Release v2.4.0 — team enforcement, page visibility, View As

Jordan Ramos
2026-06-24 14:42:56 -06:00
parent c000bf3f8b
commit c288d235e0

@@ -6,6 +6,34 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this
---
## [v2.4.0] — 2026-06-24
### Added
- **Backend team enforcement** — `requireTeam()` middleware enforces team-scoped data access at the API level. Non-admin users can only access findings, compliance data, CARD assets, and Atlas metrics for their assigned BU teams. Users with no team assignment receive 403.
- **Page visibility by group** — centralized matrix in `config/pageVisibility.js` controls which pages each user group can access. Read_Only sees Home + Knowledge Base only. Leadership adds Triage, Compliance, CCP Metrics, and Exports. Standard_User adds Jira and Archer Templates. Admin sees all.
- **View As (impersonation)** — Admin users can temporarily view the app as another user via the eye icon in User Management. An amber banner shows the impersonated identity with an Exit button. Exercises real enforcement code paths for permission verification.
- **Homepage UX improvements** — drag-and-drop document upload, recent activity feed with tabbed sidebar layout, extracted components for cleaner architecture.
- **TLS/HTTPS support** — auto-detection of cert/key files enables HTTPS serving without configuration changes.
- **Granite Loader on Compliance page** — CARD enrichment with pagination for compliance-driven Granite sheet generation.
### Changed
- **Team name mapping centralized** — `helpers/teams.js` now exports `TEAM_TO_IVANTI`, `IVANTI_TO_TEAM`, `teamToIvanti()`, and `ivantiToTeam()` for consistent mapping between short names and Ivanti BU identifiers.
- **Atlas and Archive routes** — now use `requireTeam()` instead of client-provided `?teams=` query parameter for team scoping.
- **Jira and Archer Template routes** — now enforce `requireGroup('Admin', 'Standard_User')` at router level for page-level access control.
- **Activity feed** — impersonation events (`impersonate_start`, `impersonate_stop`) are hidden from non-Admin users.
- **NavDrawer** — uses centralized `canAccessPage()` instead of inline `requiredGroups` properties.
- **App.js** — generic route guard via `setCurrentPage` replaces per-page `isInGroup()` checks; localStorage validation ensures persisted page is accessible.
### Fixed
- **BulkHideToolbar** — no longer detaches from viewport when scrolling on Reporting page.
- **BU drift checker** — skips history entries when `previous_bu` is unknown.
- **Compliance upload limits** — raised to 100MB to accommodate larger xlsx files.
---
## [2.3.0] — 2026-06-16
### Added
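Review bot: The **View As (impersonation)** entry (`- **View As (impersonation)** — Admin users can temporarily view the app as another user ...`) should document the scope of the feature, since this is the one change in the hunk that widens what an Admin session can do: state whether View As can target other Admin accounts, whether actions performed during impersonation are attributed to the real Admin identity in the activity feed (the Changed section only says `impersonate_start` / `impersonate_stop` are hidden from non-Admin users, not what a mutating request looks like in the log), and what "temporarily" means (an explicit Exit only, or an automatic expiry). Two smaller points in the same hunk: the new heading `## [v2.4.0] — 2026-06-24` uses a `v` prefix while the previous entry is `## [2.3.0] — 2026-06-16`, so one of them should be changed for consistency with the Keep a Changelog format the file declares; and the **Compliance upload limits** line (`raised to 100MB to accommodate larger xlsx files`) would benefit from a note on whether the xlsx parser bounds decompressed size, because a larger accepted upload on a compressed format is the kind of change readers of a changelog want to see justified.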