Role-based access control enforcement hardening
FixedFixed in v3.19.0 · 2026-06-07
We closed gaps where some authorization checks weren't consistently enforced: certain entity-write actions and the Settings area could be reached by roles that shouldn't have had access. Role permissions are now enforced on entity writes, Settings is restricted to administrators and managers, and the Manager system role was completed so role names resolve correctly. No abuse was observed; this tightens least-privilege enforcement across the admin application.