feat: restrict order creation to users assigned to a company
All checks were successful
Staging Build / build (push) Successful in 3m31s
All checks were successful
Staging Build / build (push) Successful in 3m31s
This commit is contained in:
@@ -40,13 +40,28 @@ async function OrderDataWrapper({ orderId }: { orderId?: string }) {
|
||||
redirect(`/auth/login?next=/order${orderId ? `?id=${orderId}` : ''}`)
|
||||
}
|
||||
|
||||
// Check user role
|
||||
// Check user role and company
|
||||
const { data: userData } = await supabase
|
||||
.from('users')
|
||||
.select('role')
|
||||
.select('role, company_id')
|
||||
.eq('id', user.id)
|
||||
.single()
|
||||
|
||||
const isAdmin = userData?.role === 'admin'
|
||||
const hasCompany = !!userData?.company_id
|
||||
|
||||
if (!isAdmin && !hasCompany) {
|
||||
return (
|
||||
<div className="max-w-md mx-auto mt-12 p-6 bg-red-500/10 border border-red-500/20 rounded-2xl text-center space-y-4">
|
||||
<h2 className="text-xl font-bold text-red-400">Kein Unternehmen zugewiesen</h2>
|
||||
<p className="text-slate-400 text-sm">
|
||||
Sie müssen einem Unternehmen zugewiesen sein, um Anfragen erstellen zu können.
|
||||
Bitte wenden Sie sich an den Administrator.
|
||||
</p>
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
let initialOrder = null
|
||||
if (orderId) {
|
||||
const adminClient = createAdminClient()
|
||||
|
||||
@@ -66,6 +66,18 @@ export async function submitOrder(params: {
|
||||
const { data: { user } } = await supabase.auth.getUser()
|
||||
if (!user) throw new Error('Not authenticated')
|
||||
|
||||
// Check if user is assigned to a company or is admin
|
||||
const { data: dbUser } = await supabase
|
||||
.from('users')
|
||||
.select('role, company_id')
|
||||
.eq('id', user.id)
|
||||
.single()
|
||||
|
||||
const isAdminUser = dbUser?.role === 'admin'
|
||||
if (!isAdminUser && !dbUser?.company_id) {
|
||||
throw new Error('Sie müssen einer Firma zugewiesen sein, um eine Anfrage zu erstellen.')
|
||||
}
|
||||
|
||||
// Fetch catalog directly from DB to prevent client tampering
|
||||
const dbProducts = await getProducts()
|
||||
const dbCategories = await getCategories()
|
||||
@@ -491,7 +503,7 @@ export async function updateOrder(
|
||||
|
||||
const { data: dbUser } = await admin
|
||||
.from('users')
|
||||
.select('role')
|
||||
.select('role, company_id')
|
||||
.eq('id', user.id)
|
||||
.single()
|
||||
|
||||
@@ -502,6 +514,10 @@ export async function updateOrder(
|
||||
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
|
||||
}
|
||||
|
||||
if (!isAdmin && !dbUser?.company_id) {
|
||||
throw new Error('Sie müssen einer Firma zugewiesen sein, um diese Anfrage zu bearbeiten.')
|
||||
}
|
||||
|
||||
if (existingOrder.status === 'completed' && !isAdmin) {
|
||||
throw new Error('Abgeschlossene Anfragen können nicht mehr bearbeitet werden.')
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user