feat(permissions): implement role-based permission system #72

asithade · 2025-09-08T17:07:54Z

Summary

Implements a comprehensive role-based permission system for projects, committees, and meetings with conditional UI rendering based on user access levels.

Changes Made

Backend Permission Service

New AccessCheckService - Centralized permission validation service
Microservice Integration - Uses LFX V2 service /access-check endpoint
Service Integration - Added permission checks to project, committee, and meeting services

UI Permission States

Conditional Rendering - Action buttons now shown/hidden based on user permissions
Project-level Permissions - Create meeting/committee buttons for users with project write access
Committee-level Permissions - Edit/delete/member management for users with committee write access
Meeting-level Permissions - Edit button for meeting organizers
Read-only States - Users without permissions see clean UI without action buttons

Interface Updates

Added writer field to Project and Committee interfaces
Added organizer field to Meeting interface for permission tracking
New AccessCheckInterface for permission service integration

UI Enhancements

Added Zoom logo for meeting platform display
Improved visual indicators for meeting platforms

Related JIRA Tickets

LFXV2-437 - Epic: Implement Role-Based Permission System for Projects, Committees, and Meetings
LFXV2-438 - Implement Project-Level Write Permissions for Meetings and Committees
LFXV2-439 - Implement Committee-Level Write Permissions and Member Management
LFXV2-440 - Implement Meeting-Level Write Permissions and Registrant Management
LFXV2-441 - Implement Read-Only Permission UI States and User Feedback
LFXV2-442 - Implement Permission Service Integration and Caching

Technical Details

Permission Flow

Services call AccessCheckService.addAccessToResources() to add permission fields
AccessCheckService makes batch requests to LFX V2 service /access-check endpoint
UI components conditionally render based on writer/organizer flags
Users without permissions see clean read-only interface

Files Modified

Backend: 3 new service files, 4 modified services
Frontend: 15 modified components for conditional rendering
Shared: 3 interface updates, 1 new access check interface

Testing

All existing E2E tests pass
Build and lint checks successful
Permission states tested across all affected components

Breaking Changes

None - all changes are additive and backward compatible.

- Add AccessCheckService for backend permission validation - Integrate permission checks in project, committee, and meeting services - Add writer/organizer fields to shared interfaces - Implement conditional UI rendering based on user permissions - Hide action buttons for users without write access - Add Zoom logo for meeting platform display Generated with [Claude Code](https://claude.ai/code) Signed-off-by: Asitha de Silva <[email protected]>

coderabbitai · 2025-09-08T17:08:04Z

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Introduces access-check capability via a new server-side AccessCheckService and integrates it into project, meeting, and committee services to annotate resources with per-user access (writer/organizer). Updates shared interfaces, several UI templates to conditionally render actions based on access, meeting stepper indexing (0→1-based), registrant type field, CI secret handling, docs, and minor styles.

Changes

Cohort / File(s)	Summary of Changes
CI workflow: AUTH secret mapping `.github/workflows/e2e-tests.yml`	Adds AUTH secret from AWS Secrets Manager; parses m2m_client_id/secret into masked env vars. Skips tests if absent.
Documentation and env samples `README.md`, `apps/lfx-pcc/.env.example`	Updates local env guidance (Auth0/M2M/Supabase/NATS/AI/testing), adds local endpoints, replaces legacy vars; renames auth header comment to Auth0/Authelia.
Styling and meeting platform card `apps/lfx-pcc/src/app/app.component.scss`, `apps/lfx-pcc/src/app/modules/meeting/meeting.component.html`	Adds menu icon width style. Replaces Zoom text with logo image; adds label/icon to Join Meeting buttons.
Committee UI: permission-gated actions `.../committees/committee-dashboard/committee-dashboard.component.html`, `.../committees/components/committee-members/committee-members.component.html`	Shows New Committee/Add Member/actions only for writer; non-writers see mailto button for members.
Committee dashboard TS cleanup `.../committees/committee-dashboard/committee-dashboard.component.ts`	Removes menuItems property and initialization method.
Committee table: reactive action menu and gating `.../committees/components/committee-table/committee-table.component.html`, `.../committee-table/committee-table.component.ts`	Gates Edit/Ellipsis buttons by writer; adds tooltip; converts action menu to computed Signal with conditional Delete; imports TooltipModule.
Project dashboard/menu: permission-gated creation `.../project/dashboard/project-dashboard/project.component.html`, `.../project/dashboard/project-dashboard/project.component.ts`, `.../project/meetings/meeting-dashboard/meeting-dashboard.component.html`, `.../project/meetings/meeting-dashboard/meeting-dashboard.component.ts`	Shows Create Meeting/Committee only for writers; refactors menu item assembly; consolidates rxjs imports.
Meeting card: organizer-scoped actions `.../project/meetings/components/meeting-card/meeting-card.component.html`, `.../meeting-card/meeting-card.component.ts`	Restricts header actions and Add Guests to organizer; adjusts registrants label; adds organizer-only Delete; removes/limits edit/admin items for non-organizers.
Meeting manage: stepper reindexing to 1-based `.../project/meetings/components/meeting-manage/meeting-manage.component.html`, `.../meeting-manage/meeting-manage.component.ts`	Shifts steps from 0–4 to 1–5; updates guards, boundaries, title auto-gen trigger, and validation to 1-based indices.
Meeting registrants payload `.../project/meetings/components/meeting-registrants/meeting-registrants.component.ts`	Changes added registrant type from 'individual' to 'direct'.
Client meeting service logging `apps/lfx-pcc/src/app/shared/services/meeting.service.ts`	Removes success tap(console.log) in createMeeting pipeline.
Server: new AccessCheck service `apps/lfx-pcc/src/server/services/access-check.service.ts`	Adds AccessCheckService to call LFX V2 /access-check via MicroserviceProxyService; batch/single checks; helpers to annotate resources with access flags.
Server: integrate access checks `apps/lfx-pcc/src/server/services/project.service.ts`, `.../meeting.service.ts`, `.../committee.service.ts`	Instantiates AccessCheckService; enriches fetched projects/meetings/committees with access flags (writer/organizer) before returning.
Shared interfaces: access and models `packages/shared/src/interfaces/access-check.interface.ts`, `packages/shared/src/interfaces/index.ts`, `packages/shared/src/interfaces/project.interface.ts`, `packages/shared/src/interfaces/meeting.interface.ts`, `packages/shared/src/interfaces/committee.interface.ts`	Adds access-check request/response/types and re-export; adds writer?: boolean to Project/Committee; adds organizer?: boolean to Meeting; MeetingRegistrant type 'individual'→'direct' and optional committee_uid.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as Client (Browser/API)
  participant Server as PCC Server Service (Project/Meeting/Committee)
  participant ACS as AccessCheckService
  participant Proxy as MicroserviceProxyService
  participant LFX as LFX_V2_SERVICE (/access-check)

  User->>Server: GET resources (e.g., meetings)
  Server->>Server: Fetch resources from data source
  Server->>ACS: addAccessToResources(req, resources, type, accessType)
  ACS->>ACS: Build requests payload
  ACS->>Proxy: POST /access-check { requests }
  Proxy->>LFX: Forward request
  LFX-->>Proxy: { results: [...] }
  Proxy-->>ACS: API response
  ACS->>ACS: Parse results → Map<id, hasAccess>
  ACS-->>Server: Resources annotated (e.g., writer/organizer flags)
  Server-->>User: Enriched resources
  note over Server,User: On API error, returns resources with access=false

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

feat(ui): implement meeting join dashboard with public access #69 — Also adds AUTH secret handling in e2e-tests workflow with M2M client extraction; overlaps CI changes.
feat(api): migrate committee endpoints from supabase to lfx v2 service #66 — Modifies server-side committee service and microservice integration; intersects with newly added AccessCheckService usage.
feat(api): implement comprehensive meeting registrant management system #63 — Adjusts meeting registrant surface and adds Manage Guests step; relates to stepper reindexing and registrant type changes.

✨ Finishing Touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch feat/LFXV2-437

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Copilot

Pull Request Overview

This PR implements a comprehensive role-based permission system for projects, committees, and meetings with conditional UI rendering based on user access levels. The implementation adds permission fields to interfaces, creates a centralized AccessCheckService for validation, and updates UI components to conditionally show/hide action buttons based on user permissions.

Adds writer field to Project and Committee interfaces, organizer field to Meeting interface
Implements new AccessCheckService using LFX V2 service /access-check endpoint for permission validation
Updates UI components to conditionally render action buttons based on user permissions

Reviewed Changes

Copilot reviewed 28 out of 29 changed files in this pull request and generated 5 comments.

File	Description
packages/shared/src/interfaces/*	Added permission fields to Project, Committee, Meeting interfaces and new AccessCheck interface
apps/lfx-pcc/src/server/services/*	Added AccessCheckService and integrated permission checks into existing services
apps/lfx-pcc/src/app/modules/project/*	Updated UI components to conditionally render based on permission fields
apps/lfx-pcc/src/app/shared/services/meeting.service.ts	Removed debug logging statement

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

packages/shared/src/interfaces/meeting.interface.ts

...x-pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.ts

...pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.html

apps/lfx-pcc/src/app/modules/meeting/meeting.component.html

apps/lfx-pcc/src/server/services/access-check.service.ts

github-actions · 2025-09-08T17:10:01Z

⏭️ E2E Tests Skipped

Browser: chromium
Status: skipped

E2E tests were skipped (no test credentials provided).

Test Configuration

Node.js: 22
Command: e2e
Browser: chromium
Base URL: http://localhost:4200

Signed-off-by: Asitha de Silva <[email protected]>

github-actions · 2025-09-08T17:41:19Z

🧹 Deployment Removed

The deployment for PR #72 has been removed.

coderabbitai

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.ts (1)
540-571: Make Quick Actions menu reactive
Replace the static array with a computed signal and update the template accordingly:
--- a/apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.ts
+++ b/apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.ts
@@
-  // Menu items for quick actions
-  public readonly quickActionMenuItems: MenuItem[] = this.initializeQuickActionMenuItems();
+  // Menu items for quick actions (reactive to project changes)
+  public readonly quickActionMenuItems = computed<MenuItem[]>(() =>
+    this.initializeQuickActionMenuItems()
+  );
--- a/apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.html
+++ b/apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.html
@@
-          <lfx-menu [model]="quickActionMenuItems" styleClass="w-full border-0 p-0"></lfx-menu>
+          <lfx-menu [model]="quickActionMenuItems()" styleClass="w-full border-0 p-0"></lfx-menu>
After applying, verify that toggling a user’s writer permission adds/removes the “Create Meeting” and “Create Committee” items without a full page reload.
apps/lfx-pcc/src/app/modules/project/meetings/meeting-dashboard/meeting-dashboard.component.ts (1)
258-281: 'Public Calendar' menu item has no action

The item is inert (no routerLink/command). Provide a command to switch to Calendar view and set visibility to public.
     items.push(
       {
         label: this.meetingListView() === 'past' ? 'Upcoming Meetings' : 'Meeting History',
         icon: 'fa-light fa-calendar-days text-sm',
         command: () => this.onMeetingListViewChange(this.meetingListView() === 'upcoming' ? 'past' : 'upcoming'),
       },
       {
         label: 'Public Calendar',
         icon: 'fa-light fa-calendar-check text-sm',
-      }
+        command: () => {
+          this.onVisibilityChange('public');
+          this.currentView.set('calendar');
+        }
+      }
     );
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-card/meeting-card.component.ts (1)
335-347: Avoid trailing separator when user isn’t organizer

When not organizer, menu shows “Join Meeting” followed by a dangling separator.
-        baseItems.push({
-          separator: true,
-        });
+        if (this.meeting()?.organizer) {
+          baseItems.push({ separator: true });
+        }

♻️ Duplicate comments (4)

apps/lfx-pcc/src/app/modules/meeting/meeting.component.html (1)

264-266: Duplicate label: remove inner text when using label attribute

Keep a single source of truth for the button label.

-                      <lfx-button size="small" [href]="meeting().join_url" severity="primary" label="Join Meeting" icon="fa-light fa-sign-in"
-                        >Join Meeting</lfx-button
-                      >
+                      <lfx-button size="small" [href]="meeting().join_url" severity="primary" label="Join Meeting" icon="fa-light fa-sign-in">
+                      </lfx-button>

apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.html (1)

28-76: Stepper/test-id/indicator are out of sync (1-based vs 0-based).

If currentStep is 1-based, the header should not add 1. Also tests still use 0-based panel ids (panel-0..panel-4), which keeps the previous mismatch noted earlier.

Apply:
- <div class="text-sm text-slate-500" data-testid="meeting-manage-step-indicator">Step {{ currentStep() + 1 }} of {{ totalSteps }}</div>
+ <div class="text-sm text-slate-500" data-testid="meeting-manage-step-indicator">Step {{ currentStep() }} of {{ totalSteps }}</div>
And either:

keep test ids 0-based but document it in the TS (and tests), or

switch panel test ids to 1-based to match the visible steps.

apps/lfx-pcc/src/server/services/access-check.service.ts (2)

137-162: Return type claims writer even when accessType is organizer/viewer

This mismatches call sites and weakens type safety. Use a generic flag keyed by accessType and align lookup with composite key.

-  public async addAccessToResources<T extends { uid: string }>(
+  public async addAccessToResources<T extends { uid: string }, A extends AccessCheckAccessType = 'writer'>(
     req: Request,
     resources: T[],
     resourceType: AccessCheckResourceType,
-    accessType: AccessCheckAccessType = 'writer'
-  ): Promise<(T & { writer?: boolean })[]> {
+    accessType: A = 'writer' as A
+  ): Promise<Array<T & Record<A, boolean>>> {
@@
-    return resources.map((resource) => ({
-      ...resource,
-      [accessType]: accessResults.get(resource.uid) || false,
-    }));
+    return resources.map((resource) => ({
+      ...resource,
+      [accessType]: accessResults.get(`${resourceType}:${resource.uid}#${accessType}`) || false,
+    })) as Array<T & Record<A, boolean>>;

Add near imports (outside this hunk) for clarity:

type AccessKey = `${AccessCheckResourceType}:${string}#${AccessCheckAccessType}`;

172-188: Same type issue for single-resource variant; also align key

Mirror the generic return type and composite key.

-  public async addAccessToResource<T extends { uid: string }>(
+  public async addAccessToResource<T extends { uid: string }, A extends AccessCheckAccessType = 'writer'>(
     req: Request,
     resource: T,
     resourceType: AccessCheckResourceType,
-    accessType: AccessCheckAccessType = 'writer'
-  ): Promise<T & { writer?: boolean }> {
-    const hasAccess = await this.checkSingleAccess(req, {
+    accessType: A = 'writer' as A
+  ): Promise<T & Record<A, boolean>> {
+    const hasAccess = await this.checkSingleAccess(req, {
       resource: resourceType,
       id: resource.uid,
       access: accessType,
     });
 
     return {
       ...resource,
-      [accessType]: hasAccess,
-    };
+      [accessType]: hasAccess,
+    } as T & Record<A, boolean>;

🧹 Nitpick comments (23)

apps/lfx-pcc/.env.example (1)
6-13: Clarify mixed Auth0/Authelia guidance near the renamed header.

The header now mentions Auth0/Authelia, but the note still says “Get these values from your Auth0 dashboard.” Suggest clarifying Authelia-specific sourcing and preserving the PCC_AUTH0_* naming for compatibility.

Apply:
-# Auth0/Authelia Authentication Configuration
-# Get these values from your Auth0 dashboard
+# Auth0/Authelia Authentication Configuration
+# For Auth0: get these from your tenant dashboard.
+# For Authelia (local): see README “Local Development” for the default client (id: lfx) and how to retrieve the secret.
+# Note: variable names use PCC_AUTH0_* for backward compatibility.
.github/workflows/e2e-tests.yml (1)

98-99: Good addition of M2M secret; also update messaging and harden validation step.

Add the new AUTH secret to the “E2E tests skipped” guidance so users know to configure it.

Consider set -euo pipefail and jq -e in “Validate required secrets” to fail-fast on parsing errors.

Suggested tweaks (no diff since outside this hunk):

In “E2E tests skipped” step, add:

/cloudops/managed-secrets/auth0/LFX_V2_Meeting_Join_M2M (AUTH M2M configuration)

In the validation script header, prepend:
set -euo pipefail
and change jq reads to use: jq -re '...'
README.md (3)
64-71: Strengthen local secret retrieval guidance and secret generation.

The kubectl snippet prints client secret to stdout and may land in shell history. Add a caution and an example that writes to a temp file or uses a safer method.

Provide a concrete command to generate PCC_AUTH0_SECRET.

Apply:
-     - Local Development: The default client ID is `lfx` and you can get the client secret from the k8s via `k get secrets authelia-clients -n lfx -o jsonpath='{.data.lfx}' | base64 --decode`
+     - Local Development: Default client ID is `lfx`. Retrieve the client secret from Kubernetes:
+       - Caution: avoid leaking secrets via shell history/stdout.
+       - Example:
+         ```bash
+         kubectl get secret authelia-clients -n lfx -o jsonpath='{.data.lfx}' | base64 --decode > /tmp/lfx-client-secret && chmod 600 /tmp/lfx-client-secret
+         ```
@@
-   - Set `PCC_AUTH0_SECRET` to a sufficiently long random string (32+ characters)
-     - Generate a random 32 characters long string
+   - Set `PCC_AUTH0_SECRET` to a strong random string (≥32 chars)
+     - Example:
+       ```bash
+       openssl rand -base64 48  # ~64 chars
+       ```
83-86: Update wording for LFX_V2_SERVICE description.

“query service endpoint” may be outdated; the PR refers to the LFX V2 service. Suggest rewording to avoid confusion.
-   - Set `LFX_V2_SERVICE` to your query service endpoint
+   - Set `LFX_V2_SERVICE` to your LFX V2 API gateway/service endpoint
98-100: Add an explicit production warning for NODE_TLS_REJECT_UNAUTHORIZED.

It’s easy to copy/paste into non-dev environments. Add a do-not-use-in-prod note.
-   - Set `NODE_TLS_REJECT_UNAUTHORIZED=0` when using Authelia for local authentication
+   - Set `NODE_TLS_REJECT_UNAUTHORIZED=0` when using Authelia for local authentication
+     - Warning: do not set this in production.
packages/shared/src/interfaces/project.interface.ts (1)
63-64: Mark response-only permission as readonly

Prevents accidental mutation on the client.
-  /** Write access permission for current user (response only) */
-  writer?: boolean;
+  /** Write access permission for current user (response only) */
+  readonly writer?: boolean;
packages/shared/src/interfaces/meeting.interface.ts (1)
89-90: Mark response-only permission as readonly

Same pattern as Project.writer.
-  /** Write access permission for current user (response only) */
-  organizer?: boolean;
+  /** Write access permission for current user (response only) */
+  readonly organizer?: boolean;
apps/lfx-pcc/src/app/modules/meeting/meeting.component.html (1)
132-134: Nit: add intrinsic size and lazy decoding to avoid CLS

Minor perf/accessibility improvement for the Zoom logo.
-                <img src="/images/zoom-logo.svg" alt="Zoom" class="w-auto h-4 mt-2 object-contain" />
+                <img src="/images/zoom-logo.svg" alt="Zoom" class="w-auto h-4 mt-2 object-contain"
+                     height="16" loading="lazy" decoding="async" />
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.html (1)

28-28: Prefer LFX wrappers over raw PrimeNG in app templates.

p-stepper/p-tabs/p-confirmDialog appear directly. If LFX wrappers exist, switch to them for consistency with design system.
packages/shared/src/interfaces/index.ts (1)
49-50: Drop access-check barrel re-export and update consumers
Remove the line in packages/shared/src/interfaces/index.ts:
export * from './access-check.interface';
and change all imports to point directly at the file, for example:
import {
  AccessCheckRequest,
  AccessCheckApiRequest,
  AccessCheckApiResponse,
  AccessCheckResourceType,
  AccessCheckAccessType
} from '@lfx-pcc/shared/interfaces/access-check.interface';
This refactor touches many files in both the app and server layers—please update each import accordingly.
packages/shared/src/interfaces/committee.interface.ts (1)
15-16: LGTM—writer is response-only metadata; verified no create/update payload builders include it.
Optional: mark as readonly to discourage client mutation:
-  writer?: boolean;
+  readonly writer?: boolean;
apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.html (1)
202-211: Good: “Create Meeting” CTA gated by project writer.

Consider adding a data-testid for reliable targeting, e.g., data-testid="dashboard-create-meeting-cta".
- <lfx-button
+ <lfx-button
+   data-testid="dashboard-create-meeting-cta"
    label="Create Meeting"
    icon="fa-light fa-calendar-plus"
    severity="secondary"
    size="small"
    [routerLink]="['meetings/create']"
    [relativeTo]="activatedRoute">
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-card/meeting-card.component.html (1)
56-74: Gating admin actions by organizer looks correct.

Nice narrowing with project()?.slug && meeting().organizer before showing Edit and Actions.

Optionally also render the popup menu only when organizer to keep it out of the DOM for screen readers:
- <lfx-menu #actionMenu [model]="actionMenuItems()" [popup]="true" appendTo="body"></lfx-menu>
+ @if (meeting().organizer) {
+   <lfx-menu #actionMenu [model]="actionMenuItems()" [popup]="true" appendTo="body"></lfx-menu>
+ }
apps/lfx-pcc/src/app/modules/project/meetings/meeting-dashboard/meeting-dashboard.component.html (1)
122-128: Good: “Create Meeting” gated in empty state.

Add a data-testid to the CTA for tests.
- <lfx-button
+ <lfx-button
+   data-testid="meeting-dashboard-create-cta"
    label="Create Meeting"
    icon="fa-light fa-calendar-plus"
    severity="secondary"
    routerLink="/project/{{ project()?.slug }}/meetings/create"></lfx-button>
apps/lfx-pcc/src/app/modules/project/committees/components/committee-members/committee-members.component.html (2)
10-12: Add data-testid and aria-label to the Add Member button

Helps E2E reliability and accessibility per guidelines.
-        <lfx-button label="Add Member" icon="fa-light fa-user-plus" size="small" severity="secondary" (onClick)="openAddMemberDialog()"> </lfx-button>
+        <lfx-button
+          label="Add Member"
+          icon="fa-light fa-user-plus"
+          size="small"
+          severity="secondary"
+          (onClick)="openAddMemberDialog()"
+          [attr.data-testid]="'committee-members-add'"
+          [attr.aria-label]="'Add Member'">
+        </lfx-button>
167-177: Colspan should adapt to voting columns

When voting columns are enabled, header count changes. Use dynamic colspan to avoid layout issues.
-              <td colspan="6" class="text-center py-8">
+              <td [attr.colspan]="committee()?.enable_voting ? 7 : 5" class="text-center py-8">
apps/lfx-pcc/src/app/modules/project/meetings/meeting-dashboard/meeting-dashboard.component.ts (1)
168-178: Ensure meetings load when project arrives asynchronously

Current initialization branches on this.project() at construction time; if project resolves later, streams may remain on of([]) until manual refresh.

Consider triggering refresh when project becomes available:
// Add once in constructor after setting this.project:
effect(() => {
  if (this.project()?.uid) {
    this.refresh.next();
  }
});
Or include project dependency in the observable chain (happy to draft a full patch if you prefer).

Also applies to: 181-191
apps/lfx-pcc/src/server/services/meeting.service.ts (1)
82-86: Type the access-enrichment helpers to reflect 'organizer'

AccessCheckService currently returns T & { writer?: boolean }, which under-represents the actual flag when accessType='organizer'. Adjust generics for accuracy.

Proposed change in apps/lfx-pcc/src/server/services/access-check.service.ts:
-  public async addAccessToResources<T extends { uid: string }>(
+  public async addAccessToResources<T extends { uid: string }, K extends AccessCheckAccessType = 'writer'>(
     req: Request,
     resources: T[],
     resourceType: AccessCheckResourceType,
-    accessType: AccessCheckAccessType = 'writer'
-  ): Promise<(T & { writer?: boolean })[]> {
+    accessType: K = 'writer' as K
+  ): Promise<(T & Record<K, boolean>)[]> {
     …
-    return resources.map((resource) => ({
+    return resources.map((resource) => ({
       ...resource,
-      [accessType]: accessResults.get(resource.uid) || false,
+      [accessType]: accessResults.get(resource.uid) || false,
     }));
   }
-  public async addAccessToResource<T extends { uid: string }>(
+  public async addAccessToResource<T extends { uid: string }, K extends AccessCheckAccessType = 'writer'>(
     req: Request,
     resource: T,
     resourceType: AccessCheckResourceType,
-    accessType: AccessCheckAccessType = 'writer'
-  ): Promise<T & { writer?: boolean }> {
+    accessType: K = 'writer' as K
+  ): Promise<T & Record<K, boolean>> {
     …
-    return {
+    return {
       ...resource,
-      [accessType]: hasAccess,
+      [accessType]: hasAccess,
     };
   }
apps/lfx-pcc/src/app/modules/project/committees/components/committee-table/committee-table.component.ts (1)

14-20: Prefer LFX tooltip wrapper over direct PrimeNG import

Guideline: use LFX wrapper components instead of PrimeNG directly in apps/lfx-pcc. If an LFX Tooltip exists, switch to it.

apps/lfx-pcc/src/server/services/committee.service.ts (1)

63-69: Minor: align error path with actual request

The error metadata path points to /committees/${committeeId} while the request hits /query/resources. Align for clearer logs.
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-card/meeting-card.component.ts (1)
312-334: Gate actions consistently; Add Guests by writer, Edit by organizer; guard missing slug

Keeps Edit for organizers per spec, but lets writers manage registrants. Also avoid pushing Edit with undefined slug.
-      if (!this.pastMeeting()) {
-        if (this.meeting()?.organizer) {
-          baseItems.push({
-            label: 'Add Guests',
-            icon: 'fa-light fa-plus',
-            command: () => this.openAddRegistrantModal(),
-          });
-
-          baseItems.push({
-            label: this.meeting().meeting_committees && this.meeting().meeting_committees!.length > 0 ? 'Manage Committees' : 'Connect Committees',
-            icon: 'fa-light fa-people-group',
-            command: () => this.openCommitteeModal(),
-          });
-
-          const projectSlug = this.project()?.slug;
-          baseItems.push({
-            label: 'Edit',
-            icon: 'fa-light fa-edit',
-            routerLink: ['/project', projectSlug, 'meetings', this.meeting().uid, 'edit'],
-          });
-        }
+      if (!this.pastMeeting()) {
+        const canManageRegistrants = !!(this.meeting()?.writer || this.meeting()?.organizer);
+        if (canManageRegistrants) {
+          baseItems.push({
+            label: 'Add Guests',
+            icon: 'fa-light fa-plus',
+            command: () => this.openAddRegistrantModal(),
+          });
+        }
+        if (this.meeting()?.organizer) {
+          baseItems.push({
+            label:
+              this.meeting().meeting_committees && this.meeting().meeting_committees!.length > 0
+                ? 'Manage Committees'
+                : 'Connect Committees',
+            icon: 'fa-light fa-people-group',
+            command: () => this.openCommitteeModal(),
+          });
+          const projectSlug = this.project()?.slug;
+          if (projectSlug) {
+            baseItems.push({
+              label: 'Edit',
+              icon: 'fa-light fa-edit',
+              routerLink: ['/project', projectSlug, 'meetings', this.meeting().uid, 'edit'],
+            });
+          }
+        }
apps/lfx-pcc/src/server/services/access-check.service.ts (2)

31-55: Add dedup, batching, and TTL caching to reduce load

Before calling the API: deduplicate identical checks, batch large inputs (e.g., chunks of 100–200), and cache results per user + “type:id#access” with short TTL and invalidation hooks for write ops. This will improve latency and avoid hammering LFX V2.

88-97: Avoid logging usernames in access_details

Usernames may be PII; consider dropping them or guarding behind a debug flag.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f342841 and a3968a0.

⛔ Files ignored due to path filters (1)

apps/lfx-pcc/public/images/zoom-logo.svg is excluded by !**/*.svg

📒 Files selected for processing (29)

.github/workflows/e2e-tests.yml (1 hunks)
README.md (1 hunks)
apps/lfx-pcc/.env.example (1 hunks)
apps/lfx-pcc/src/app/app.component.scss (1 hunks)
apps/lfx-pcc/src/app/modules/meeting/meeting.component.html (2 hunks)
apps/lfx-pcc/src/app/modules/project/committees/committee-dashboard/committee-dashboard.component.html (1 hunks)
apps/lfx-pcc/src/app/modules/project/committees/committee-dashboard/committee-dashboard.component.ts (0 hunks)
apps/lfx-pcc/src/app/modules/project/committees/components/committee-members/committee-members.component.html (2 hunks)
apps/lfx-pcc/src/app/modules/project/committees/components/committee-table/committee-table.component.html (2 hunks)
apps/lfx-pcc/src/app/modules/project/committees/components/committee-table/committee-table.component.ts (4 hunks)
apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.html (1 hunks)
apps/lfx-pcc/src/app/modules/project/dashboard/project-dashboard/project.component.ts (2 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-card/meeting-card.component.html (2 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-card/meeting-card.component.ts (3 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.html (4 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-manage/meeting-manage.component.ts (8 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/components/meeting-registrants/meeting-registrants.component.ts (1 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/meeting-dashboard/meeting-dashboard.component.html (1 hunks)
apps/lfx-pcc/src/app/modules/project/meetings/meeting-dashboard/meeting-dashboard.component.ts (3 hunks)
apps/lfx-pcc/src/app/shared/services/meeting.service.ts (1 hunks)
apps/lfx-pcc/src/server/services/access-check.service.ts (1 hunks)
apps/lfx-pcc/src/server/services/committee.service.ts (3 hunks)
apps/lfx-pcc/src/server/services/meeting.service.ts (3 hunks)
apps/lfx-pcc/src/server/services/project.service.ts (3 hunks)
packages/shared/src/interfaces/access-check.interface.ts (1 hunks)
packages/shared/src/interfaces/committee.interface.ts (1 hunks)
packages/shared/src/interfaces/index.ts (1 hunks)
packages/shared/src/interfaces/meeting.interface.ts (2 hunks)
packages/shared/src/interfaces/project.interface.ts (1 hunks)

💤 Files with no reviewable changes (1)

apps/lfx-pcc/src/app/modules/project/committees/committee-dashboard/committee-dashboard.component.ts

🧰 Additional context used

📓 Path-based instructions (8)

**/*.{ts,tsx}