feat: enable company-wide order viewing and editing
All checks were successful
Staging Build / build (push) Successful in 3m31s
All checks were successful
Staging Build / build (push) Successful in 3m31s
This commit is contained in:
@@ -26,11 +26,28 @@ export default async function MyOrdersPage() {
|
|||||||
const { data: { user } } = await supabase.auth.getUser()
|
const { data: { user } } = await supabase.auth.getUser()
|
||||||
if (!user) redirect('/auth/login')
|
if (!user) redirect('/auth/login')
|
||||||
|
|
||||||
const { data: orders, error } = await supabase
|
// Get user's company_id and fetch all company orders
|
||||||
.from('orders')
|
const { data: dbUser } = await supabase
|
||||||
.select('*')
|
.from('users')
|
||||||
.eq('user_id', user.id)
|
.select('company_id')
|
||||||
.order('created_at', { ascending: false })
|
.eq('id', user.id)
|
||||||
|
.single()
|
||||||
|
|
||||||
|
let query = supabase.from('orders').select('*')
|
||||||
|
|
||||||
|
if (dbUser?.company_id) {
|
||||||
|
const { data: companyUsers } = await supabase
|
||||||
|
.from('users')
|
||||||
|
.select('id')
|
||||||
|
.eq('company_id', dbUser.company_id)
|
||||||
|
|
||||||
|
const userIds = (companyUsers ?? []).map(u => u.id)
|
||||||
|
query = query.in('user_id', userIds)
|
||||||
|
} else {
|
||||||
|
query = query.eq('user_id', user.id)
|
||||||
|
}
|
||||||
|
|
||||||
|
const { data: orders, error } = await query.order('created_at', { ascending: false })
|
||||||
|
|
||||||
return (
|
return (
|
||||||
<div className="min-h-screen bg-[#020617] text-white px-4 py-12">
|
<div className="min-h-screen bg-[#020617] text-white px-4 py-12">
|
||||||
|
|||||||
@@ -508,9 +508,21 @@ export async function updateOrder(
|
|||||||
.single()
|
.single()
|
||||||
|
|
||||||
const isAdmin = dbUser?.role === 'admin'
|
const isAdmin = dbUser?.role === 'admin'
|
||||||
const isOwner = existingOrder.user_id === user.id
|
let isAuthorized = existingOrder.user_id === user.id
|
||||||
|
|
||||||
if (!isAdmin && !isOwner) {
|
if (!isAuthorized && dbUser?.company_id && existingOrder.user_id) {
|
||||||
|
const { data: creatorUser } = await admin
|
||||||
|
.from('users')
|
||||||
|
.select('company_id')
|
||||||
|
.eq('id', existingOrder.user_id)
|
||||||
|
.single()
|
||||||
|
|
||||||
|
if (creatorUser?.company_id === dbUser.company_id) {
|
||||||
|
isAuthorized = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isAdmin && !isAuthorized) {
|
||||||
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
|
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,34 @@
|
|||||||
|
-- Migration: Update orders RLS policies to allow company-wide select and update access
|
||||||
|
|
||||||
|
-- 1. Drop existing policies
|
||||||
|
DROP POLICY IF EXISTS "Users can view their own orders" ON public.orders;
|
||||||
|
DROP POLICY IF EXISTS "Users can update their own orders" ON public.orders;
|
||||||
|
|
||||||
|
-- 2. Create updated SELECT policy
|
||||||
|
CREATE POLICY "Users can view their own orders" ON public.orders FOR SELECT USING (
|
||||||
|
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
|
||||||
|
OR (
|
||||||
|
EXISTS (
|
||||||
|
SELECT 1 FROM public.users u1
|
||||||
|
JOIN public.users u2 ON u1.company_id = u2.company_id
|
||||||
|
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
|
||||||
|
)
|
||||||
|
)
|
||||||
|
OR auth.uid() = user_id
|
||||||
|
);
|
||||||
|
|
||||||
|
-- 3. Create updated UPDATE policy
|
||||||
|
CREATE POLICY "Users can update their own orders" ON public.orders FOR UPDATE USING (
|
||||||
|
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
|
||||||
|
OR (
|
||||||
|
EXISTS (
|
||||||
|
SELECT 1 FROM public.users u1
|
||||||
|
JOIN public.users u2 ON u1.company_id = u2.company_id
|
||||||
|
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
|
||||||
|
)
|
||||||
|
)
|
||||||
|
OR auth.uid() = user_id
|
||||||
|
);
|
||||||
|
|
||||||
|
-- Reload Schema Cache
|
||||||
|
NOTIFY pgrst, 'reload schema';
|
||||||
Reference in New Issue
Block a user