feat: restrict order creation to users assigned to a company
All checks were successful
Staging Build / build (push) Successful in 3m31s

This commit is contained in:
DanielS
2026-07-04 15:33:44 +02:00
parent 5f65f890ee
commit 149eae59c9
2 changed files with 34 additions and 3 deletions

View File

@@ -66,6 +66,18 @@ export async function submitOrder(params: {
const { data: { user } } = await supabase.auth.getUser()
if (!user) throw new Error('Not authenticated')
// Check if user is assigned to a company or is admin
const { data: dbUser } = await supabase
.from('users')
.select('role, company_id')
.eq('id', user.id)
.single()
const isAdminUser = dbUser?.role === 'admin'
if (!isAdminUser && !dbUser?.company_id) {
throw new Error('Sie müssen einer Firma zugewiesen sein, um eine Anfrage zu erstellen.')
}
// Fetch catalog directly from DB to prevent client tampering
const dbProducts = await getProducts()
const dbCategories = await getCategories()
@@ -491,7 +503,7 @@ export async function updateOrder(
const { data: dbUser } = await admin
.from('users')
.select('role')
.select('role, company_id')
.eq('id', user.id)
.single()
@@ -502,6 +514,10 @@ export async function updateOrder(
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
}
if (!isAdmin && !dbUser?.company_id) {
throw new Error('Sie müssen einer Firma zugewiesen sein, um diese Anfrage zu bearbeiten.')
}
if (existingOrder.status === 'completed' && !isAdmin) {
throw new Error('Abgeschlossene Anfragen können nicht mehr bearbeitet werden.')
}