Merge pull request 'v20260113-05-reporter-menu-restrict' (#110) from v20260113-05-reporter-menu-restrict into main

Reviewed-on: #110

.last-branch

@@ -1 +1 @@
-v20260113-04-edge-initial-setup-users-exist
+v20260113-05-reporter-menu-restrict

containers/backupchecks/src/backend/app/main/routes_feedback.py

@@ -4,7 +4,7 @@ from .routes_shared import _format_datetime
 
 @main_bp.route("/feedback")
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_page():
     item_type = (request.args.get("type") or "").strip().lower()
     if item_type not in ("", "bug", "feature"):
@@ -110,7 +110,7 @@ def feedback_page():
 
 @main_bp.route("/feedback/new", methods=["GET", "POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_new():
     if request.method == "POST":
         item_type = (request.form.get("item_type") or "").strip().lower()
@@ -145,7 +145,7 @@ def feedback_new():
 
 @main_bp.route("/feedback/<int:item_id>")
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_detail(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:
@@ -200,7 +200,7 @@ def feedback_detail(item_id: int):
 
 @main_bp.route("/feedback/<int:item_id>/reply", methods=["POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_reply(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:
@@ -233,7 +233,7 @@ def feedback_reply(item_id: int):
 
 @main_bp.route("/feedback/<int:item_id>/vote", methods=["POST"])
 @login_required
-@roles_required("admin", "operator", "viewer")
+@roles_required("admin", "operator", "reporter", "viewer")
 def feedback_vote(item_id: int):
     item = FeedbackItem.query.get_or_404(item_id)
     if item.deleted_at is not None:

containers/backupchecks/src/templates/layout/base.html

@@ -68,6 +68,17 @@
         <div class="collapse navbar-collapse" id="navbarNav">
           {% if current_user.is_authenticated %}
           <ul class="navbar-nav me-auto mb-2 mb-lg-0">
+            {% if active_role == 'reporter' %}
+            <li class="nav-item">
+              <a class="nav-link" href="{{ url_for('main.reports') }}">Reports</a>
+            </li>
+            <li class="nav-item">
+              <a class="nav-link" href='{{ url_for("main.changelog_page") }}'>Changelog</a>
+            </li>
+            <li class="nav-item">
+              <a class="nav-link" href="{{ url_for('main.feedback_page') }}">Feedback</a>
+            </li>
+            {% else %}
             <li class="nav-item">
               <a class="nav-link" href="{{ url_for('main.inbox') }}">Inbox</a>
             </li>
@@ -126,6 +137,7 @@
             <li class="nav-item">
               <a class="nav-link" href="{{ url_for('main.feedback_page') }}">Feedback</a>
             </li>
+            {% endif %}
           </ul>
           <span class="navbar-text me-3">
             <a class="text-decoration-none" href="{{ url_for('main.user_settings') }}">

docs/changelog.md

@@ -27,6 +27,14 @@
 - Changed the setup check from “admin user exists” to “any user exists”, so existing environments always show the login page instead of allowing a new initial admin to be created.
 - Prevented direct access to the initial setup route when at least one user is present (redirects to login).
 
+---
+
+## v20260113-05-reporter-menu-restrict
+
+- Restricted the Reporter role to only access Dashboard, Reports, Changelog, and Feedback.
+- Updated menu rendering to hide all unauthorized menu items for Reporter users.
+- Adjusted route access to ensure Feedback pages are accessible for the Reporter role.
+
 ***
 
 ## v0.1.20