From 32c2842dbd04071aae4e5f7b35e73b985f099f7e Mon Sep 17 00:00:00 2001 From: DanielS Date: Sat, 4 Jul 2026 15:41:48 +0200 Subject: [PATCH] feat: enable company-wide order viewing and editing --- shop/app/my-orders/page.tsx | 27 ++++++++++++--- shop/lib/actions/orders.ts | 16 +++++++-- ...260704154500_update_orders_rls_company.sql | 34 +++++++++++++++++++ 3 files changed, 70 insertions(+), 7 deletions(-) create mode 100644 shop/supabase/migrations/20260704154500_update_orders_rls_company.sql diff --git a/shop/app/my-orders/page.tsx b/shop/app/my-orders/page.tsx index 46cd26a..077d54f 100644 --- a/shop/app/my-orders/page.tsx +++ b/shop/app/my-orders/page.tsx @@ -26,11 +26,28 @@ export default async function MyOrdersPage() { const { data: { user } } = await supabase.auth.getUser() if (!user) redirect('/auth/login') - const { data: orders, error } = await supabase - .from('orders') - .select('*') - .eq('user_id', user.id) - .order('created_at', { ascending: false }) + // Get user's company_id and fetch all company orders + const { data: dbUser } = await supabase + .from('users') + .select('company_id') + .eq('id', user.id) + .single() + + let query = supabase.from('orders').select('*') + + if (dbUser?.company_id) { + const { data: companyUsers } = await supabase + .from('users') + .select('id') + .eq('company_id', dbUser.company_id) + + const userIds = (companyUsers ?? []).map(u => u.id) + query = query.in('user_id', userIds) + } else { + query = query.eq('user_id', user.id) + } + + const { data: orders, error } = await query.order('created_at', { ascending: false }) return (
diff --git a/shop/lib/actions/orders.ts b/shop/lib/actions/orders.ts index 828bc9d..00fd8a7 100644 --- a/shop/lib/actions/orders.ts +++ b/shop/lib/actions/orders.ts @@ -508,9 +508,21 @@ export async function updateOrder( .single() const isAdmin = dbUser?.role === 'admin' - const isOwner = existingOrder.user_id === user.id + let isAuthorized = existingOrder.user_id === user.id - if (!isAdmin && !isOwner) { + if (!isAuthorized && dbUser?.company_id && existingOrder.user_id) { + const { data: creatorUser } = await admin + .from('users') + .select('company_id') + .eq('id', existingOrder.user_id) + .single() + + if (creatorUser?.company_id === dbUser.company_id) { + isAuthorized = true + } + } + + if (!isAdmin && !isAuthorized) { throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.') } diff --git a/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql b/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql new file mode 100644 index 0000000..9d84c72 --- /dev/null +++ b/shop/supabase/migrations/20260704154500_update_orders_rls_company.sql @@ -0,0 +1,34 @@ +-- Migration: Update orders RLS policies to allow company-wide select and update access + +-- 1. Drop existing policies +DROP POLICY IF EXISTS "Users can view their own orders" ON public.orders; +DROP POLICY IF EXISTS "Users can update their own orders" ON public.orders; + +-- 2. Create updated SELECT policy +CREATE POLICY "Users can view their own orders" ON public.orders FOR SELECT USING ( + (SELECT role FROM public.users WHERE id = auth.uid()) = 'admin' + OR ( + EXISTS ( + SELECT 1 FROM public.users u1 + JOIN public.users u2 ON u1.company_id = u2.company_id + WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL + ) + ) + OR auth.uid() = user_id +); + +-- 3. Create updated UPDATE policy +CREATE POLICY "Users can update their own orders" ON public.orders FOR UPDATE USING ( + (SELECT role FROM public.users WHERE id = auth.uid()) = 'admin' + OR ( + EXISTS ( + SELECT 1 FROM public.users u1 + JOIN public.users u2 ON u1.company_id = u2.company_id + WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL + ) + ) + OR auth.uid() = user_id +); + +-- Reload Schema Cache +NOTIFY pgrst, 'reload schema';