Jan/RFP_Finanzen
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix period editing and harden app with Next.js security upgrade
CI / Build (push) Successful in 1m10s
Details
CI / Deploy (push) Successful in 1m11s
Details

Browse Source
This commit is contained in:
Jan Hanewinkel
2026-04-20 00:02:46 +02:00
parent 5a8b0871a0
commit f947908f0e
14 changed files with 2595 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/app/api/audit-logs/[id]/restore/route.ts
+20 -3
View File
@@ -6,9 +6,9 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
function asRecord(value: unknown, label: string) {
@@ -65,6 +65,7 @@ function asApprovalPermissions(value: unknown) {
}
export async function POST(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -77,7 +78,7 @@ export async function POST(_: Request, { params }: Context) {
const auditLog = await prisma.auditLog.findUnique({
where: {
id: params.id
id
}
});
@@ -297,6 +298,22 @@ export async function POST(_: Request, { params }: Context) {
break;
}
case "period.update": {
const previous = asRecord(rollback.previous, "Zeitraum");
await tx.accountingPeriod.update({
where: {
id: asString(previous.id, "Zeitraum-ID")
},
data: {
name: asString(previous.name, "Zeitraumname"),
startsAt: asDate(previous.startsAt, "Zeitraumstart") ?? new Date(),
endsAt: asDate(previous.endsAt, "Zeitraumende") ?? new Date()
}
});
break;
}
case "period.setCurrent": {
const previousCurrentPeriodId = asNullableString(rollback.previousCurrentPeriodId);
src/app/api/budgets/[id]/route.ts
+8 -6
View File
@@ -26,12 +26,13 @@ const updateBudgetSchema = z
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -43,7 +44,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const budget = await prisma.budget.findUnique({
where: { id: params.id }
where: { id }
});
if (!budget) {
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
const previousBudget = budget;
const nextReleasedAmount = parsed.data.releasedAmount ?? Number(previousBudget.releasedAmount);
const updatedBudget = await prisma.budget.update({
where: { id: params.id },
where: { id },
data: {
name: parsed.data.name,
totalBudget: parsed.data.totalBudget,
@@ -106,6 +107,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -117,7 +119,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const budget = await prisma.budget.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -139,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.budget.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {
src/app/api/expenses/[id]/approve/route.ts
+4 -3
View File
@@ -18,12 +18,13 @@ const approvalSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -32,7 +33,7 @@ export async function POST(request: Request, { params }: Context) {
const [expense, appSettings] = await Promise.all([
prisma.expense.findUnique({
where: { id: params.id },
where: { id },
include: {
approvals: true
}
src/app/api/expenses/[id]/documented/route.ts
+5 -4
View File
@@ -13,12 +13,13 @@ const documentedSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -30,7 +31,7 @@ export async function POST(request: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -53,7 +54,7 @@ export async function POST(request: Request, { params }: Context) {
}
const updatedExpense = await prisma.expense.update({
where: { id: params.id },
where: { id },
data: {
proofUrl: parsed.data.proofUrl ?? expense.proofUrl,
documentedAt: expense.documentedAt ?? new Date()
src/app/api/expenses/[id]/paid/route.ts
+5 -4
View File
@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -23,7 +24,7 @@ export async function POST(_: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -35,7 +36,7 @@ export async function POST(_: Request, { params }: Context) {
}
const updatedExpense = await prisma.expense.update({
where: { id: params.id },
where: { id },
data: {
paidAt: expense.paidAt ?? new Date()
}
src/app/api/expenses/[id]/route.ts
+5 -4
View File
@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -19,7 +20,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -41,7 +42,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.expense.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {
src/app/api/periods/[id]/route.ts
+94 -4
View File
@@ -1,4 +1,5 @@
import { NextResponse } from "next/server";
import { z } from "zod";
import { snapshotPeriod } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
@@ -7,12 +8,101 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
const periodSchema = z.object({
name: z.string().trim().min(2).max(80),
startsAt: z.coerce.date(),
endsAt: z.coerce.date()
});
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume bearbeiten." }, { status: 403 });
}
const body = await request.json().catch(() => null);
const parsed = periodSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Bitte Zeitraumname sowie Start- und Enddatum korrekt angeben." }, { status: 400 });
}
if (parsed.data.endsAt < parsed.data.startsAt) {
return NextResponse.json({ error: "Das Enddatum muss nach dem Startdatum liegen." }, { status: 400 });
}
const period = await prisma.accountingPeriod.findUnique({
where: { id }
});
if (!period) {
return NextResponse.json({ error: "Zeitraum nicht gefunden." }, { status: 404 });
}
const existingPeriod = await prisma.accountingPeriod.findFirst({
where: {
id: {
not: id
},
name: {
equals: parsed.data.name,
mode: "insensitive"
}
}
});
if (existingPeriod) {
return NextResponse.json({ error: "Diesen Zeitraumnamen gibt es bereits." }, { status: 409 });
}
const updatedPeriod = await prisma.accountingPeriod.update({
where: {
id
},
data: {
name: parsed.data.name,
startsAt: parsed.data.startsAt,
endsAt: parsed.data.endsAt
}
});
await createAuditLog(prisma, {
actorId: viewer.id,
action: "period.update",
entityType: "period",
entityId: updatedPeriod.id,
entityLabel: updatedPeriod.name,
summary:
period.name !== updatedPeriod.name
? `Zeitraum ${period.name} wurde auf ${updatedPeriod.name} aktualisiert.`
: `Zeitraum ${period.name} wurde aktualisiert.`,
metadata: {
startsAt: updatedPeriod.startsAt.toISOString(),
endsAt: updatedPeriod.endsAt.toISOString(),
rollback: {
kind: "period.update",
previous: snapshotPeriod(period),
next: snapshotPeriod(updatedPeriod)
}
}
});
return NextResponse.json({ period: updatedPeriod });
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -24,7 +114,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const period = await prisma.accountingPeriod.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -51,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.accountingPeriod.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {
src/app/api/users/[id]/password/route.ts
+5 -4
View File
@@ -12,12 +12,13 @@ const passwordSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -36,7 +37,7 @@ export async function POST(request: Request, { params }: Context) {
}
const user = await prisma.user.findUnique({
where: { id: params.id },
where: { id },
select: { id: true, username: true, passwordHash: true }
});
@@ -47,7 +48,7 @@ export async function POST(request: Request, { params }: Context) {
const passwordHash = await bcrypt.hash(parsed.data.password, 12);
await prisma.user.update({
where: { id: params.id },
where: { id },
data: {
passwordHash
}
src/app/api/users/[id]/route.ts
+9 -7
View File
@@ -49,12 +49,13 @@ function serializeManagedUser(user: {
}
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -73,7 +74,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const user = await prisma.user.findUnique({
where: { id: params.id }
where: { id }
});
if (!user) {
@@ -113,7 +114,7 @@ export async function PATCH(request: Request, { params }: Context) {
const previousSnapshot = snapshotUser(user);
const updatedUser = await prisma.user.update({
where: { id: params.id },
where: { id },
data: {
role: parsed.data.role,
workingGroupId,
@@ -163,6 +164,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -173,12 +175,12 @@ export async function DELETE(_: Request, { params }: Context) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Nutzer löschen." }, { status: 403 });
}
if (viewer.id === params.id) {
if (viewer.id === id) {
return NextResponse.json({ error: "Du kannst dein eigenes Konto hier nicht löschen." }, { status: 400 });
}
const user = await prisma.user.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -211,7 +213,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.user.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {
src/app/api/working-groups/[id]/route.ts
+9 -7
View File
@@ -8,9 +8,9 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
const workingGroupSchema = z.object({
@@ -18,6 +18,7 @@ const workingGroupSchema = z.object({
});
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -36,7 +37,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const workingGroup = await prisma.workingGroup.findUnique({
where: { id: params.id }
where: { id }
});
if (!workingGroup) {
@@ -46,7 +47,7 @@ export async function PATCH(request: Request, { params }: Context) {
const existingWorkingGroup = await prisma.workingGroup.findFirst({
where: {
id: {
not: params.id
not: id
},
name: {
equals: parsed.data.name,
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
const updatedWorkingGroup = await prisma.workingGroup.update({
where: {
id: params.id
id
},
data: {
name: parsed.data.name
@@ -88,6 +89,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -99,7 +101,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const workingGroup = await prisma.workingGroup.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -126,7 +128,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.workingGroup.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {