From 149eae59c9b1c324270ecab628769b935148de13 Mon Sep 17 00:00:00 2001 From: DanielS Date: Sat, 4 Jul 2026 15:33:44 +0200 Subject: [PATCH] feat: restrict order creation to users assigned to a company --- shop/app/order/page.tsx | 19 +++++++++++++++++-- shop/lib/actions/orders.ts | 18 +++++++++++++++++- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/shop/app/order/page.tsx b/shop/app/order/page.tsx index 90f3c39..733d542 100644 --- a/shop/app/order/page.tsx +++ b/shop/app/order/page.tsx @@ -40,13 +40,28 @@ async function OrderDataWrapper({ orderId }: { orderId?: string }) { redirect(`/auth/login?next=/order${orderId ? `?id=${orderId}` : ''}`) } - // Check user role + // Check user role and company const { data: userData } = await supabase .from('users') - .select('role') + .select('role, company_id') .eq('id', user.id) .single() + const isAdmin = userData?.role === 'admin' + const hasCompany = !!userData?.company_id + + if (!isAdmin && !hasCompany) { + return ( +
+

Kein Unternehmen zugewiesen

+

+ Sie müssen einem Unternehmen zugewiesen sein, um Anfragen erstellen zu können. + Bitte wenden Sie sich an den Administrator. +

+
+ ) + } + let initialOrder = null if (orderId) { const adminClient = createAdminClient() diff --git a/shop/lib/actions/orders.ts b/shop/lib/actions/orders.ts index 0007d4d..828bc9d 100644 --- a/shop/lib/actions/orders.ts +++ b/shop/lib/actions/orders.ts @@ -66,6 +66,18 @@ export async function submitOrder(params: { const { data: { user } } = await supabase.auth.getUser() if (!user) throw new Error('Not authenticated') + // Check if user is assigned to a company or is admin + const { data: dbUser } = await supabase + .from('users') + .select('role, company_id') + .eq('id', user.id) + .single() + + const isAdminUser = dbUser?.role === 'admin' + if (!isAdminUser && !dbUser?.company_id) { + throw new Error('Sie müssen einer Firma zugewiesen sein, um eine Anfrage zu erstellen.') + } + // Fetch catalog directly from DB to prevent client tampering const dbProducts = await getProducts() const dbCategories = await getCategories() @@ -491,7 +503,7 @@ export async function updateOrder( const { data: dbUser } = await admin .from('users') - .select('role') + .select('role, company_id') .eq('id', user.id) .single() @@ -502,6 +514,10 @@ export async function updateOrder( throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.') } + if (!isAdmin && !dbUser?.company_id) { + throw new Error('Sie müssen einer Firma zugewiesen sein, um diese Anfrage zu bearbeiten.') + } + if (existingOrder.status === 'completed' && !isAdmin) { throw new Error('Abgeschlossene Anfragen können nicht mehr bearbeitet werden.') }