fix: permissions not restricted for certain management pages / actions (#1219)

* fix: restrict parts of manage navigation to admins

* fix: restrict stats cards on manage home page

* fix: restrict access to amount of certain stats for manage home

* fix: restrict visibility of board create button

* fix: restrict access to integration pages

* fix: restrict access to tools pages for admins

* fix: restrict access to user and group pages

* test: adjust tests to match permission changes for routes

* fix: remove certain pages from spotlight without admin

* fix: app management not restricted

packages/api/src/router/cron-jobs.ts

@@ -6,20 +6,23 @@ import { createCronJobStatusChannel } from "@homarr/cron-job-status";
 import { jobGroup } from "@homarr/cron-jobs";
 import { logger } from "@homarr/log";
 
-import { createTRPCRouter, publicProcedure } from "../trpc";
+import { createTRPCRouter, permissionRequiredProcedure } from "../trpc";
 
 export const cronJobsRouter = createTRPCRouter({
-  triggerJob: publicProcedure.input(jobNameSchema).mutation(async ({ input }) => {
-    await triggerCronJobAsync(input);
-  }),
-  getJobs: publicProcedure.query(() => {
+  triggerJob: permissionRequiredProcedure
+    .requiresPermission("admin")
+    .input(jobNameSchema)
+    .mutation(async ({ input }) => {
+      await triggerCronJobAsync(input);
+    }),
+  getJobs: permissionRequiredProcedure.requiresPermission("admin").query(() => {
     const registry = jobGroup.getJobRegistry();
     return [...registry.values()].map((job) => ({
       name: job.name,
       expression: job.cronExpression,
     }));
   }),
-  subscribeToStatusUpdates: publicProcedure.subscription(() => {
+  subscribeToStatusUpdates: permissionRequiredProcedure.requiresPermission("admin").subscription(() => {
     return observable<TaskStatus>((emit) => {
       const unsubscribes: (() => void)[] = [];