changes (SaveDefaultAccounts -> CompanyAdminOnly,
QB sign-fix -> SuperAdminOnly) verified correct.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 17:57:10 -04:00
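
The gap the commit message describes, as an added example that is not code from the PowderCoatingLogix repository: a class-level `[Authorize]` with no policy or role only requires authentication, and a reflection check can list the write actions left in that state. The two controller classes and `AuthorizationAudit` are hypothetical; only the policy name `CanManageJobs` comes from the page.

```csharp
// Added example for ASP.NET Core MVC. Controllers and the audit helper are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Routing;

[Authorize]                              // before: any authenticated user passes
public class UngatedSchedulerController : Controller
{
    [HttpPost] public IActionResult DeleteBatch(int id) => Ok();
}

[Authorize(Policy = "CanManageJobs")]    // after: the policy gates every action
public class GatedSchedulerController : Controller
{
    [HttpPost] public IActionResult DeleteBatch(int id) => Ok();
}

public static class AuthorizationAudit
{
    // True when at least one [Authorize] names a policy or a role list.
    static bool Restricts(IEnumerable<AuthorizeAttribute> attrs) =>
        attrs.Any(a => !string.IsNullOrEmpty(a.Policy) || !string.IsNullOrEmpty(a.Roles));

    // Lists state-changing actions (any verb other than GET/HEAD) that carry
    // no policy or role requirement on either the controller or the action.
    public static IEnumerable<string> FindUngatedWrites(Assembly asm) =>
        from type in asm.GetTypes()
        where typeof(ControllerBase).IsAssignableFrom(type) && !type.IsAbstract
        where !Restricts(type.GetCustomAttributes<AuthorizeAttribute>(true))
        from m in type.GetMethods(
            BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
        where m.GetCustomAttributes<HttpMethodAttribute>(true)
               .Any(h => h.HttpMethods.Any(v => v != "GET" && v != "HEAD"))
        where !Restricts(m.GetCustomAttributes<AuthorizeAttribute>(true))
        select $"{type.Name}.{m.Name}";

    public static void Main()
    {
        // Reports the ungated controller's action and skips the gated one.
        foreach (var hit in FindUngatedWrites(typeof(AuthorizationAudit).Assembly))
            Console.WriteLine(hit);
    }
}
```

The check reads attributes only, so it does not see a global fallback policy or authorization filters registered at startup, and intentionally anonymous controllers will appear in the output and need an explicit allow-list.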