feat: enforce company authorization on order details and success pages
All checks were successful
Staging Build / build (push) Successful in 3m45s

This commit is contained in:
DanielS
2026-07-04 16:44:53 +02:00
parent 9c50ea8368
commit 6a0e882cc9
2 changed files with 19 additions and 3 deletions

View File

@@ -78,7 +78,8 @@ async function OrderDataWrapper({ orderId }: { orderId?: string }) {
const isAdmin = userData?.role === 'admin'
const isOwner = orderData.user_id === user.id
if (!isAdmin && !isOwner) {
const isCompanyMember = userData?.company_id && orderData.company_id === userData.company_id
if (!isAdmin && !isOwner && !isCompanyMember) {
redirect('/order')
}

View File

@@ -23,16 +23,31 @@ export default async function OrderSuccessPage({
const { data: { user } } = await supabase.auth.getUser()
if (!user) redirect('/auth/login')
// Bestellung laden und prüfen ob sie dem eingeloggten User gehört
// 1. Hole Benutzerrolle und Company
const { data: dbUser } = await supabase
.from('users')
.select('role, company_id')
.eq('id', user.id)
.single()
// 2. Hole Bestellung
const { data: order, error } = await supabase
.from('orders')
.select('*')
.eq('id', id)
.eq('user_id', user.id)
.single()
if (error || !order) redirect('/')
// Berechtigung prüfen
const isAdmin = dbUser?.role === 'admin'
const isOwner = order.user_id === user.id
const isCompanyMember = dbUser?.company_id && order.company_id === dbUser.company_id
if (!isAdmin && !isOwner && !isCompanyMember) {
redirect('/')
}
const o = order as Order
const items = o.order_data?.items ?? []