fix: query orders using admin client in admin routes to bypass RLS and show all orders to admin
All checks were successful
Staging Build / build (push) Successful in 3m24s

This commit is contained in:
DanielS
2026-06-25 23:30:29 +02:00
parent 45fb87d589
commit da7bd91b6f
3 changed files with 24 additions and 8 deletions

View File

@@ -1,11 +1,12 @@
import { createClient } from '@/lib/supabase/server'
import { createAdminClient } from '@/lib/supabase/admin'
import { NextResponse } from 'next/server'
/**
* GET /api/admin/recent-orders
* Gibt die letzten 10 Bestellungen und Umsatzdaten der letzten 6 Monate zurück.
* Wird vom Admin-Dashboard alle 30 Sekunden gepollt.
* Zugriff nur für authentifizierte User (Supabase Session).
* Zugriff nur für authentifizierte User mit Admin-Rolle (bypasses RLS).
*/
export async function GET() {
const supabase = await createClient()
@@ -16,8 +17,21 @@ export async function GET() {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
// Admin-Rolle prüfen
const { data: userData } = await supabase
.from('users')
.select('role')
.eq('id', user.id)
.single()
if (!userData || userData.role !== 'admin') {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
const adminDb = createAdminClient()
// 1. Letzte 10 Bestellungen laden
const { data: orders, error } = await supabase
const { data: orders, error } = await adminDb
.from('orders')
.select('id, order_number, created_at, total_price, status, customer_data')
.order('created_at', { ascending: false })
@@ -33,7 +47,7 @@ export async function GET() {
sixMonthsAgo.setDate(1)
sixMonthsAgo.setHours(0, 0, 0, 0)
const { data: chartOrders, error: chartError } = await supabase
const { data: chartOrders, error: chartError } = await adminDb
.from('orders')
.select('total_price, created_at')
.neq('status', 'cancelled')