Rollen Freigaben Push und Beleg Upload ueberarbeiten
This commit is contained in:
@@ -64,6 +64,24 @@ function asApprovalPermissions(value: unknown) {
|
||||
);
|
||||
}
|
||||
|
||||
function asRole(value: unknown) {
|
||||
const role = asString(value, "Rolle");
|
||||
|
||||
switch (role) {
|
||||
case "ADMIN":
|
||||
case "BOARD":
|
||||
return "BOARD";
|
||||
case "ORGA":
|
||||
return "ORGA";
|
||||
case "FINANCE":
|
||||
return "FINANCE";
|
||||
case "MEMBER":
|
||||
return "MEMBER";
|
||||
default:
|
||||
throw new Error("Rolle ist im Änderungsverlauf ungültig.");
|
||||
}
|
||||
}
|
||||
|
||||
export async function POST(_: Request, { params }: Context) {
|
||||
const { id } = await params;
|
||||
const viewer = await getCurrentViewer();
|
||||
@@ -73,7 +91,7 @@ export async function POST(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zustände zurücksetzen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zustände zurücksetzen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const auditLog = await prisma.auditLog.findUnique({
|
||||
@@ -383,10 +401,10 @@ export async function POST(_: Request, { params }: Context) {
|
||||
throw new Error("Der Nutzer hat bereits Ausgaben oder Freigaben und kann nicht automatisch entfernt werden.");
|
||||
}
|
||||
|
||||
if (user.role === "ADMIN") {
|
||||
if (user.role === "BOARD") {
|
||||
const adminCount = await tx.user.count({
|
||||
where: {
|
||||
role: "ADMIN"
|
||||
role: "BOARD"
|
||||
}
|
||||
});
|
||||
|
||||
@@ -411,7 +429,7 @@ export async function POST(_: Request, { params }: Context) {
|
||||
username: asString(deleted.username, "Login-Name"),
|
||||
email: asNullableString(deleted.email),
|
||||
passwordHash: asString(deleted.passwordHash, "Passworthash"),
|
||||
role: asString(deleted.role, "Rolle") as "ADMIN" | "FINANCE" | "MEMBER",
|
||||
role: asRole(deleted.role),
|
||||
approvalPreference: asNullableString(deleted.approvalPreference) as "CHAIR_A" | "CHAIR_B" | "FINANCE" | null,
|
||||
approvalPermissions: asApprovalPermissions(deleted.approvalPermissions),
|
||||
workingGroupId: asNullableString(deleted.workingGroupId),
|
||||
@@ -423,7 +441,7 @@ export async function POST(_: Request, { params }: Context) {
|
||||
|
||||
case "user.update": {
|
||||
const previous = asRecord(rollback.previous, "Nutzer");
|
||||
const role = asString(previous.role, "Rolle") as "ADMIN" | "FINANCE" | "MEMBER";
|
||||
const role = asRole(previous.role);
|
||||
|
||||
await tx.user.update({
|
||||
where: {
|
||||
|
||||
@@ -40,7 +40,7 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets aendern." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets aendern." }, { status: 403 });
|
||||
}
|
||||
|
||||
const budget = await prisma.budget.findUnique({
|
||||
@@ -115,7 +115,7 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets loeschen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets loeschen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const budget = await prisma.budget.findUnique({
|
||||
|
||||
@@ -34,7 +34,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Budgets verwalten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Budgets verwalten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
@@ -27,7 +27,7 @@ export async function POST(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canDocumentExpense(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen dokumentieren." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein oder AG Finanzen duerfen dokumentieren." }, { status: 403 });
|
||||
}
|
||||
|
||||
const expense = await prisma.expense.findUnique({
|
||||
@@ -50,7 +50,7 @@ export async function POST(request: Request, { params }: Context) {
|
||||
const parsed = documentedSchema.safeParse(body);
|
||||
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Beleg-URL ist ungueltig." }, { status: 400 });
|
||||
return NextResponse.json({ error: "Beleg-Link ist ungueltig." }, { status: 400 });
|
||||
}
|
||||
|
||||
const updatedExpense = await prisma.expense.update({
|
||||
|
||||
@@ -20,7 +20,7 @@ export async function POST(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canMarkPaid(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Bezahlt setzen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein oder AG Finanzen duerfen Bezahlt setzen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const expense = await prisma.expense.findUnique({
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
import { NextResponse } from "next/server";
|
||||
|
||||
import { canDocumentExpense } from "@/lib/domain";
|
||||
import { uploadExpenseProofToDrive } from "@/lib/google-drive";
|
||||
import prisma from "@/lib/prisma";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
const ACCEPTED_MIME_TYPES = new Set(["application/pdf", "image/jpeg", "image/png", "image/webp", "image/heic", "image/heif"]);
|
||||
const MAX_FILE_SIZE = 12 * 1024 * 1024;
|
||||
|
||||
type Context = {
|
||||
params: Promise<{
|
||||
id: string;
|
||||
}>;
|
||||
};
|
||||
|
||||
export async function POST(request: Request, { params }: Context) {
|
||||
const { id } = await params;
|
||||
const viewer = await getCurrentViewer();
|
||||
|
||||
if (!viewer) {
|
||||
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
|
||||
}
|
||||
|
||||
const expense = await prisma.expense.findUnique({
|
||||
where: { id }
|
||||
});
|
||||
|
||||
if (!expense) {
|
||||
return NextResponse.json({ error: "Ausgabe nicht gefunden." }, { status: 404 });
|
||||
}
|
||||
|
||||
if (expense.creatorId !== viewer.id && !canDocumentExpense(viewer.role)) {
|
||||
return NextResponse.json({ error: "Du darfst fuer diese Ausgabe keinen Beleg hochladen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const formData = await request.formData().catch(() => null);
|
||||
const file = formData?.get("file");
|
||||
|
||||
if (!(file instanceof File)) {
|
||||
return NextResponse.json({ error: "Bitte einen Beleg als Bild oder PDF auswaehlen." }, { status: 400 });
|
||||
}
|
||||
|
||||
if (!ACCEPTED_MIME_TYPES.has(file.type)) {
|
||||
return NextResponse.json({ error: "Nur Bilder und PDFs sind als Beleg erlaubt." }, { status: 400 });
|
||||
}
|
||||
|
||||
if (file.size > MAX_FILE_SIZE) {
|
||||
return NextResponse.json({ error: "Der Beleg darf maximal 12 MB gross sein." }, { status: 400 });
|
||||
}
|
||||
|
||||
const proofUrl = await uploadExpenseProofToDrive({
|
||||
title: expense.title,
|
||||
fileName: file.name,
|
||||
mimeType: file.type,
|
||||
buffer: Buffer.from(await file.arrayBuffer())
|
||||
});
|
||||
|
||||
const updatedExpense = await prisma.expense.update({
|
||||
where: { id: expense.id },
|
||||
data: {
|
||||
proofUrl
|
||||
}
|
||||
});
|
||||
|
||||
return NextResponse.json({ proofUrl, expense: updatedExpense });
|
||||
}
|
||||
@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
|
||||
|
||||
import { snapshotExpense } from "@/lib/audit-snapshots";
|
||||
import { createAuditLog } from "@/lib/audit-log";
|
||||
import { hasAdministrativeAccess } from "@/lib/domain";
|
||||
import prisma from "@/lib/prisma";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
@@ -27,7 +28,7 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
return NextResponse.json({ error: "Ausgabe nicht gefunden." }, { status: 404 });
|
||||
}
|
||||
|
||||
const isAdminDelete = viewer.role === "ADMIN" || viewer.role === "FINANCE";
|
||||
const isAdminDelete = hasAdministrativeAccess(viewer.role);
|
||||
const isOwnPendingExpense =
|
||||
viewer.id === expense.creatorId &&
|
||||
expense.approvalStatus === "PENDING" &&
|
||||
|
||||
@@ -4,8 +4,9 @@ import { z } from "zod";
|
||||
import { getAppSettings, toApprovalThresholdNumber } from "@/lib/app-settings";
|
||||
import { snapshotExpense } from "@/lib/audit-snapshots";
|
||||
import { createAuditLog } from "@/lib/audit-log";
|
||||
import { canCreateExpenseForGroup, requiresManualApproval } from "@/lib/domain";
|
||||
import { APPROVAL_FLOW, canCreateExpenseForGroup, requiresManualApproval } from "@/lib/domain";
|
||||
import prisma from "@/lib/prisma";
|
||||
import { notifyApprovalRequest } from "@/lib/push-notifications";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
function parseDateInput(value: string) {
|
||||
@@ -100,6 +101,7 @@ export async function POST(request: Request) {
|
||||
? parsed.data.recurrenceStartAt
|
||||
: null;
|
||||
|
||||
const needsManualApproval = requiresManualApproval(parsed.data.amount, approvalThreshold);
|
||||
const expense = await prisma.expense.create({
|
||||
data: {
|
||||
title: parsed.data.title,
|
||||
@@ -112,10 +114,21 @@ export async function POST(request: Request) {
|
||||
proofUrl: parsed.data.proofUrl,
|
||||
recurrence: parsed.data.recurrence,
|
||||
recurrenceStartAt,
|
||||
approvalStatus: requiresManualApproval(parsed.data.amount, approvalThreshold) ? "PENDING" : "APPROVED"
|
||||
approvalStatus: needsManualApproval ? "PENDING" : "APPROVED"
|
||||
}
|
||||
});
|
||||
|
||||
if (needsManualApproval) {
|
||||
await notifyApprovalRequest(
|
||||
{
|
||||
id: expense.id,
|
||||
title: expense.title,
|
||||
amount: Number(expense.amount)
|
||||
},
|
||||
[...APPROVAL_FLOW]
|
||||
);
|
||||
}
|
||||
|
||||
await createAuditLog(prisma, {
|
||||
actorId: viewer.id,
|
||||
action: "expense.create",
|
||||
|
||||
@@ -67,7 +67,7 @@ export async function GET() {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen CSV-Backups herunterladen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen CSV-Backups herunterladen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const [appSettings, users, accountingPeriods, workingGroups, auditLogs] = await Promise.all([
|
||||
|
||||
@@ -28,9 +28,24 @@ function toNumber(value: string | undefined) {
|
||||
return Number.isFinite(parsed) ? parsed : null;
|
||||
}
|
||||
|
||||
function toRole(value: string | undefined): "BOARD" | "ORGA" | "FINANCE" | "MEMBER" {
|
||||
switch (value) {
|
||||
case "ADMIN":
|
||||
case "BOARD":
|
||||
return "BOARD";
|
||||
case "ORGA":
|
||||
return "ORGA";
|
||||
case "FINANCE":
|
||||
return "FINANCE";
|
||||
case "MEMBER":
|
||||
default:
|
||||
return "MEMBER";
|
||||
}
|
||||
}
|
||||
|
||||
function toApprovalPermissions(
|
||||
value: string | undefined,
|
||||
role: "ADMIN" | "FINANCE" | "MEMBER",
|
||||
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER",
|
||||
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null
|
||||
) {
|
||||
const explicitPermissions = value
|
||||
@@ -51,7 +66,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Backups einspielen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Backups einspielen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const formData = await request.formData().catch(() => null);
|
||||
@@ -145,7 +160,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
for (const row of userRows) {
|
||||
const role = row.role as "ADMIN" | "FINANCE" | "MEMBER";
|
||||
const role = toRole(row.role);
|
||||
const approvalPreference = toNullable(row.approvalPreference) as "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
|
||||
const approvalPermissions = toApprovalPermissions(row.approvalPermissions, role, approvalPreference);
|
||||
|
||||
|
||||
@@ -28,7 +28,7 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume bearbeiten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume bearbeiten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
@@ -110,7 +110,7 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume löschen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume löschen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const period = await prisma.accountingPeriod.findUnique({
|
||||
|
||||
@@ -18,7 +18,7 @@ export async function PATCH(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen den aktuellen Zeitraum wechseln." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen den aktuellen Zeitraum wechseln." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
@@ -22,7 +22,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume verwalten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Zeiträume verwalten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { z } from "zod";
|
||||
|
||||
import prisma from "@/lib/prisma";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
const subscriptionSchema = z.object({
|
||||
endpoint: z.string().url(),
|
||||
keys: z.object({
|
||||
p256dh: z.string().min(1),
|
||||
auth: z.string().min(1)
|
||||
})
|
||||
});
|
||||
|
||||
export async function POST(request: Request) {
|
||||
const viewer = await getCurrentViewer();
|
||||
|
||||
if (!viewer) {
|
||||
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
const parsed = subscriptionSchema.safeParse(body);
|
||||
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Push-Subscription ist ungueltig." }, { status: 400 });
|
||||
}
|
||||
|
||||
await prisma.pushSubscription.upsert({
|
||||
where: {
|
||||
endpoint: parsed.data.endpoint
|
||||
},
|
||||
update: {
|
||||
userId: viewer.id,
|
||||
p256dh: parsed.data.keys.p256dh,
|
||||
auth: parsed.data.keys.auth
|
||||
},
|
||||
create: {
|
||||
userId: viewer.id,
|
||||
endpoint: parsed.data.endpoint,
|
||||
p256dh: parsed.data.keys.p256dh,
|
||||
auth: parsed.data.keys.auth
|
||||
}
|
||||
});
|
||||
|
||||
return NextResponse.json({ ok: true });
|
||||
}
|
||||
|
||||
export async function DELETE(request: Request) {
|
||||
const viewer = await getCurrentViewer();
|
||||
|
||||
if (!viewer) {
|
||||
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
const parsed = z.object({ endpoint: z.string().url() }).safeParse(body);
|
||||
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Push-Subscription ist ungueltig." }, { status: 400 });
|
||||
}
|
||||
|
||||
await prisma.pushSubscription.deleteMany({
|
||||
where: {
|
||||
endpoint: parsed.data.endpoint,
|
||||
userId: viewer.id
|
||||
}
|
||||
});
|
||||
|
||||
return NextResponse.json({ ok: true });
|
||||
}
|
||||
@@ -20,7 +20,7 @@ export async function PATCH(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Einstellungen aendern." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Einstellungen aendern." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
@@ -26,7 +26,7 @@ export async function POST(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Passwörter neu setzen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Passwörter neu setzen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
@@ -3,29 +3,22 @@ import { z } from "zod";
|
||||
|
||||
import { snapshotUser } from "@/lib/audit-snapshots";
|
||||
import { createAuditLog } from "@/lib/audit-log";
|
||||
import {
|
||||
APPROVAL_FLOW,
|
||||
canManageUsers,
|
||||
getLegacyApprovalPreference,
|
||||
normalizeApprovalPermissions
|
||||
} from "@/lib/domain";
|
||||
import { canManageUsers, getLegacyApprovalPreference, normalizeApprovalPermissions } from "@/lib/domain";
|
||||
import prisma from "@/lib/prisma";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
const userRoleSchema = z.enum(["ADMIN", "FINANCE", "MEMBER"]);
|
||||
const approvalPermissionSchema = z.enum(APPROVAL_FLOW);
|
||||
const userRoleSchema = z.enum(["BOARD", "ORGA", "FINANCE", "MEMBER"]);
|
||||
|
||||
const updateUserSchema = z.object({
|
||||
role: userRoleSchema,
|
||||
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()]),
|
||||
approvalPermissions: z.array(approvalPermissionSchema).default([])
|
||||
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()])
|
||||
});
|
||||
|
||||
function serializeManagedUser(user: {
|
||||
id: string;
|
||||
name: string;
|
||||
username: string;
|
||||
role: "ADMIN" | "FINANCE" | "MEMBER";
|
||||
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
|
||||
workingGroupId: string | null;
|
||||
workingGroup: { name: string } | null;
|
||||
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
|
||||
@@ -63,14 +56,14 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Nutzer bearbeiten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Nutzer bearbeiten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
const parsed = updateUserSchema.safeParse(body);
|
||||
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Bitte Rolle, AG und Freigaberollen korrekt angeben." }, { status: 400 });
|
||||
return NextResponse.json({ error: "Bitte Rolle und AG korrekt angeben." }, { status: 400 });
|
||||
}
|
||||
|
||||
const user = await prisma.user.findUnique({
|
||||
@@ -99,9 +92,9 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
}
|
||||
|
||||
if (user.role === "ADMIN" && parsed.data.role !== "ADMIN") {
|
||||
if (user.role === "BOARD" && parsed.data.role !== "BOARD") {
|
||||
const adminCount = await prisma.user.count({
|
||||
where: { role: "ADMIN" }
|
||||
where: { role: "BOARD" }
|
||||
});
|
||||
|
||||
if (adminCount <= 1) {
|
||||
@@ -109,7 +102,7 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
}
|
||||
|
||||
const approvalPermissions = normalizeApprovalPermissions(parsed.data.role, parsed.data.approvalPermissions, null);
|
||||
const approvalPermissions = normalizeApprovalPermissions(parsed.data.role, null, null);
|
||||
const approvalPreference = getLegacyApprovalPreference(approvalPermissions);
|
||||
const previousSnapshot = snapshotUser(user);
|
||||
|
||||
@@ -172,7 +165,7 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Nutzer löschen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen Nutzer löschen." }, { status: 403 });
|
||||
}
|
||||
|
||||
if (viewer.id === id) {
|
||||
@@ -202,13 +195,13 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
);
|
||||
}
|
||||
|
||||
if (user.role === "ADMIN") {
|
||||
if (user.role === "BOARD") {
|
||||
const adminCount = await prisma.user.count({
|
||||
where: { role: "ADMIN" }
|
||||
where: { role: "BOARD" }
|
||||
});
|
||||
|
||||
if (adminCount <= 1) {
|
||||
return NextResponse.json({ error: "Mindestens ein Admin muss erhalten bleiben." }, { status: 400 });
|
||||
return NextResponse.json({ error: "Mindestens ein Vorstandskonto muss erhalten bleiben." }, { status: 400 });
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -4,31 +4,24 @@ import { z } from "zod";
|
||||
|
||||
import { snapshotUser } from "@/lib/audit-snapshots";
|
||||
import { createAuditLog } from "@/lib/audit-log";
|
||||
import {
|
||||
APPROVAL_FLOW,
|
||||
canManageUsers,
|
||||
getLegacyApprovalPreference,
|
||||
normalizeApprovalPermissions
|
||||
} from "@/lib/domain";
|
||||
import { canManageUsers, getLegacyApprovalPreference, normalizeApprovalPermissions } from "@/lib/domain";
|
||||
import prisma from "@/lib/prisma";
|
||||
import { getCurrentViewer } from "@/lib/session";
|
||||
|
||||
const userRoleSchema = z.enum(["ADMIN", "FINANCE", "MEMBER"]);
|
||||
const approvalPermissionSchema = z.enum(APPROVAL_FLOW);
|
||||
const userRoleSchema = z.enum(["BOARD", "ORGA", "FINANCE", "MEMBER"]);
|
||||
|
||||
const createUserSchema = z.object({
|
||||
username: z.string().trim().min(2).max(40),
|
||||
password: z.string().min(8).max(128),
|
||||
role: userRoleSchema,
|
||||
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()]),
|
||||
approvalPermissions: z.array(approvalPermissionSchema).default([])
|
||||
workingGroupId: z.union([z.string().trim().min(1), z.literal(""), z.null(), z.undefined()])
|
||||
});
|
||||
|
||||
function serializeManagedUser(user: {
|
||||
id: string;
|
||||
name: string;
|
||||
username: string;
|
||||
role: "ADMIN" | "FINANCE" | "MEMBER";
|
||||
role: "BOARD" | "ORGA" | "FINANCE" | "MEMBER";
|
||||
workingGroupId: string | null;
|
||||
workingGroup: { name: string } | null;
|
||||
approvalPreference: "CHAIR_A" | "CHAIR_B" | "FINANCE" | null;
|
||||
@@ -59,7 +52,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageUsers(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG duerfen Nutzer anlegen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen duerfen Nutzer anlegen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
@@ -75,7 +68,7 @@ export async function POST(request: Request) {
|
||||
: null;
|
||||
const approvalPermissions = normalizeApprovalPermissions(
|
||||
parsed.data.role,
|
||||
parsed.data.approvalPermissions,
|
||||
null,
|
||||
null
|
||||
);
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ export async function PATCH(request: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs bearbeiten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs bearbeiten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
@@ -97,7 +97,7 @@ export async function DELETE(_: Request, { params }: Context) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs löschen." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs löschen." }, { status: 403 });
|
||||
}
|
||||
|
||||
const workingGroup = await prisma.workingGroup.findUnique({
|
||||
|
||||
@@ -19,7 +19,7 @@ export async function POST(request: Request) {
|
||||
}
|
||||
|
||||
if (!canManageBudgets(viewer.role)) {
|
||||
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen AGs verwalten." }, { status: 403 });
|
||||
return NextResponse.json({ error: "Nur Vorstand allgemein, AG Orga oder AG Finanzen dürfen AGs verwalten." }, { status: 403 });
|
||||
}
|
||||
|
||||
const body = await request.json().catch(() => null);
|
||||
|
||||
Reference in New Issue
Block a user