Release Notes — May 10, 2026
This release delivers a permission system correction that fixes a 403 error on task routes for workspace admins, removes an over-privilege from the workspace member role, and standardizes unit roles across all existing workspaces.
Permission system correction
Bug fix: workspace admin received 403 on task routes
Workspace admin users were receiving a 403 Forbidden error when accessing task-related API endpoints. The root cause was a missing tasks.view permission in the workspace_admin role definition across existing unit databases.
The fix applies to all existing workspaces automatically — no action is required.
Bug fix: workspace member had tasks.delete over-privilege
The workspace_member role incorrectly included the tasks.delete permission. According to the intended permission model (and the published permission matrix), only Manager and Owner roles should be able to delete tasks.
This over-privilege has been removed from all existing workspace member roles.
Unit roles standardized
The member and manager unit-level roles have been synchronized to match the global role templates across all units:
- member: now consistently includes settings.view, tasks.view, and rates.view
- manager: standardized weight (60) and permission set (≥ 12 permissions)
New units are unaffected going forward
The role copy service (roleCopy.service) now uses idempotent upserts when provisioning roles for newly created units. This ensures new units always start with the correct permission set even if provisioning is retried.
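The two role corrections and the idempotent provisioning described above can be checked with a drift audit like the following. This is an added example, not the project's code: the `Rule` and `Finding` types, the `audit`, `repair` and `sampleWorkspace` functions, and the in-memory role map are assumptions, and the sample workspace state is constructed.

```typescript
// Added example; type and function names are hypothetical, not the project's API.
type Rule = { role: string; mustHave: string[]; mustNotHave: string[] };
type Finding = { role: string; missing: string[]; overPrivileged: string[] };

// Rules taken from these notes only; the full permission matrix is not reproduced.
const RULES: Rule[] = [
  { role: "workspace_admin", mustHave: ["tasks.view", "reports.advanced"], mustNotHave: [] },
  { role: "workspace_member", mustHave: [], mustNotHave: ["tasks.delete"] },
];

// Report drift for one workspace's roles (role name -> granted permissions).
function audit(roles: Map<string, Set<string>>): Finding[] {
  const findings: Finding[] = [];
  for (const rule of RULES) {
    const granted = roles.get(rule.role) ?? new Set<string>();
    const missing = rule.mustHave.filter((p) => !granted.has(p));
    const overPrivileged = rule.mustNotHave.filter((p) => granted.has(p));
    if (missing.length > 0 || overPrivileged.length > 0) {
      findings.push({ role: rule.role, missing, overPrivileged });
    }
  }
  return findings;
}

// Idempotent repair with upsert semantics: a retried run changes nothing further.
// Returns the number of grants added or revoked.
function repair(roles: Map<string, Set<string>>): number {
  let changes = 0;
  for (const rule of RULES) {
    const granted = roles.get(rule.role) ?? new Set<string>();
    for (const p of rule.mustHave) {
      if (!granted.has(p)) { granted.add(p); changes++; }
    }
    for (const p of rule.mustNotHave) {
      if (granted.delete(p)) changes++;
    }
    roles.set(rule.role, granted);
  }
  return changes;
}

// Constructed pre-fix state for one workspace (sample data, not from a real tenant).
function sampleWorkspace(): Map<string, Set<string>> {
  return new Map([
    ["workspace_admin", new Set(["settings.view"])],
    ["workspace_member", new Set(["tasks.view", "tasks.delete"])],
  ]);
}
```

Running `audit` before and after `repair` gives a per-workspace record of which grants were missing and which were excessive, and a second `repair` returning 0 confirms the retry is a no-op.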
Summary of changes
| Layer | Change |
|---|---|
| Backend DB migration | workspace_admin: added tasks.view, reports.advanced to all existing workspace roles |
| Backend DB migration | workspace_member: removed tasks.delete over-privilege from all existing workspace roles |
| Backend DB migration | Unit member and manager roles synchronized from global templates across all units |
| Backend DB migration | WorkspaceMember.permissions denormalized array re-synced from updated workspace roles |
| Backend roleCopy.service.ts | Unit-scope role and permission copy now uses upsert (idempotent) |
| Backend syncPermissions.routes.ts | New admin endpoint: POST /api/v1/admin/sync-permissions/units/:unitId |