diff --git a/shop/app/my-orders/page.tsx b/shop/app/my-orders/page.tsx
index 46cd26a..077d54f 100644
--- a/shop/app/my-orders/page.tsx
+++ b/shop/app/my-orders/page.tsx
@@ -26,11 +26,28 @@ export default async function MyOrdersPage() {
const { data: { user } } = await supabase.auth.getUser()
if (!user) redirect('/auth/login')
- const { data: orders, error } = await supabase
- .from('orders')
- .select('*')
- .eq('user_id', user.id)
- .order('created_at', { ascending: false })
+ // Get user's company_id and fetch all company orders
+ const { data: dbUser } = await supabase
+ .from('users')
+ .select('company_id')
+ .eq('id', user.id)
+ .single()
+
+ let query = supabase.from('orders').select('*')
+
+ if (dbUser?.company_id) {
+ const { data: companyUsers } = await supabase
+ .from('users')
+ .select('id')
+ .eq('company_id', dbUser.company_id)
+
+ const userIds = (companyUsers ?? []).map(u => u.id)
+ query = query.in('user_id', userIds)
+ } else {
+ query = query.eq('user_id', user.id)
+ }
+
+ const { data: orders, error } = await query.order('created_at', { ascending: false })
return (
diff --git a/shop/lib/actions/orders.ts b/shop/lib/actions/orders.ts
index 828bc9d..00fd8a7 100644
--- a/shop/lib/actions/orders.ts
+++ b/shop/lib/actions/orders.ts
@@ -508,9 +508,21 @@ export async function updateOrder(
.single()
const isAdmin = dbUser?.role === 'admin'
- const isOwner = existingOrder.user_id === user.id
+ let isAuthorized = existingOrder.user_id === user.id
- if (!isAdmin && !isOwner) {
+ if (!isAuthorized && dbUser?.company_id && existingOrder.user_id) {
+ const { data: creatorUser } = await admin
+ .from('users')
+ .select('company_id')
+ .eq('id', existingOrder.user_id)
+ .single()
+
+ if (creatorUser?.company_id === dbUser.company_id) {
+ isAuthorized = true
+ }
+ }
+
+ if (!isAdmin && !isAuthorized) {
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
}
diff --git a/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql b/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql
new file mode 100644
index 0000000..9d84c72
--- /dev/null
+++ b/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql
@@ -0,0 +1,34 @@
+-- Migration: Update orders RLS policies to allow company-wide select and update access
+
+-- 1. Drop existing policies
+DROP POLICY IF EXISTS "Users can view their own orders" ON public.orders;
+DROP POLICY IF EXISTS "Users can update their own orders" ON public.orders;
+
+-- 2. Create updated SELECT policy
+CREATE POLICY "Users can view their own orders" ON public.orders FOR SELECT USING (
+ (SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
+ OR (
+ EXISTS (
+ SELECT 1 FROM public.users u1
+ JOIN public.users u2 ON u1.company_id = u2.company_id
+ WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
+ )
+ )
+ OR auth.uid() = user_id
+);
+
+-- 3. Create updated UPDATE policy
+CREATE POLICY "Users can update their own orders" ON public.orders FOR UPDATE USING (
+ (SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
+ OR (
+ EXISTS (
+ SELECT 1 FROM public.users u1
+ JOIN public.users u2 ON u1.company_id = u2.company_id
+ WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
+ )
+ )
+ OR auth.uid() = user_id
+);
+
+-- Reload Schema Cache
+NOTIFY pgrst, 'reload schema';