Jan/RFP_Finanzen
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rollen Freigaben Push und Beleg Upload ueberarbeiten
All checks were successful
CI / Build (push) Successful in 2m6s
Details
CI / Deploy (push) Successful in 2m11s
Details

Browse Source
This commit is contained in:
jan
2026-05-01 15:50:37 +02:00
parent f947908f0e
commit 549c8f16c6
34 changed files with 1354 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/app/api/audit-logs/[id]/restore/route.ts
View File

@@ -64,6 +64,24 @@ function asApprovalPermissions(value: unknown) {
);
}
function asRole(value: unknown) {
const role = asString(value, "Rolle");
switch (role) {
case "ADMIN":
case "BOARD":
return "BOARD";
case "ORGA":
return "ORGA";
case "FINANCE":
return "FINANCE";
case "MEMBER":
return "MEMBER";
default:
throw new Error("Rolle ist im Änderungsverlauf ungültig.");
}
}
export async function POST(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
@@ -73,7 +91,7 @@ export async function POST(_: Request, { params }: Context) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zustände zurücksetzen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zustände zurücksetzen." }, { status: 403 });
}
const auditLog = await prisma.auditLog.findUnique({
@@ -383,10 +401,10 @@ export async function POST(_: Request, { params }: Context) {
throw new Error("Der Nutzer hat bereits Ausgaben oder Freigaben und kann nicht automatisch entfernt werden.");
}
if (user.role === "ADMIN") {
if (user.role === "BOARD") {
const adminCount = await tx.user.count({
where: {
role: "ADMIN"
role: "BOARD"
}
});
@@ -411,7 +429,7 @@ export async function POST(_: Request, { params }: Context) {
username: asString(deleted.username, "Login-Name"),
email: asNullableString(deleted.email),
passwordHash: asString(deleted.passwordHash, "Passworthash"),
role: asString(deleted.role, "Rolle") as "ADMIN" | "FINANCE" | "MEMBER",
role: asRole(deleted.role),
approvalPreference: asNullableString(deleted.approvalPreference) as "CHAIR_A" | "CHAIR_B" | "FINANCE" | null,
approvalPermissions: asApprovalPermissions(deleted.approvalPermissions),
workingGroupId: asNullableString(deleted.workingGroupId),
@@ -423,7 +441,7 @@ export async function POST(_: Request, { params }: Context) {
case "user.update": {
const previous = asRecord(rollback.previous, "Nutzer");
const role = asString(previous.role, "Rolle") as "ADMIN" | "FINANCE" | "MEMBER";
const role = asRole(previous.role);
await tx.user.update({
where: {

4
src/app/api/budgets/[id]/route.ts
View File

@@ -40,7 +40,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets aendern." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets aendern." }, { status: 403 });
}
const budget = await prisma.budget.findUnique({
@@ -115,7 +115,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets loeschen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets loeschen." }, { status: 403 });
}
const budget = await prisma.budget.findUnique({

2
src/app/api/budgets/route.ts
View File

@@ -34,7 +34,7 @@ export async function POST(request: Request) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets verwalten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets verwalten." }, { status: 403 });
}
const body = await request.json().catch(() => null);

4
src/app/api/expenses/[id]/documented/route.ts
View File

@@ -27,7 +27,7 @@ export async function POST(request: Request, { params }: Context) {
}
if (!canDocumentExpense(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen dokumentieren." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein oder AG Finanzen duerfen dokumentieren." }, { status: 403 });
}
const expense = await prisma.expense.findUnique({
@@ -50,7 +50,7 @@ export async function POST(request: Request, { params }: Context) {
const parsed = documentedSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Beleg-URL ist ungueltig." }, { status: 400 });
return NextResponse.json({ error: "Beleg-Link ist ungueltig." }, { status: 400 });
}
const updatedExpense = await prisma.expense.update({

2
src/app/api/expenses/[id]/paid/route.ts
View File

@@ -20,7 +20,7 @@ export async function POST(_: Request, { params }: Context) {
}
if (!canMarkPaid(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Bezahlt setzen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein oder AG Finanzen duerfen Bezahlt setzen." }, { status: 403 });
}
const expense = await prisma.expense.findUnique({

67
src/app/api/expenses/[id]/proof/route.ts Normal file
View File

@@ -0,0 +1,67 @@
import { NextResponse } from "next/server";
import { canDocumentExpense } from "@/lib/domain";
import { uploadExpenseProofToDrive } from "@/lib/google-drive";
import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
const ACCEPTED_MIME_TYPES = new Set(["application/pdf", "image/jpeg", "image/png", "image/webp", "image/heic", "image/heif"]);
const MAX_FILE_SIZE = 12 * 1024 * 1024;
type Context = {
params: Promise<{
id: string;
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
}
const expense = await prisma.expense.findUnique({
where: { id }
});
if (!expense) {
return NextResponse.json({ error: "Ausgabe nicht gefunden." }, { status: 404 });
}
if (expense.creatorId !== viewer.id && !canDocumentExpense(viewer.role)) {
return NextResponse.json({ error: "Du darfst fuer diese Ausgabe keinen Beleg hochladen." }, { status: 403 });
}
const formData = await request.formData().catch(() => null);
const file = formData?.get("file");
if (!(file instanceof File)) {
return NextResponse.json({ error: "Bitte einen Beleg als Bild oder PDF auswaehlen." }, { status: 400 });
}
if (!ACCEPTED_MIME_TYPES.has(file.type)) {
return NextResponse.json({ error: "Nur Bilder und PDFs sind als Beleg erlaubt." }, { status: 400 });
}
if (file.size > MAX_FILE_SIZE) {
return NextResponse.json({ error: "Der Beleg darf maximal 12 MB gross sein." }, { status: 400 });
}
const proofUrl = await uploadExpenseProofToDrive({
title: expense.title,
fileName: file.name,
mimeType: file.type,
buffer: Buffer.from(await file.arrayBuffer())
});
const updatedExpense = await prisma.expense.update({
where: { id: expense.id },
data: {
proofUrl
}
});
return NextResponse.json({ proofUrl, expense: updatedExpense });
}

3
src/app/api/expenses/[id]/route.ts
View File

@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
import { snapshotExpense } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
import { hasAdministrativeAccess } from "@/lib/domain";
import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
@@ -27,7 +28,7 @@ export async function DELETE(_: Request, { params }: Context) {
return NextResponse.json({ error: "Ausgabe nicht gefunden." }, { status: 404 });
}
const isAdminDelete = viewer.role === "ADMIN" || viewer.role === "FINANCE";
const isAdminDelete = hasAdministrativeAccess(viewer.role);
const isOwnPendingExpense =
viewer.id === expense.creatorId &&
expense.approvalStatus === "PENDING" &&

17
src/app/api/expenses/route.ts
View File

@@ -4,8 +4,9 @@ import { z } from "zod";
import { getAppSettings, toApprovalThresholdNumber } from "@/lib/app-settings";
import { snapshotExpense } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
import { canCreateExpenseForGroup, requiresManualApproval } from "@/lib/domain";
import { APPROVAL_FLOW, canCreateExpenseForGroup, requiresManualApproval } from "@/lib/domain";
import prisma from "@/lib/prisma";
import { notifyApprovalRequest } from "@/lib/push-notifications";
import { getCurrentViewer } from "@/lib/session";
function parseDateInput(value: string) {
@@ -100,6 +101,7 @@ export async function POST(request: Request) {
? parsed.data.recurrenceStartAt
: null;
const needsManualApproval = requiresManualApproval(parsed.data.amount, approvalThreshold);
const expense = await prisma.expense.create({
data: {
title: parsed.data.title,
@@ -112,10 +114,21 @@ export async function POST(request: Request) {
proofUrl: parsed.data.proofUrl,
recurrence: parsed.data.recurrence,
recurrenceStartAt,
approvalStatus: requiresManualApproval(parsed.data.amount, approvalThreshold) ? "PENDING" : "APPROVED"
approvalStatus: needsManualApproval ? "PENDING" : "APPROVED"
}
});
if (needsManualApproval) {
await notifyApprovalRequest(
{
id: expense.id,
title: expense.title,
amount: Number(expense.amount)
},
[...APPROVAL_FLOW]
);
}
await createAuditLog(prisma, {
actorId: viewer.id,
action: "expense.create",

2
src/app/api/export/csv/route.ts
View File

@@ -67,7 +67,7 @@ export async function GET() {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen CSV-Backups herunterladen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen CSV-Backups herunterladen." }, { status: 403 });
}
const [appSettings, users, accountingPeriods, workingGroups, auditLogs] = await Promise.all([

21
src/app/api/import/csv/route.ts
View File

@@ -28,9 +28,24 @@ function toNumber(value: string | undefined) {
return Number.isFinite(parsed) ? parsed : null;
}
function toRole(value: string | undefined): "BOARD" | "ORGA" | "FINANCE" | "MEMBER" {
switch (value) {
case "ADMIN":
case "BOARD":
return "BOARD";
case "ORGA":
return "ORGA";
case "FINANCE":
return "FINANCE";
case "MEMBER":
default:
return "MEMBER";
}
}
function toApprovalPermissions(
value: string | undefined,
role: "ADMIN" | "FINANCE" | "MEMBER",
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER",
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null
) {
const explicitPermissions = value
@@ -51,7 +66,7 @@ export async function POST(request: Request) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Backups einspielen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Backups einspielen." }, { status: 403 });
}
const formData = await request.formData().catch(() => null);
@@ -145,7 +160,7 @@ export async function POST(request: Request) {
}
for (const row of userRows) {
const role = row.role as "ADMIN" | "FINANCE" | "MEMBER";
const role = toRole(row.role);
const approvalPreference = toNullable(row.approvalPreference) as "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
const approvalPermissions = toApprovalPermissions(row.approvalPermissions, role, approvalPreference);

4
src/app/api/periods/[id]/route.ts
View File

@@ -28,7 +28,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume bearbeiten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume bearbeiten." }, { status: 403 });
}
const body = await request.json().catch(() => null);
@@ -110,7 +110,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume löschen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume löschen." }, { status: 403 });
}
const period = await prisma.accountingPeriod.findUnique({

2
src/app/api/periods/current/route.ts
View File

@@ -18,7 +18,7 @@ export async function PATCH(request: Request) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen den aktuellen Zeitraum wechseln." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen den aktuellen Zeitraum wechseln." }, { status: 403 });
}
const body = await request.json().catch(() => null);

2
src/app/api/periods/route.ts
View File

@@ -22,7 +22,7 @@ export async function POST(request: Request) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume verwalten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume verwalten." }, { status: 403 });
}
const body = await request.json().catch(() => null);

71
src/app/api/push-subscriptions/route.ts Normal file
View File

@@ -0,0 +1,71 @@
import { NextResponse } from "next/server";
import { z } from "zod";
import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
const subscriptionSchema = z.object({
endpoint: z.string().url(),
keys: z.object({
p256dh: z.string().min(1),
auth: z.string().min(1)
})
});
export async function POST(request: Request) {
const viewer = await getCurrentViewer();
if (!viewer) {
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
}
const body = await request.json().catch(() => null);
const parsed = subscriptionSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Push-Subscription ist ungueltig." }, { status: 400 });
}
await prisma.pushSubscription.upsert({
where: {
endpoint: parsed.data.endpoint
},
update: {
userId: viewer.id,
p256dh: parsed.data.keys.p256dh,
auth: parsed.data.keys.auth
},
create: {
userId: viewer.id,
endpoint: parsed.data.endpoint,
p256dh: parsed.data.keys.p256dh,
auth: parsed.data.keys.auth
}
});
return NextResponse.json({ ok: true });
}
export async function DELETE(request: Request) {
const viewer = await getCurrentViewer();
if (!viewer) {
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
}
const body = await request.json().catch(() => null);
const parsed = z.object({ endpoint: z.string().url() }).safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Push-Subscription ist ungueltig." }, { status: 400 });
}
await prisma.pushSubscription.deleteMany({
where: {
endpoint: parsed.data.endpoint,
userId: viewer.id
}
});
return NextResponse.json({ ok: true });
}

2
src/app/api/settings/route.ts
View File

@@ -20,7 +20,7 @@ export async function PATCH(request: Request) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Einstellungen aendern." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Einstellungen aendern." }, { status: 403 });
}
const body = await request.json().catch(() => null);

2
src/app/api/users/[id]/password/route.ts
View File

@@ -26,7 +26,7 @@ export async function POST(request: Request, { params }: Context) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Passwörter neu setzen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Passwörter neu setzen." }, { status: 403 });
}
const body = await request.json().catch(() => null);

33
src/app/api/users/[id]/route.ts
View File

@@ -3,29 +3,22 @@ import { z } from "zod";
import { snapshotUser } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
import {
APPROVAL_FLOW,
canManageUsers,
getLegacyApprovalPreference,
normalizeApprovalPermissions
} from "@/lib/domain";
import { canManageUsers, getLegacyApprovalPreference, normalizeApprovalPermissions } from "@/lib/domain";
import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
const userRoleSchema = z.enum(["ADMIN", "FINANCE", "MEMBER"]);
const approvalPermissionSchema = z.enum(APPROVAL_FLOW);
const userRoleSchema = z.enum(["BOARD", "ORGA", "FINANCE", "MEMBER"]);
const updateUserSchema = z.object({
role: userRoleSchema,
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()]),
approvalPermissions: z.array(approvalPermissionSchema).default([])
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()])
});
function serializeManagedUser(user: {
id: string;
name: string;
username: string;
role: "ADMIN" | "FINANCE" | "MEMBER";
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
workingGroupId: string | null;
workingGroup: { name: string } | null;
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
@@ -63,14 +56,14 @@ export async function PATCH(request: Request, { params }: Context) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Nutzer bearbeiten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Nutzer bearbeiten." }, { status: 403 });
}
const body = await request.json().catch(() => null);
const parsed = updateUserSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Bitte Rolle, AG und Freigaberollen korrekt angeben." }, { status: 400 });
return NextResponse.json({ error: "Bitte Rolle und AG korrekt angeben." }, { status: 400 });
}
const user = await prisma.user.findUnique({
@@ -99,9 +92,9 @@ export async function PATCH(request: Request, { params }: Context) {
}
}
if (user.role === "ADMIN" && parsed.data.role !== "ADMIN") {
if (user.role === "BOARD" && parsed.data.role !== "BOARD") {
const adminCount = await prisma.user.count({
where: { role: "ADMIN" }
where: { role: "BOARD" }
});
if (adminCount <= 1) {
@@ -109,7 +102,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
}
const approvalPermissions = normalizeApprovalPermissions(parsed.data.role, parsed.data.approvalPermissions, null);
const approvalPermissions = normalizeApprovalPermissions(parsed.data.role, null, null);
const approvalPreference = getLegacyApprovalPreference(approvalPermissions);
const previousSnapshot = snapshotUser(user);
@@ -172,7 +165,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Nutzer löschen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Nutzer löschen." }, { status: 403 });
}
if (viewer.id === id) {
@@ -202,13 +195,13 @@ export async function DELETE(_: Request, { params }: Context) {
);
}
if (user.role === "ADMIN") {
if (user.role === "BOARD") {
const adminCount = await prisma.user.count({
where: { role: "ADMIN" }
where: { role: "BOARD" }
});
if (adminCount <= 1) {
return NextResponse.json({ error: "Mindestens ein Admin muss erhalten bleiben." }, { status: 400 });
return NextResponse.json({ error: "Mindestens ein Vorstandskonto muss erhalten bleiben." }, { status: 400 });
}
}

19
src/app/api/users/route.ts
View File

@@ -4,31 +4,24 @@ import { z } from "zod";
import { snapshotUser } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
import {
APPROVAL_FLOW,
canManageUsers,
getLegacyApprovalPreference,
normalizeApprovalPermissions
} from "@/lib/domain";
import { canManageUsers, getLegacyApprovalPreference, normalizeApprovalPermissions } from "@/lib/domain";
import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
const userRoleSchema = z.enum(["ADMIN", "FINANCE", "MEMBER"]);
const approvalPermissionSchema = z.enum(APPROVAL_FLOW);
const userRoleSchema = z.enum(["BOARD", "ORGA", "FINANCE", "MEMBER"]);
const createUserSchema = z.object({
username: z.string().trim().min(2).max(40),
password: z.string().min(8).max(128),
role: userRoleSchema,
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()]),
approvalPermissions: z.array(approvalPermissionSchema).default([])
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()])
});
function serializeManagedUser(user: {
id: string;
name: string;
username: string;
role: "ADMIN" | "FINANCE" | "MEMBER";
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
workingGroupId: string | null;
workingGroup: { name: string } | null;
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
@@ -59,7 +52,7 @@ export async function POST(request: Request) {
}
if (!canManageUsers(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Nutzer anlegen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Nutzer anlegen." }, { status: 403 });
}
const body = await request.json().catch(() => null);
@@ -75,7 +68,7 @@ export async function POST(request: Request) {
: null;
const approvalPermissions = normalizeApprovalPermissions(
parsed.data.role,
parsed.data.approvalPermissions,
null,
null
);

4
src/app/api/working-groups/[id]/route.ts
View File

@@ -26,7 +26,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs bearbeiten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs bearbeiten." }, { status: 403 });
}
const body = await request.json().catch(() => null);
@@ -97,7 +97,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs löschen." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs löschen." }, { status: 403 });
}
const workingGroup = await prisma.workingGroup.findUnique({

2
src/app/api/working-groups/route.ts
View File

@@ -19,7 +19,7 @@ export async function POST(request: Request) {
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs verwalten." }, { status: 403 });
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs verwalten." }, { status: 403 });
}
const body = await request.json().catch(() => null);

67
src/components/dashboard/budget-column.tsx
View File

@@ -10,6 +10,7 @@ import ExpandMoreRoundedIcon from "@mui/icons-material/ExpandMoreRounded";
import EuroRoundedIcon from "@mui/icons-material/EuroRounded";
import ReceiptLongRoundedIcon from "@mui/icons-material/ReceiptLongRounded";
import TaskAltRoundedIcon from "@mui/icons-material/TaskAltRounded";
import UploadFileRoundedIcon from "@mui/icons-material/UploadFileRounded";
import {
Box,
Button,
@@ -49,6 +50,7 @@ type BudgetColumnProps = {
onApprove: (expenseId: string, approvalType: "CHAIR_A" | "CHAIR_B" | "FINANCE") => Promise<void>;
onMarkPaid: (expenseId: string) => Promise<void>;
onDocument: (expenseId: string, proofUrl?: string) => Promise<void>;
onUploadProof: (expenseId: string, file: File) => Promise<string>;
onSaveWorkingGroup: (groupId: string, name: string) => Promise<void>;
onDeleteWorkingGroup: (groupId: string, groupName: string) => Promise<void>;
onSaveBudget: (budgetId: string, name: string, totalBudget: string, colorCode: string) => Promise<void>;
@@ -140,6 +142,7 @@ export function BudgetColumn({
onApprove,
onMarkPaid,
onDocument,
onUploadProof,
onSaveWorkingGroup,
onDeleteWorkingGroup,
onSaveBudget,
@@ -153,6 +156,7 @@ export function BudgetColumn({
const [isEditingGroup, setIsEditingGroup] = useState(false);
const [groupDraftName, setGroupDraftName] = useState(group.name);
const [proofUrlDrafts, setProofUrlDrafts] = useState<Record<string, string>>({});
const [proofFileDrafts, setProofFileDrafts] = useState<Record<string, File | null>>({});
const [expandedRecurringExpenses, setExpandedRecurringExpenses] = useState<Record<string, boolean>>({});
const budgetCardWidth = 352;
@@ -771,7 +775,17 @@ export function BudgetColumn({
size="small"
variant="contained"
disabled={busy}
onClick={() => onApprove(expense.id, approvalType)}
onClick={() => {
if (
!window.confirm(
`Freigabe wirklich setzen?\n\nAusgabe: ${expense.title}\nBetrag: ${formatCurrency(expense.amount)}\nRolle: ${approvalLabel(approvalType)}\n\nMit deiner Freigabe bestaetigst du, dass du die Ausgabe plausibel geprueft hast und die Verantwortung fuer diesen Freigabeschritt uebernimmst.`
)
) {
return;
}
onApprove(expense.id, approvalType);
}}
>
Freigeben als {approvalLabel(approvalType)}
</Button>
@@ -818,25 +832,54 @@ export function BudgetColumn({
{expense.paidAt && !expense.documentedAt && canDocumentExpense(viewer.role) ? (
<Stack direction={{ xs: "column", sm: "row" }} gap={1}>
<TextField
label="Beleg-URL"
value={proofUrlDrafts[expense.id] ?? expense.proofUrl ?? ""}
onChange={(event) =>
setProofUrlDrafts((current) => ({
...current,
[expense.id]: event.target.value
}))
}
label="Beleg"
value={proofFileDrafts[expense.id]?.name ?? expense.proofUrl ?? ""}
InputProps={{ readOnly: true }}
size="small"
fullWidth
/>
<Button component="label" size="small" variant="outlined" startIcon={<UploadFileRoundedIcon />} disabled={busy}>
Datei
<input
hidden
type="file"
accept="image/*,application/pdf"
onChange={(event) =>
setProofFileDrafts((current) => ({
...current,
[expense.id]: event.target.files?.[0] ?? null
}))
}
/>
</Button>
<Button component="label" size="small" variant="outlined" disabled={busy}>
Kamera
<input
hidden
type="file"
accept="image/*"
capture="environment"
onChange={(event) =>
setProofFileDrafts((current) => ({
...current,
[expense.id]: event.target.files?.[0] ?? null
}))
}
/>
</Button>
<Button
size="small"
variant="contained"
color="success"
disabled={busy}
onClick={() =>
onDocument(expense.id, proofUrlDrafts[expense.id] ?? expense.proofUrl ?? undefined)
}
onClick={async () => {
const proofFile = proofFileDrafts[expense.id];
const proofUrl = proofFile
? await onUploadProof(expense.id, proofFile)
: proofUrlDrafts[expense.id] ?? expense.proofUrl ?? undefined;
await onDocument(expense.id, proofUrl);
}}
>
Dokumentieren
</Button>

216
src/components/dashboard/dashboard-shell.tsx
View File

@@ -6,7 +6,9 @@ import DownloadRoundedIcon from "@mui/icons-material/DownloadRounded";
import EditRoundedIcon from "@mui/icons-material/EditRounded";
import KeyRoundedIcon from "@mui/icons-material/KeyRounded";
import LogoutRoundedIcon from "@mui/icons-material/LogoutRounded";
import NotificationsActiveRoundedIcon from "@mui/icons-material/NotificationsActiveRounded";
import SavingsRoundedIcon from "@mui/icons-material/SavingsRounded";
import UploadFileRoundedIcon from "@mui/icons-material/UploadFileRounded";
import VerifiedRoundedIcon from "@mui/icons-material/VerifiedRounded";
import WalletRoundedIcon from "@mui/icons-material/WalletRounded";
import {
@@ -67,7 +69,6 @@ type ExpenseFormState = {
budgetId: string;
recurrence: "NONE" | "MONTHLY";
recurrenceStartAt: string;
proofUrl: string;
};
type BudgetFormState = {
@@ -92,15 +93,13 @@ type ApprovalPermissionValue = (typeof APPROVAL_FLOW)[number];
type UserFormState = {
username: string;
password: string;
role: "ADMIN" | "FINANCE" | "MEMBER";
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
workingGroupId: string;
approvalPermissions: ApprovalPermissionValue[];
};
type ManagedUserDraft = {
role: "ADMIN" | "FINANCE" | "MEMBER";
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
workingGroupId: string;
approvalPermissions: ApprovalPermissionValue[];
};
type PeriodFormState = {
@@ -135,9 +134,10 @@ function toggleApprovalPermission(
}
function sortManagedUsersList(users: DashboardManagedUser[]) {
const roleOrder: Record<DashboardManagedUser["role"], number> = {
ADMIN: 0,
FINANCE: 1,
MEMBER: 2
BOARD: 0,
ORGA: 1,
FINANCE: 2,
MEMBER: 3
};
return [...users].sort((left, right) => {
@@ -235,6 +235,13 @@ async function parseResponse(response: Response) {
return payload;
}
function urlBase64ToUint8Array(value: string) {
const padding = "=".repeat((4 - (value.length % 4)) % 4);
const base64 = `${value}${padding}`.replace(/-/g, "+").replace(/_/g, "/");
const rawData = window.atob(base64);
return Uint8Array.from([...rawData], (character) => character.charCodeAt(0));
}
export function DashboardShell({
viewer,
workingGroups,
@@ -279,8 +286,7 @@ export function DashboardShell({
agId: defaultEditableGroup?.id ?? "",
budgetId: defaultBudget?.id ?? "",
recurrence: "NONE",
recurrenceStartAt: toDateInputValue(currentPeriod?.startsAt ?? new Date().toISOString()),
proofUrl: ""
recurrenceStartAt: toDateInputValue(currentPeriod?.startsAt ?? new Date().toISOString())
});
const [budgetForm, setBudgetForm] = useState<BudgetFormState>({
workingGroupId: visibleGroups[0]?.id ?? "",
@@ -300,8 +306,7 @@ export function DashboardShell({
username: "",
password: "",
role: "MEMBER",
workingGroupId: visibleGroups[0]?.id ?? "",
approvalPermissions: []
workingGroupId: visibleGroups[0]?.id ?? ""
});
const [message, setMessage] = useState<DashboardMessage | null>(null);
const [busy, setBusy] = useState(false);
@@ -320,6 +325,8 @@ export function DashboardShell({
const [approvalThresholdDraft, setApprovalThresholdDraft] = useState(approvalThreshold.toFixed(2));
const [periodForm, setPeriodForm] = useState<PeriodFormState>(getSuggestedPeriodDraft(currentPeriod));
const [periodEditForm, setPeriodEditForm] = useState<PeriodEditFormState>(getPeriodEditDraft(currentPeriod));
const [expenseProofFile, setExpenseProofFile] = useState<File | null>(null);
const [pushStatus, setPushStatus] = useState<"idle" | "enabled" | "blocked" | "unsupported">("idle");
useEffect(() => {
if (visibleGroups.length === 0) {
setSelectedMobileGroupId("");
@@ -505,8 +512,7 @@ export function DashboardShell({
function getManagedUserDraft(user: DashboardManagedUser): ManagedUserDraft {
return userDrafts[user.id] ?? {
role: user.role,
workingGroupId: user.workingGroupId ?? "",
approvalPermissions: sortApprovalPermissions(user.approvalPermissions)
workingGroupId: user.workingGroupId ?? ""
};
}
@@ -525,8 +531,7 @@ export function DashboardShell({
...current,
[user.id]: {
role: user.role,
workingGroupId: user.workingGroupId ?? "",
approvalPermissions: sortApprovalPermissions(user.approvalPermissions)
workingGroupId: user.workingGroupId ?? ""
}
}));
}
@@ -621,7 +626,7 @@ export function DashboardShell({
}
await runAction(async () => {
await parseResponse(
const result = (await parseResponse(
await fetch("/api/expenses", {
method: "POST",
headers: {
@@ -634,11 +639,22 @@ export function DashboardShell({
agId: expenseForm.agId,
budgetId: expenseForm.budgetId,
recurrence: expenseForm.recurrence,
recurrenceStartAt: expenseForm.recurrence === "MONTHLY" ? expenseForm.recurrenceStartAt : "",
proofUrl: expenseForm.proofUrl
recurrenceStartAt: expenseForm.recurrence === "MONTHLY" ? expenseForm.recurrenceStartAt : ""
})
})
);
)) as { expense?: { id: string } };
if (expenseProofFile && result.expense?.id) {
const formData = new FormData();
formData.set("file", expenseProofFile);
await parseResponse(
await fetch(`/api/expenses/${result.expense.id}/proof`, {
method: "POST",
body: formData
})
);
}
const resetGroup = defaultEditableGroup?.id ?? "";
const resetBudget = defaultEditableGroup?.budgets[0]?.id ?? "";
@@ -650,9 +666,9 @@ export function DashboardShell({
agId: resetGroup,
budgetId: resetBudget,
recurrence: "NONE",
recurrenceStartAt: toDateInputValue(currentPeriod?.startsAt ?? new Date().toISOString()),
proofUrl: ""
recurrenceStartAt: toDateInputValue(currentPeriod?.startsAt ?? new Date().toISOString())
});
setExpenseProofFile(null);
}, "Ausgabe wurde gespeichert.");
}
@@ -751,6 +767,20 @@ export function DashboardShell({
}, "Ausgabe wurde dokumentiert.");
}
async function handleUploadProof(expenseId: string, file: File) {
const formData = new FormData();
formData.set("file", file);
const result = (await parseResponse(
await fetch(`/api/expenses/${expenseId}/proof`, {
method: "POST",
body: formData
})
)) as { proofUrl: string };
return result.proofUrl;
}
async function handleSaveBudget(budgetId: string, name: string, totalBudget: string, colorCode: string) {
await runAction(async () => {
await parseResponse(
@@ -945,8 +975,7 @@ export function DashboardShell({
username: createdUsername,
password: userForm.password,
role: userForm.role,
workingGroupId: userForm.workingGroupId,
approvalPermissions: sortApprovalPermissions(userForm.approvalPermissions)
workingGroupId: userForm.workingGroupId
})
})
)) as { user?: DashboardManagedUser };
@@ -961,8 +990,7 @@ export function DashboardShell({
username: "",
password: "",
role: "MEMBER",
workingGroupId: visibleGroups[0]?.id ?? "",
approvalPermissions: []
workingGroupId: visibleGroups[0]?.id ?? ""
});
return {
@@ -987,8 +1015,7 @@ export function DashboardShell({
},
body: JSON.stringify({
role: draft.role,
workingGroupId: draft.workingGroupId,
approvalPermissions: sortApprovalPermissions(draft.approvalPermissions)
workingGroupId: draft.workingGroupId
})
})
)) as { user?: DashboardManagedUser };
@@ -1028,6 +1055,51 @@ export function DashboardShell({
);
}, `Freigabe-Schwelle wurde auf ${nextThreshold.toFixed(2)} EUR gesetzt.`);
}
async function handleEnablePushNotifications() {
if (!("serviceWorker" in navigator) || !("PushManager" in window) || !("Notification" in window)) {
setPushStatus("unsupported");
setMessage({ type: "error", text: "Dieser Browser unterstuetzt Web Push nicht." });
return;
}
const publicKey = process.env.NEXT_PUBLIC_VAPID_PUBLIC_KEY;
if (!publicKey) {
setMessage({ type: "error", text: "VAPID Public Key ist nicht konfiguriert." });
return;
}
const permission = await Notification.requestPermission();
if (permission !== "granted") {
setPushStatus("blocked");
setMessage({ type: "error", text: "Benachrichtigungen wurden nicht erlaubt." });
return;
}
await runAction(async () => {
const registration = await navigator.serviceWorker.ready;
const existingSubscription = await registration.pushManager.getSubscription();
const subscription =
existingSubscription ??
(await registration.pushManager.subscribe({
userVisibleOnly: true,
applicationServerKey: urlBase64ToUint8Array(publicKey)
}));
await parseResponse(
await fetch("/api/push-subscriptions", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify(subscription.toJSON())
})
);
setPushStatus("enabled");
}, "Web Push ist für dieses Gerät aktiviert.");
}
async function handleDeleteUser(userId: string) {
await runAction(async () => {
await parseResponse(
@@ -1206,7 +1278,7 @@ export function DashboardShell({
Zeitraum wechseln
</Typography>
<Typography variant="body2" color="text.secondary">
{"Nur Vorstand und Finanz-AG können die aktuelle Übersicht global umstellen."}
{"Nur Vorstand allgemein, AG Orga und AG Finanzen können die aktuelle Übersicht global umstellen."}
</Typography>
</Box>
<Box
@@ -1413,6 +1485,17 @@ export function DashboardShell({
Neue Ausgabe
</Typography>
</Box>
{viewer.approvalPermissions.length > 0 ? (
<Button
type="button"
variant={pushStatus === "enabled" ? "contained" : "outlined"}
startIcon={<NotificationsActiveRoundedIcon />}
disabled={busy || pushStatus === "unsupported"}
onClick={handleEnablePushNotifications}
>
{pushStatus === "enabled" ? "Web Push aktiv" : "Freigabe-Push aktivieren"}
</Button>
) : null}
<Box component="form" onSubmit={handleCreateExpense}>
<Stack spacing={2}>
@@ -1512,11 +1595,33 @@ export function DashboardShell({
))}
</TextField>
<TextField
label="Beleg-URL (optional)"
value={expenseForm.proofUrl}
onChange={(event) => setExpenseForm((current) => ({ ...current, proofUrl: event.target.value }))}
label="Beleg"
value={expenseProofFile?.name ?? ""}
fullWidth
InputProps={{ readOnly: true }}
helperText="Optional: Bild oder PDF auswählen. Auf Mobilgeräten kann die Kamera angeboten werden."
/>
<Stack direction={{ xs: "column", sm: "row" }} gap={1} useFlexGap flexWrap="wrap">
<Button component="label" variant="outlined" startIcon={<UploadFileRoundedIcon />} disabled={busy}>
Beleg auswählen
<input
hidden
type="file"
accept="image/*,application/pdf"
onChange={(event) => setExpenseProofFile(event.target.files?.[0] ?? null)}
/>
</Button>
<Button component="label" variant="outlined" disabled={busy}>
Kamera öffnen
<input
hidden
type="file"
accept="image/*"
capture="environment"
onChange={(event) => setExpenseProofFile(event.target.files?.[0] ?? null)}
/>
</Button>
</Stack>
<Button
type="submit"
variant="contained"
@@ -1853,8 +1958,9 @@ export function DashboardShell({
}}
required
>
<MenuItem value="ADMIN">Vorstand</MenuItem>
<MenuItem value="FINANCE">Finanz-AG</MenuItem>
<MenuItem value="BOARD">Vorstand allgemein</MenuItem>
<MenuItem value="ORGA">AG Orga</MenuItem>
<MenuItem value="FINANCE">AG Finanzen</MenuItem>
<MenuItem value="MEMBER">AG-Mitglied</MenuItem>
</TextField>
<TextField
@@ -1872,7 +1978,7 @@ export function DashboardShell({
? "Lege zuerst eine AG an."
: userForm.role === "MEMBER"
? "AG-Mitglieder brauchen eine feste AG-Zuordnung."
: "Optional: Auch Vorstand und Finanz-AG können einer AG zugeordnet werden."
: "Optional: Verwaltungsrollen können einer AG zugeordnet werden."
}
>
{userForm.role !== "MEMBER" ? <MenuItem value="">Ohne AG</MenuItem> : null}
@@ -1882,16 +1988,11 @@ export function DashboardShell({
</MenuItem>
))}
</TextField>
{renderApprovalPermissionSelector(
userForm.approvalPermissions,
(approvalType) =>
setUserForm((current) => ({
...current,
approvalPermissions: toggleApprovalPermission(current.approvalPermissions, approvalType)
})),
"Lege fest, für welche Freigabeschritte dieses Konto zeichnen darf.",
getAvailableApprovalRoles(userForm.role)
)}
<Typography variant="body2" color="text.secondary">
{getAvailableApprovalRoles(userForm.role).length > 0
? `Freigabe automatisch: ${getAvailableApprovalRoles(userForm.role).map(approvalLabel).join(", ")}`
: "Diese Rolle kann keine Ausgaben freigeben."}
</Typography>
<Button type="submit" variant="outlined" disabled={busy}>
Nutzer speichern
</Button>
@@ -1938,7 +2039,7 @@ export function DashboardShell({
Nutzer verwalten
</Typography>
<Typography color="text.secondary">
{"Bestehende Passwörter bleiben sicher gehasht. Hier kannst du Rolle, AG-Zuordnung, Freigaberollen und Passwörter pflegen."}
{"Bestehende Passwörter bleiben sicher gehasht. Hier kannst du Rolle, AG-Zuordnung und Passwörter pflegen."}
</Typography>
</Box>
<Stack spacing={1.4}>
@@ -2049,8 +2150,9 @@ export function DashboardShell({
}}
fullWidth
>
<MenuItem value="ADMIN">Vorstand</MenuItem>
<MenuItem value="FINANCE">Finanz-AG</MenuItem>
<MenuItem value="BOARD">Vorstand allgemein</MenuItem>
<MenuItem value="ORGA">AG Orga</MenuItem>
<MenuItem value="FINANCE">AG Finanzen</MenuItem>
<MenuItem value="MEMBER">AG-Mitglied</MenuItem>
</TextField>
<TextField
@@ -2066,7 +2168,7 @@ export function DashboardShell({
? "Lege zuerst eine AG an."
: draft.role === "MEMBER"
? "AG-Mitglieder brauchen eine feste AG-Zuordnung."
: "Optional: Auch Vorstand und Finanz-AG können einer AG zugeordnet werden."
: "Optional: Verwaltungsrollen können einer AG zugeordnet werden."
}
>
{draft.role !== "MEMBER" ? <MenuItem value="">Ohne AG</MenuItem> : null}
@@ -2076,15 +2178,11 @@ export function DashboardShell({
</MenuItem>
))}
</TextField>
{renderApprovalPermissionSelector(
draft.approvalPermissions,
(approvalType) =>
updateManagedUserDraft(user, {
approvalPermissions: toggleApprovalPermission(draft.approvalPermissions, approvalType)
}),
"Lege fest, welche Freigabeschritte dieses Konto autorisieren darf.",
getAvailableApprovalRoles(draft.role)
)}
<Typography variant="body2" color="text.secondary">
{getAvailableApprovalRoles(draft.role).length > 0
? `Freigabe automatisch: ${getAvailableApprovalRoles(draft.role).map(approvalLabel).join(", ")}`
: "Diese Rolle kann keine Ausgaben freigeben."}
</Typography>
<Stack direction="row" gap={1} useFlexGap flexWrap="wrap">
<Button type="button" variant="contained" disabled={busy} onClick={() => handleUpdateUser(user)}>
Nutzer speichern
@@ -2321,6 +2419,7 @@ export function DashboardShell({
onApprove={handleApprove}
onMarkPaid={handleMarkPaid}
onDocument={handleDocument}
onUploadProof={handleUploadProof}
onSaveWorkingGroup={handleSaveWorkingGroup}
onDeleteWorkingGroup={handleDeleteWorkingGroup}
onSaveBudget={handleSaveBudget}
@@ -2363,6 +2462,7 @@ export function DashboardShell({
onApprove={handleApprove}
onMarkPaid={handleMarkPaid}
onDocument={handleDocument}
onUploadProof={handleUploadProof}
onSaveWorkingGroup={handleSaveWorkingGroup}
onDeleteWorkingGroup={handleDeleteWorkingGroup}
onSaveBudget={handleSaveBudget}

51
src/lib/domain.ts
View File

@@ -14,7 +14,7 @@ export const COLOR_PRESETS = [
"#3FAF88"
] as const;
export type AppRole = "ADMIN" | "FINANCE" | "MEMBER";
export type AppRole = "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
export type ApprovalTypeValue = (typeof APPROVAL_FLOW)[number];
export type ApprovalStatusValue = "PENDING" | "APPROVED";
export type ExpenseRecurrenceValue = "NONE" | "MONTHLY";
@@ -25,10 +25,12 @@ export function requiresManualApproval(amount: number, approvalThreshold = DEFAU
export function roleLabel(role: AppRole) {
switch (role) {
case "ADMIN":
return "Vorstand";
case "BOARD":
return "Vorstand allgemein";
case "ORGA":
return "AG Orga";
case "FINANCE":
return "Finanz-AG";
return "AG Finanzen";
case "MEMBER":
return "AG-Mitglied";
}
@@ -37,11 +39,11 @@ export function roleLabel(role: AppRole) {
export function approvalLabel(approvalType: ApprovalTypeValue) {
switch (approvalType) {
case "CHAIR_A":
return "Vorstand A";
return "AG Orga";
case "CHAIR_B":
return "Vorstand B";
return "Vorstand allgemein";
case "FINANCE":
return "Finanz-AG";
return "AG Finanzen";
}
}
@@ -55,7 +57,7 @@ export function recurrenceLabel(recurrence: ExpenseRecurrenceValue) {
}
export function hasAdministrativeAccess(role: AppRole) {
return role === "ADMIN" || role === "FINANCE";
return role === "BOARD" || role === "ORGA" || role === "FINANCE";
}
export function canManageBudgets(role: AppRole) {
@@ -67,11 +69,11 @@ export function canManageUsers(role: AppRole) {
}
export function canMarkPaid(role: AppRole) {
return hasAdministrativeAccess(role);
return role === "BOARD" || role === "FINANCE";
}
export function canDocumentExpense(role: AppRole) {
return hasAdministrativeAccess(role);
return role === "BOARD" || role === "FINANCE";
}
export function canCreateExpenseForGroup(role: AppRole, viewerGroupId: string | null, targetGroupId: string) {
@@ -90,7 +92,7 @@ export function canDeleteExpense(
paidAt: string | null,
documentedAt: string | null
) {
if (role === "ADMIN" || role === "FINANCE") {
if (hasAdministrativeAccess(role)) {
return true;
}
@@ -99,8 +101,10 @@ export function canDeleteExpense(
export function getAvailableApprovalRoles(role: AppRole): ApprovalTypeValue[] {
switch (role) {
case "ADMIN":
return ["CHAIR_A", "CHAIR_B"];
case "BOARD":
return ["CHAIR_B"];
case "ORGA":
return ["CHAIR_A"];
case "FINANCE":
return ["FINANCE"];
case "MEMBER":
@@ -109,24 +113,11 @@ export function getAvailableApprovalRoles(role: AppRole): ApprovalTypeValue[] {
}
export function normalizeApprovalPermissions(
_role: AppRole,
approvalPermissions: ApprovalTypeValue[] | null | undefined,
approvalPreference: ApprovalTypeValue | null | undefined = null
role: AppRole,
_approvalPermissions: ApprovalTypeValue[] | null | undefined,
_approvalPreference: ApprovalTypeValue | null | undefined = null
) {
const rawPermissions = approvalPermissions ?? (approvalPreference ? [approvalPreference] : []);
// Deduplizierung: behalte jeden Eintrag nur beim ersten Vorkommen
const seen = new Set<ApprovalTypeValue>();
const unique: ApprovalTypeValue[] = [];
for (const perm of rawPermissions) {
if (!seen.has(perm)) {
seen.add(perm);
unique.push(perm);
}
}
// Sortiere nach der Reihenfolge in APPROVAL_FLOW
return APPROVAL_FLOW.filter((type) => unique.includes(type)) as ApprovalTypeValue[];
return getAvailableApprovalRoles(role);
}
export function getLegacyApprovalPreference(approvalPermissions: ApprovalTypeValue[]) {

72
src/lib/google-drive.ts Normal file
View File

@@ -0,0 +1,72 @@
import { google } from "googleapis";
import { Readable } from "node:stream";
const DEFAULT_DRIVE_FOLDER_ID = "12zMANi_J0uvie16LUxSmfeqwGjKawEhJ";
function getDriveClient() {
const clientEmail = process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL;
const privateKey = process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY?.replace(/\\n/g, "\n");
if (!clientEmail || !privateKey) {
throw new Error("Google-Drive-Service-Account ist nicht konfiguriert.");
}
const auth = new google.auth.JWT({
email: clientEmail,
key: privateKey,
scopes: ["https://www.googleapis.com/auth/drive.file"]
});
return google.drive({ version: "v3", auth });
}
export function sanitizeDriveFileName(title: string, fallback = "beleg") {
const sanitized = title
.normalize("NFKD")
.replace(/[\u0300-\u036f]/g, "")
.replace(/[^a-zA-Z0-9._-]+/g, "-")
.replace(/^-+|-+$/g, "")
.slice(0, 80);
return sanitized || fallback;
}
export async function uploadExpenseProofToDrive(input: {
title: string;
fileName: string;
mimeType: string;
buffer: Buffer;
}) {
const drive = getDriveClient();
const folderId = process.env.GOOGLE_DRIVE_FOLDER_ID || DEFAULT_DRIVE_FOLDER_ID;
const extension = input.fileName.includes(".") ? `.${input.fileName.split(".").pop()}` : "";
const baseName = sanitizeDriveFileName(input.title);
const uniqueSuffix = new Date().toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
const name = `${baseName}-${uniqueSuffix}${extension}`;
const response = await drive.files.create({
requestBody: {
name,
parents: [folderId]
},
media: {
mimeType: input.mimeType,
body: Readable.from(input.buffer)
},
fields: "id, webViewLink"
});
if (!response.data.id) {
throw new Error("Google Drive hat keine Datei-ID zurueckgegeben.");
}
await drive.permissions.create({
fileId: response.data.id,
requestBody: {
type: "anyone",
role: "reader"
}
});
return response.data.webViewLink ?? `https://drive.google.com/file/d/${response.data.id}/view`;
}

94
src/lib/push-notifications.ts Normal file
View File

@@ -0,0 +1,94 @@
import webpush from "web-push";
import type { ApprovalType } from "@prisma/client";
import { approvalLabel } from "@/lib/domain";
import prisma from "@/lib/prisma";
type PushTargetExpense = {
id: string;
title: string;
amount: number;
};
function configureWebPush() {
const publicKey = process.env.NEXT_PUBLIC_VAPID_PUBLIC_KEY;
const privateKey = process.env.VAPID_PRIVATE_KEY;
const subject = process.env.VAPID_SUBJECT;
if (!publicKey || !privateKey || !subject) {
return false;
}
webpush.setVapidDetails(subject, publicKey, privateKey);
return true;
}
export function getApprovalRole(approvalType: ApprovalType) {
switch (approvalType) {
case "CHAIR_A":
return "ORGA";
case "CHAIR_B":
return "BOARD";
case "FINANCE":
return "FINANCE";
}
}
export async function notifyApprovalRequest(expense: PushTargetExpense, approvalTypes: ApprovalType[]) {
if (!configureWebPush() || approvalTypes.length === 0) {
return;
}
const roles = approvalTypes.map(getApprovalRole);
const subscriptions = await prisma.pushSubscription.findMany({
where: {
user: {
role: {
in: roles
}
}
},
include: {
user: {
select: {
role: true
}
}
}
});
await Promise.all(
subscriptions.map(async (subscription) => {
const approvalType = approvalTypes.find((type) => getApprovalRole(type) === subscription.user.role);
const payload = JSON.stringify({
title: "Freigabe angefragt",
body: `${expense.title} (${expense.amount.toFixed(2)} EUR) braucht ${approvalType ? approvalLabel(approvalType) : "deine Freigabe"}.`,
url: `/?expense=${encodeURIComponent(expense.id)}`,
tag: `approval-${expense.id}-${subscription.user.role}`
});
try {
await webpush.sendNotification(
{
endpoint: subscription.endpoint,
keys: {
p256dh: subscription.p256dh,
auth: subscription.auth
}
},
payload
);
} catch (error) {
const statusCode = typeof error === "object" && error && "statusCode" in error ? error.statusCode : null;
if (statusCode === 404 || statusCode === 410) {
await prisma.pushSubscription.delete({
where: {
endpoint: subscription.endpoint
}
});
}
}
})
);
}