feat: enable company-wide order viewing and editing
All checks were successful
Staging Build / build (push) Successful in 3m31s

This commit is contained in:
DanielS
2026-07-04 15:41:48 +02:00
parent 149eae59c9
commit 32c2842dbd
3 changed files with 70 additions and 7 deletions

View File

@@ -26,11 +26,28 @@ export default async function MyOrdersPage() {
const { data: { user } } = await supabase.auth.getUser()
if (!user) redirect('/auth/login')
const { data: orders, error } = await supabase
.from('orders')
.select('*')
.eq('user_id', user.id)
.order('created_at', { ascending: false })
// Get user's company_id and fetch all company orders
const { data: dbUser } = await supabase
.from('users')
.select('company_id')
.eq('id', user.id)
.single()
let query = supabase.from('orders').select('*')
if (dbUser?.company_id) {
const { data: companyUsers } = await supabase
.from('users')
.select('id')
.eq('company_id', dbUser.company_id)
const userIds = (companyUsers ?? []).map(u => u.id)
query = query.in('user_id', userIds)
} else {
query = query.eq('user_id', user.id)
}
const { data: orders, error } = await query.order('created_at', { ascending: false })
return (
<div className="min-h-screen bg-[#020617] text-white px-4 py-12">

View File

@@ -508,9 +508,21 @@ export async function updateOrder(
.single()
const isAdmin = dbUser?.role === 'admin'
const isOwner = existingOrder.user_id === user.id
let isAuthorized = existingOrder.user_id === user.id
if (!isAdmin && !isOwner) {
if (!isAuthorized && dbUser?.company_id && existingOrder.user_id) {
const { data: creatorUser } = await admin
.from('users')
.select('company_id')
.eq('id', existingOrder.user_id)
.single()
if (creatorUser?.company_id === dbUser.company_id) {
isAuthorized = true
}
}
if (!isAdmin && !isAuthorized) {
throw new Error('Keine Berechtigung dieses Anfrage zu bearbeiten.')
}

View File

@@ -0,0 +1,34 @@
-- Migration: Update orders RLS policies to allow company-wide select and update access
-- 1. Drop existing policies
DROP POLICY IF EXISTS "Users can view their own orders" ON public.orders;
DROP POLICY IF EXISTS "Users can update their own orders" ON public.orders;
-- 2. Create updated SELECT policy
CREATE POLICY "Users can view their own orders" ON public.orders FOR SELECT USING (
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
OR (
EXISTS (
SELECT 1 FROM public.users u1
JOIN public.users u2 ON u1.company_id = u2.company_id
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
)
)
OR auth.uid() = user_id
);
-- 3. Create updated UPDATE policy
CREATE POLICY "Users can update their own orders" ON public.orders FOR UPDATE USING (
(SELECT role FROM public.users WHERE id = auth.uid()) = 'admin'
OR (
EXISTS (
SELECT 1 FROM public.users u1
JOIN public.users u2 ON u1.company_id = u2.company_id
WHERE u1.id = orders.user_id AND u2.id = auth.uid() AND u1.company_id IS NOT NULL
)
)
OR auth.uid() = user_id
);
-- Reload Schema Cache
NOTIFY pgrst, 'reload schema';