maternal-app/maternal-web/app/family
Andrei 2be0e90f19
fix: Enforce role-based permissions in frontend
Fixed critical permission bypass where viewers could:
- Remove family members (now only parents can)
- Invite new members (now only parents can)
- Generate share codes (now only parents can)
- Add children (now only parents can)
- Edit children (now only parents and caregivers can)
- Delete children (now only parents can)

Changes:
- Family page: Added isParent checks for all admin actions
- Children page: Added canAddChildren, canEditChildren, canDeleteChildren checks
- Both pages now use useSelectedFamily hook for consistent role access

Backend already had correct permission checks - this fixes the frontend to respect them.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-09 12:59:33 +00:00