feat: enable company-wide order viewing and editing
All checks were successful
Staging Build / build (push) Successful in 3m31s
All checks were successful
Staging Build / build (push) Successful in 3m31s
This commit is contained in:
@@ -26,11 +26,28 @@ export default async function MyOrdersPage() {
|
||||
const { data: { user } } = await supabase.auth.getUser()
|
||||
if (!user) redirect('/auth/login')
|
||||
|
||||
const { data: orders, error } = await supabase
|
||||
.from('orders')
|
||||
.select('*')
|
||||
.eq('user_id', user.id)
|
||||
.order('created_at', { ascending: false })
|
||||
// Get user's company_id and fetch all company orders
|
||||
const { data: dbUser } = await supabase
|
||||
.from('users')
|
||||
.select('company_id')
|
||||
.eq('id', user.id)
|
||||
.single()
|
||||
|
||||
let query = supabase.from('orders').select('*')
|
||||
|
||||
if (dbUser?.company_id) {
|
||||
const { data: companyUsers } = await supabase
|
||||
.from('users')
|
||||
.select('id')
|
||||
.eq('company_id', dbUser.company_id)
|
||||
|
||||
const userIds = (companyUsers ?? []).map(u => u.id)
|
||||
query = query.in('user_id', userIds)
|
||||
} else {
|
||||
query = query.eq('user_id', user.id)
|
||||
}
|
||||
|
||||
const { data: orders, error } = await query.order('created_at', { ascending: false })
|
||||
|
||||
return (
|
||||
<div className="min-h-screen bg-[#020617] text-white px-4 py-12">
|
||||
|
||||
@@ -508,9 +508,21 @@ export async function updateOrder(
|
||||
.single()
|
||||
|
||||
const isAdmin = dbUser?.role === 'admin'
|
||||
const isOwner = existingOrder.user_id === user.id
|
||||
let isAuthorized = existingOrder.user_id === user.id
|
||||
|
||||
if (!isAdmin && !isOwner) {
|
||||
if (!isAuthorized && dbUser?.company_id && existingOrder.user_id) {
|
||||
const { data: creatorUser } = await admin
|
||||
.from('users')
|
||||
.select('company_id')
|
||||
.eq('id', existingOrder.user_id)
|
||||
.single()
|
||||
|
||||
if (creatorUser?.company_id === dbUser.company_id) {
|
||||
isAuthorized = true
|
||||
}
|
||||
}
|
||||
|
||||
if (!isAdmin && !isAuthorized) {
|
||||
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
-- Migration: Update orders RLS policies to allow company-wide select and update access
|
||||
|
||||
-- 1. Drop existing policies
|
||||
DROP POLICY IF EXISTS "Users can view their own orders" ON public.orders;
|
||||
DROP POLICY IF EXISTS "Users can update their own orders" ON public.orders;
|
||||
|
||||
-- 2. Create updated SELECT policy
|
||||
CREATE POLICY "Users can view their own orders" ON public.orders FOR SELECT USING (
|
||||
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
|
||||
OR (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.users u1
|
||||
JOIN public.users u2 ON u1.company_id = u2.company_id
|
||||
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
|
||||
)
|
||||
)
|
||||
OR auth.uid() = user_id
|
||||
);
|
||||
|
||||
-- 3. Create updated UPDATE policy
|
||||
CREATE POLICY "Users can update their own orders" ON public.orders FOR UPDATE USING (
|
||||
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
|
||||
OR (
|
||||
EXISTS (
|
||||
SELECT 1 FROM public.users u1
|
||||
JOIN public.users u2 ON u1.company_id = u2.company_id
|
||||
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
|
||||
)
|
||||
)
|
||||
OR auth.uid() = user_id
|
||||
);
|
||||
|
||||
-- Reload Schema Cache
|
||||
NOTIFY pgrst, 'reload schema';
|
||||
Reference in New Issue
Block a user