From 3848eb939a484eaa7af62efc264b0a91867de084 Mon Sep 17 00:00:00 2001
From: ajdj100
Date: Mon, 22 Dec 2025 21:36:10 -0500
Subject: [PATCH] Tweaked LOA API RBAC to allow full command group access
---
 api/src/routes/loa.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/api/src/routes/loa.ts b/api/src/routes/loa.ts
index de218c6..65aa115 100644
--- a/api/src/routes/loa.ts
+++ b/api/src/routes/loa.ts
@@ -26,7 +26,7 @@ router.post("/", async (req: Request, res: Response) => {
 });
 //admin posts LOA
-router.post("/admin", [requireRole("17th Administrator")], async (req: Request, res: Response) => {
+router.post("/admin", [requireRole(['17th Administrator', '17th HQ', '17th Command'])], async (req: Request, res: Response) => {
 let LOARequest = req.body as LOARequest;
 LOARequest.created_by = req.user.id;
 LOARequest.filed_date = new Date();
@@ -67,7 +67,7 @@ router.get("/history", async (req: Request, res: Response) => {
 }
 })
-router.get('/all', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
+router.get('/all', [requireRole(['17th Administrator', '17th HQ', '17th Command'])], async (req: Request, res: Response) => {
 try {
 const page = Number(req.query.page) || undefined;
 const pageSize = Number(req.query.pageSize) || undefined;
@@ -107,7 +107,7 @@ router.post('/cancel/:id', async (req: Request, res: Response) => {
 })
 //TODO: enforce admin only
-router.post('/adminCancel/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
+router.post('/adminCancel/:id', [requireRole(['17th Administrator', '17th HQ', '17th Command'])], async (req: Request, res: Response) => {
 let closer = req.user.id;
 try {
 await closeLOA(Number(req.params.id), closer);
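Review bot: The role list `['17th Administrator', '17th HQ', '17th Command']` is written out as a literal on `/admin` here and again in the `/all`, `/adminCancel/:id` and `/extend/:id` hunks, so a later rename or removal of a role can leave one route with a different access set from the others. Define it once under a name of your choosing, e.g. `const LOA_MANAGER_ROLES = ['17th Administrator', '17th HQ', '17th Command'];`, and pass `requireRole(LOA_MANAGER_ROLES)` at all four sites. `requireRole` is defined outside this diff, so confirm it accepts an array and treats it as any-of with exact string matching; if it still expects a single string, the guard may reject every caller or match in a way nobody intended. Separately, `req.body as LOARequest` is a compile-time assertion only, so every field except `created_by` and `filed_date` reaches the rest of the handler (not shown in the hunk) exactly as the client sent it, now from three roles rather than one.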
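Review bot: In `/all`, `Number(req.query.page) || undefined` and the matching `pageSize` line let negative, fractional and arbitrarily large values through, and this full listing is now reachable by three roles instead of one. Unless the query layer already clamps them (the rest of the handler is outside the hunk), bound both before use, for example `const pageSize = Math.min(MAX_PAGE_SIZE, Math.trunc(Number(req.query.pageSize))) || undefined;`, where `MAX_PAGE_SIZE` is a suggested constant sized for this API. Values below 1 should be rejected with a 400 instead of being passed on.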
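Review bot: The `//TODO: enforce admin only` comment above `/adminCancel/:id` no longer describes the code: the route is already guarded by `requireRole`, and after this change it is deliberately not admin-only. The same holds for `// TODO: Enforce admin only` above `/extend/:id` in the last hunk. Replace both with a statement of the actual policy, such as `// Restricted to 17th Administrator, 17th HQ and 17th Command`. In this handler `Number(req.params.id)` yields `NaN` for a non-numeric id and is passed straight to `closeLOA`; adding `const id = Number(req.params.id);` and `if (!Number.isInteger(id)) return res.sendStatus(400);` before the call keeps malformed ids out of the data layer. The handler continues past the end of the hunk.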
@@ -119,7 +119,7 @@ router.post('/adminCancel/:id', [requireRole("17th Administrator")], async (req:
 })
 // TODO: Enforce admin only
-router.post('/extend/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
+router.post('/extend/:id', [requireRole(['17th Administrator', '17th HQ', '17th Command'])], async (req: Request, res: Response) => {
 const to: Date = req.body.to;
 if (!to) {
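Review bot: `const to: Date = req.body.to;` in `/extend/:id` annotates the value as a `Date`, but nothing shown in the hunk converts or checks it; the only test is `if (!to)`, so any truthy value passes. If the body arrives as JSON (the parser is not visible in this diff), `to` is a string at runtime and the annotation hides that from the compiler. Parse and validate explicitly, e.g. `const to = new Date(req.body.to);` followed by `if (Number.isNaN(to.getTime()))` on the existing rejection path. Also consider refusing an extension date that is not later than the LOA's current end. The handler continues past the end of the hunk, so later validation may already exist.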