diff --git a/shop/app/order/page.tsx b/shop/app/order/page.tsx index 1459014..be6e251 100644 --- a/shop/app/order/page.tsx +++ b/shop/app/order/page.tsx @@ -78,7 +78,8 @@ async function OrderDataWrapper({ orderId }: { orderId?: string }) { const isAdmin = userData?.role === 'admin' const isOwner = orderData.user_id === user.id - if (!isAdmin && !isOwner) { + const isCompanyMember = userData?.company_id && orderData.company_id === userData.company_id + if (!isAdmin && !isOwner && !isCompanyMember) { redirect('/order') } diff --git a/shop/app/order/success/page.tsx b/shop/app/order/success/page.tsx index 838a138..9356544 100644 --- a/shop/app/order/success/page.tsx +++ b/shop/app/order/success/page.tsx @@ -23,16 +23,31 @@ export default async function OrderSuccessPage({ const { data: { user } } = await supabase.auth.getUser() if (!user) redirect('/auth/login') - // Bestellung laden und prüfen ob sie dem eingeloggten User gehört + // 1. Hole Benutzerrolle und Company + const { data: dbUser } = await supabase + .from('users') + .select('role, company_id') + .eq('id', user.id) + .single() + + // 2. Hole Bestellung const { data: order, error } = await supabase .from('orders') .select('*') .eq('id', id) - .eq('user_id', user.id) .single() if (error || !order) redirect('/') + // Berechtigung prüfen + const isAdmin = dbUser?.role === 'admin' + const isOwner = order.user_id === user.id + const isCompanyMember = dbUser?.company_id && order.company_id === dbUser.company_id + + if (!isAdmin && !isOwner && !isCompanyMember) { + redirect('/') + } + const o = order as Order const items = o.order_data?.items ?? []