Staff Management
KitchenAsty includes a complete staff management system: role-based access control, email invitations, and an admin UI that only shows each user the pages their role can reach.

Roles
Staff accounts have one of three roles:

| Role | Description |
|---|---|
| SUPER_ADMIN | Full access to everything, including staff management |
| MANAGER | Access to all operational and configuration pages, but not staff management |
| STAFF | Access to day-to-day operational pages only |
Page Visibility by Role

| Page | Super Admin | Manager | Staff |
|---|---|---|---|
| Dashboard | ✓ | ✓ | ✓ |
| Orders | ✓ | ✓ | ✓ |
| Reservations | ✓ | ✓ | ✓ |
| Reviews | ✓ | ✓ | ✓ |
| Kitchen | ✓ | ✓ | ✓ |
| Locations | ✓ | ✓ | |
| Menu | ✓ | ✓ | |
| Coupons | ✓ | ✓ | |
| Automation | ✓ | ✓ | |
| Loyalty | ✓ | ✓ | |
| Design | ✓ | ✓ | |
| Legal | ✓ | ✓ | |
| Staff | ✓ | | |
Invite Flow
Super Admins can invite new staff members by email:
- Navigate to Staff > Invite Staff in the admin panel
- Enter the invitee's email, optional name, and desired role
- The system creates a single-use invite token (32 random bytes, hex-encoded, 7-day expiry) and emails the invitee a link containing it
- The invitee opens the link, sets their name and password, and their account is created with the role set on the invite
- The invite token is marked as used and cannot be reused

Invite tokens are:
- Single-use: marked with a `usedAt` timestamp on acceptance
- Revocable: stored in the database as queryable records, so an outstanding invite can be cancelled before it is accepted
- Time-limited: expire after 7 days

The invite link is a bearer credential: anyone who obtains it before it expires or is revoked can create the account, so treat it with the same care as a password-reset link.
Staff List
The staff list page (Super Admin only) provides:
- Search by name or email
- Filter by role (Super Admin, Manager, Staff)
- Pagination with configurable page size
- Toggle active/inactive status directly from the list
- Edit link to update staff details
Edit Staff
Super Admins can update:
- Name
- Role (cannot change your own role)
- Phone number
- Assigned location (dropdown)
- Active/inactive status (cannot deactivate yourself)
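The two self-protection rules above only hold if the server checks them; a disabled dropdown in the edit form is not enforcement. Below is an added example of that server-side check (not the project's handler) that also whitelists the editable fields listed above so a client cannot slip in extra columns. The field names (`name`, `role`, `phone`, `locationId`, `isActive`) and the function name `validateStaffUpdate` are assumptions.

```javascript
// Added example, not the project's code. Validates a staff-update request body
// against the rules in this section before it is applied to the database.
const EDITABLE_FIELDS = new Set(['name', 'role', 'phone', 'locationId', 'isActive']); // assumed column names
const ROLES = new Set(['SUPER_ADMIN', 'MANAGER', 'STAFF']);

// actor: the authenticated Super Admin making the request ({ id, role }).
// targetId: id of the staff record being edited.
// body: parsed JSON from the client.
// Returns { ok: true, patch } with only permitted fields, or { ok: false, errors }.
function validateStaffUpdate(actor, targetId, body) {
  const errors = [];
  const patch = {};

  // Reject unknown keys instead of silently dropping them, so a client that
  // tries to set e.g. `passwordHash` or `id` gets a visible error.
  for (const key of Object.keys(body)) {
    if (!EDITABLE_FIELDS.has(key)) errors.push(`field not editable: ${key}`);
    else patch[key] = body[key];
  }

  if ('role' in patch) {
    if (!ROLES.has(patch.role)) errors.push(`unknown role: ${patch.role}`);
    if (actor.id === targetId) errors.push('cannot change your own role');
  }

  if ('isActive' in patch) {
    if (typeof patch.isActive !== 'boolean') errors.push('isActive must be a boolean');
    else if (actor.id === targetId && patch.isActive === false) errors.push('cannot deactivate yourself');
  }

  return errors.length ? { ok: false, errors } : { ok: true, patch };
}

module.exports = { validateStaffUpdate };
```

The self-checks compare the actor's id from the verified session, not an id supplied in the body, so a request cannot claim to be "someone else" to get around them.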
Admin UI
The admin panel adapts to the logged-in user's role:
- Navigation: only shows links the user has permission to access
- Route guards: the `RequireRole` component redirects unauthorized users to the dashboard
- User info: the sidebar displays the user's name and role badge
- Header: shows the user's name and a logout button

These are usability measures. Hiding a link or redirecting a route does not stop a direct request to the API, which is why the same roles are enforced again in the API middleware.
API Protection
All staff endpoints are protected by three middleware layers:
- `authenticate`: requires a valid JWT
- `requireStaff`: rejects customer tokens
- `requireRole(...)`: checks the user's role against the allowed list

See the Staff API reference for endpoint details.