diff --git a/shop/lib/actions/end-customers.ts b/shop/lib/actions/end-customers.ts index 5b10828..06728ba 100644 --- a/shop/lib/actions/end-customers.ts +++ b/shop/lib/actions/end-customers.ts @@ -74,26 +74,32 @@ export async function getEndCustomer(id: string): Promise { * Legt einen neuen Endkunden für den eingeloggten Partner an. * partner_id wird serverseitig aus der Session gesetzt (kein Client-Trust). */ -export async function createEndCustomer(formData: EndCustomerFormData): Promise { +export async function createEndCustomer(formData: EndCustomerFormData, companyId?: string): Promise { const supabase = await createClient() const { data: { user } } = await supabase.auth.getUser() if (!user) throw new Error('Not authenticated') - const { data: dbUser, error: dbUserError } = await supabase + const { data: dbUser } = await supabase .from('users') - .select('company_id') + .select('role, company_id') .eq('id', user.id) .single() - if (dbUserError || !dbUser || !dbUser.company_id) { + const isAdmin = dbUser?.role === 'admin' + const resolvedCompanyId = dbUser?.company_id || companyId + + if (!isAdmin && !resolvedCompanyId) { throw new Error('Kein Unternehmen zugewiesen.') } - const { data, error } = await supabase + // Admin ohne company_id braucht adminClient (RLS erlaubt kein INSERT ohne passende partner_id) + const client = (!dbUser?.company_id && isAdmin) ? createAdminClient() : supabase + + const { data, error } = await client .from('end_customers') .insert([{ - partner_id: dbUser.company_id, + partner_id: resolvedCompanyId || user.id, company_name: formData.company_name, vat_id: formData.vat_id || null, first_name: formData.first_name || null,