From 8df8e30092904b30bf08e270d203af3b9a76e8cf Mon Sep 17 00:00:00 2001
From: Marco Gallegos
Date: Thu, 4 Sep 2025 19:49:55 -0600
Subject: [PATCH] fix: Correct user role permissions and restrict dashboard/settings access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix setupUIForRole selector to use correct data-tab attributes
- Hide Dashboard and Settings tabs for regular users (non-admin)
- Remove delete buttons from sales table for regular users
- Set initial tab to 'Ventas' for regular users instead of Dashboard
- Add comprehensive logging for role setup debugging
- Update cache buster to v=101.0 for proper browser refresh

Security improvements:
- Regular users: Access to Ventas, Clientes, Productos only
- Admin users: Full access to all sections including Dashboard/Settings
- Proper enforcement of user role restrictions in UI

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 app.js | 42 ++++++++++++++++++++++++++++++------------
 index.html | 2 +-
 2 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/app.js b/app.js
index ace20bb..d574600 100644
--- a/app.js
+++ b/app.js
@@ -1,5 +1,5 @@
 import { load, save, remove, KEY_DATA, KEY_SETTINGS, KEY_CLIENTS } from './storage.js';
-import { renderTicketAndPrint } from './print.js?v=99.9';
+import { renderTicketAndPrint } from './print.js?v=101.0';
 // --- UTILITIES ---
 function escapeHTML(str) {
@@ -818,12 +818,15 @@ function renderTable() {
 tr.insertCell().textContent = Number(mov.monto).toFixed(2);
 const actionsCell = tr.insertCell();
- const deleteButton = document.createElement('button');
- deleteButton.className = 'action-btn';
- deleteButton.dataset.id = mov.id;
- deleteButton.dataset.action = 'delete';
- deleteButton.textContent = 'Eliminar';
- actionsCell.appendChild(deleteButton);
+ // Solo mostrar botón de eliminar para administradores
+ if (currentUser && currentUser.role === 'admin') {
+ const deleteButton = document.createElement('button');
+ deleteButton.className = 'action-btn';
+ deleteButton.dataset.id = mov.id;
+ deleteButton.dataset.action = 'delete';
+ deleteButton.textContent = 'Eliminar';
+ actionsCell.appendChild(deleteButton);
+ }
 });
 }
@@ -1594,11 +1597,16 @@ function handleTestTicket() {
 }
 function setupUIForRole(role) {
- const dashboardTab = document.querySelector('[data-tab="dashboard"]');
- const settingsTab = document.querySelector('[data-tab="settings"]');
+ console.log('SETUP UI FOR ROLE:', role);
+
+ const dashboardTab = document.querySelector('[data-tab="tab-dashboard"]');
+ const settingsTab = document.querySelector('[data-tab="tab-settings"]');
 const userManagementSection = document.getElementById('user-management-section');
 const staffInput = document.getElementById('m-staff');
 const dbInfoIcon = document.getElementById('db-info-icon');
+
+ console.log('Dashboard tab found:', !!dashboardTab);
+ console.log('Settings tab found:', !!settingsTab);
 if (role === 'admin') {
 if (dashboardTab) dashboardTab.style.display = 'block';
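Review bot: Omitting the delete button for non-admin users only changes what renderTable draws; the click handler that dispatches on `data-action="delete"` (outside this hunk) will still run for any element carrying that attribute, and the browser's user controls the DOM, so the `currentUser.role === 'admin'` test has to be repeated in that handler and, ideally, in the storage call that actually removes the movement. The same limitation applies to the setupUIForRole hunks that follow: `style.display = 'none'` hides the Dashboard and Settings tabs but leaves their panels in the page and `activateTab('tab-dashboard')` callable, so `activateTab` should refuse those two ids for non-admin roles as well. `currentUser` is not visible in this hunk; I assume it is the module-level session object set at login. renderTable's body starts outside the hunk.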
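Review bot: `console.log('SETUP UI FOR ROLE:', role)` and the two `'... tab found:'` lines are debugging output left in the shipped function; the commit message itself calls them debugging, so they should be removed or put behind a debug flag before merge, together with the three `console.log` calls added to the else branch in the next hunk. The selector change to `[data-tab="tab-dashboard"]` is the real fix and deserves a short comment where the constants are declared, e.g. `// data-tab values carry the 'tab-' prefix that activateTab() expects`, so the previous silent querySelector miss is not reintroduced. setupUIForRole continues past the end of this hunk.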
@@ -1617,8 +1625,16 @@ function setupUIForRole(role) {
 })
 .catch(err => console.error(err));
 } else {
- if (dashboardTab) dashboardTab.style.display = 'block';
- if (settingsTab) settingsTab.style.display = 'block';
+ // Usuario regular: NO acceso a Dashboard y Configuración
+ console.log('CONFIGURANDO PARA USER REGULAR - OCULTANDO TABS');
+ if (dashboardTab) {
+ dashboardTab.style.display = 'none';
+ console.log('Dashboard tab oculto');
+ }
+ if (settingsTab) {
+ settingsTab.style.display = 'none';
+ console.log('Settings tab oculto');
+ }
 if (userManagementSection) userManagementSection.style.display = 'none';
 if (dbInfoIcon) dbInfoIcon.style.display = 'none';
 }
@@ -1824,7 +1840,9 @@ async function initializeApp() {
 setupUIForRole(currentUser.role);
 console.log('Activating initial tab...');
- activateTab('tab-dashboard');
+ // Usuario regular va a ventas, admin va a dashboard
+ const initialTab = currentUser.role === 'admin' ? 'tab-dashboard' : 'tab-ventas';
+ activateTab(initialTab);
 console.log('Activating client sub-tab...');
 activateClientSubTab('sub-tab-register');
diff --git a/index.html b/index.html
index cca7392..5f63e71 100644
--- a/index.html
+++ b/index.html
@@ -629,6 +629,6 @@
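Review bot: The admin test `currentUser.role === 'admin'` is now written out in three places in this commit (here, in renderTable and via the `role` argument in setupUIForRole) with two different null-handling styles — renderTable guards with `currentUser &&`, this line does not. Keeping the rule in one helper, e.g. `const isAdmin = () => currentUser?.role === 'admin';` (or `currentUser && currentUser.role === 'admin'` if the build target predates optional chaining), and using it at all three sites means a later change to roles cannot leave one check behind; this line would become `const initialTab = isAdmin() ? 'tab-dashboard' : 'tab-ventas';`. initializeApp continues outside the hunk on both sides.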
- + \ No newline at end of file