Jan/RFP_Finanzen
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix period editing and harden app with Next.js security upgrade
All checks were successful
CI / Build (push) Successful in 1m10s
Details
CI / Deploy (push) Successful in 1m11s
Details

Browse Source
This commit is contained in:
Jan Hanewinkel
2026-04-20 00:02:46 +02:00
parent 5a8b0871a0
commit f947908f0e
14 changed files with 2595 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
next-env.d.ts vendored
View File

@@ -1,5 +1,6 @@
/// <reference types="next" />
/// <reference types="next/image-types/global" />
/// <reference path="./.next/types/routes.d.ts" />
// This file is auto-generated by Next.js.
// NOTE: This file should not be edited
// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

2324
package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff

2
package.json
View File

@@ -20,7 +20,7 @@
"@mui/material": "^6.1.3",
"@prisma/client": "^5.20.0",
"bcryptjs": "^2.4.3",
"next": "^14.2.14",
"next": "^15.5.15",
"next-auth": "^4.24.8",
"react": "^18.3.1",
"react-dom": "^18.3.1",

23
src/app/api/audit-logs/[id]/restore/route.ts
View File

@@ -6,9 +6,9 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
function asRecord(value: unknown, label: string) {
@@ -65,6 +65,7 @@ function asApprovalPermissions(value: unknown) {
}
export async function POST(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -77,7 +78,7 @@ export async function POST(_: Request, { params }: Context) {
const auditLog = await prisma.auditLog.findUnique({
where: {
id: params.id
id
}
});
@@ -297,6 +298,22 @@ export async function POST(_: Request, { params }: Context) {
break;
}
case "period.update": {
const previous = asRecord(rollback.previous, "Zeitraum");
await tx.accountingPeriod.update({
where: {
id: asString(previous.id, "Zeitraum-ID")
},
data: {
name: asString(previous.name, "Zeitraumname"),
startsAt: asDate(previous.startsAt, "Zeitraumstart") ?? new Date(),
endsAt: asDate(previous.endsAt, "Zeitraumende") ?? new Date()
}
});
break;
}
case "period.setCurrent": {
const previousCurrentPeriodId = asNullableString(rollback.previousCurrentPeriodId);

14
src/app/api/budgets/[id]/route.ts
View File

@@ -26,12 +26,13 @@ const updateBudgetSchema = z
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -43,7 +44,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const budget = await prisma.budget.findUnique({
where: { id: params.id }
where: { id }
});
if (!budget) {
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
const previousBudget = budget;
const nextReleasedAmount = parsed.data.releasedAmount ?? Number(previousBudget.releasedAmount);
const updatedBudget = await prisma.budget.update({
where: { id: params.id },
where: { id },
data: {
name: parsed.data.name,
totalBudget: parsed.data.totalBudget,
@@ -106,6 +107,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -117,7 +119,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const budget = await prisma.budget.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -139,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.budget.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {

7
src/app/api/expenses/[id]/approve/route.ts
View File

@@ -18,12 +18,13 @@ const approvalSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -32,7 +33,7 @@ export async function POST(request: Request, { params }: Context) {
const [expense, appSettings] = await Promise.all([
prisma.expense.findUnique({
where: { id: params.id },
where: { id },
include: {
approvals: true
}

9
src/app/api/expenses/[id]/documented/route.ts
View File

@@ -13,12 +13,13 @@ const documentedSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -30,7 +31,7 @@ export async function POST(request: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -53,7 +54,7 @@ export async function POST(request: Request, { params }: Context) {
}
const updatedExpense = await prisma.expense.update({
where: { id: params.id },
where: { id },
data: {
proofUrl: parsed.data.proofUrl ?? expense.proofUrl,
documentedAt: expense.documentedAt ?? new Date()

9
src/app/api/expenses/[id]/paid/route.ts
View File

@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -23,7 +24,7 @@ export async function POST(_: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -35,7 +36,7 @@ export async function POST(_: Request, { params }: Context) {
}
const updatedExpense = await prisma.expense.update({
where: { id: params.id },
where: { id },
data: {
paidAt: expense.paidAt ?? new Date()
}

9
src/app/api/expenses/[id]/route.ts
View File

@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -19,7 +20,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const expense = await prisma.expense.findUnique({
where: { id: params.id }
where: { id }
});
if (!expense) {
@@ -41,7 +42,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.expense.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {

98
src/app/api/periods/[id]/route.ts
View File

@@ -1,4 +1,5 @@
import { NextResponse } from "next/server";
import { z } from "zod";
import { snapshotPeriod } from "@/lib/audit-snapshots";
import { createAuditLog } from "@/lib/audit-log";
@@ -7,12 +8,101 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
const periodSchema = z.object({
name: z.string().trim().min(2).max(80),
startsAt: z.coerce.date(),
endsAt: z.coerce.date()
});
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
}
if (!canManageBudgets(viewer.role)) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume bearbeiten." }, { status: 403 });
}
const body = await request.json().catch(() => null);
const parsed = periodSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({ error: "Bitte Zeitraumname sowie Start- und Enddatum korrekt angeben." }, { status: 400 });
}
if (parsed.data.endsAt < parsed.data.startsAt) {
return NextResponse.json({ error: "Das Enddatum muss nach dem Startdatum liegen." }, { status: 400 });
}
const period = await prisma.accountingPeriod.findUnique({
where: { id }
});
if (!period) {
return NextResponse.json({ error: "Zeitraum nicht gefunden." }, { status: 404 });
}
const existingPeriod = await prisma.accountingPeriod.findFirst({
where: {
id: {
not: id
},
name: {
equals: parsed.data.name,
mode: "insensitive"
}
}
});
if (existingPeriod) {
return NextResponse.json({ error: "Diesen Zeitraumnamen gibt es bereits." }, { status: 409 });
}
const updatedPeriod = await prisma.accountingPeriod.update({
where: {
id
},
data: {
name: parsed.data.name,
startsAt: parsed.data.startsAt,
endsAt: parsed.data.endsAt
}
});
await createAuditLog(prisma, {
actorId: viewer.id,
action: "period.update",
entityType: "period",
entityId: updatedPeriod.id,
entityLabel: updatedPeriod.name,
summary:
period.name !== updatedPeriod.name
? `Zeitraum ${period.name} wurde auf ${updatedPeriod.name} aktualisiert.`
: `Zeitraum ${period.name} wurde aktualisiert.`,
metadata: {
startsAt: updatedPeriod.startsAt.toISOString(),
endsAt: updatedPeriod.endsAt.toISOString(),
rollback: {
kind: "period.update",
previous: snapshotPeriod(period),
next: snapshotPeriod(updatedPeriod)
}
}
});
return NextResponse.json({ period: updatedPeriod });
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -24,7 +114,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const period = await prisma.accountingPeriod.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -51,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.accountingPeriod.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {

9
src/app/api/users/[id]/password/route.ts
View File

@@ -12,12 +12,13 @@ const passwordSchema = z.object({
});
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function POST(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -36,7 +37,7 @@ export async function POST(request: Request, { params }: Context) {
}
const user = await prisma.user.findUnique({
where: { id: params.id },
where: { id },
select: { id: true, username: true, passwordHash: true }
});
@@ -47,7 +48,7 @@ export async function POST(request: Request, { params }: Context) {
const passwordHash = await bcrypt.hash(parsed.data.password, 12);
await prisma.user.update({
where: { id: params.id },
where: { id },
data: {
passwordHash
}

16
src/app/api/users/[id]/route.ts
View File

@@ -49,12 +49,13 @@ function serializeManagedUser(user: {
}
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -73,7 +74,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const user = await prisma.user.findUnique({
where: { id: params.id }
where: { id }
});
if (!user) {
@@ -113,7 +114,7 @@ export async function PATCH(request: Request, { params }: Context) {
const previousSnapshot = snapshotUser(user);
const updatedUser = await prisma.user.update({
where: { id: params.id },
where: { id },
data: {
role: parsed.data.role,
workingGroupId,
@@ -163,6 +164,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -173,12 +175,12 @@ export async function DELETE(_: Request, { params }: Context) {
return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Nutzer löschen." }, { status: 403 });
}
if (viewer.id === params.id) {
if (viewer.id === id) {
return NextResponse.json({ error: "Du kannst dein eigenes Konto hier nicht löschen." }, { status: 400 });
}
const user = await prisma.user.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -211,7 +213,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.user.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {

16
src/app/api/working-groups/[id]/route.ts
View File

@@ -8,9 +8,9 @@ import prisma from "@/lib/prisma";
import { getCurrentViewer } from "@/lib/session";
type Context = {
params: {
params: Promise<{
id: string;
};
}>;
};
const workingGroupSchema = z.object({
@@ -18,6 +18,7 @@ const workingGroupSchema = z.object({
});
export async function PATCH(request: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -36,7 +37,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
const workingGroup = await prisma.workingGroup.findUnique({
where: { id: params.id }
where: { id }
});
if (!workingGroup) {
@@ -46,7 +47,7 @@ export async function PATCH(request: Request, { params }: Context) {
const existingWorkingGroup = await prisma.workingGroup.findFirst({
where: {
id: {
not: params.id
not: id
},
name: {
equals: parsed.data.name,
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
const updatedWorkingGroup = await prisma.workingGroup.update({
where: {
id: params.id
id
},
data: {
name: parsed.data.name
@@ -88,6 +89,7 @@ export async function PATCH(request: Request, { params }: Context) {
}
export async function DELETE(_: Request, { params }: Context) {
const { id } = await params;
const viewer = await getCurrentViewer();
if (!viewer) {
@@ -99,7 +101,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
const workingGroup = await prisma.workingGroup.findUnique({
where: { id: params.id },
where: { id },
include: {
_count: {
select: {
@@ -126,7 +128,7 @@ export async function DELETE(_: Request, { params }: Context) {
}
await prisma.workingGroup.delete({
where: { id: params.id }
where: { id }
});
await createAuditLog(prisma, {

105
src/components/dashboard/dashboard-shell.tsx
View File

@@ -110,6 +110,12 @@ type PeriodFormState = {
copyBudgetsFromPeriodId: string;
};
type PeriodEditFormState = {
name: string;
startsAt: string;
endsAt: string;
};
type DashboardMessage = {
type: "success" | "error";
text: string;
@@ -191,6 +197,22 @@ function getSuggestedPeriodDraft(currentPeriod: DashboardAccountingPeriod | unde
};
}
function getPeriodEditDraft(period: DashboardAccountingPeriod | null | undefined): PeriodEditFormState {
if (!period) {
return {
name: "",
startsAt: "",
endsAt: ""
};
}
return {
name: period.name,
startsAt: toDateInputValue(period.startsAt),
endsAt: toDateInputValue(period.endsAt)
};
}
function generatePassword(length = 14) {
const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@$%";
const cryptoSource = globalThis.crypto;
@@ -297,6 +319,7 @@ export function DashboardShell({
const [userDrafts, setUserDrafts] = useState<Record<string, ManagedUserDraft>>({});
const [approvalThresholdDraft, setApprovalThresholdDraft] = useState(approvalThreshold.toFixed(2));
const [periodForm, setPeriodForm] = useState<PeriodFormState>(getSuggestedPeriodDraft(currentPeriod));
const [periodEditForm, setPeriodEditForm] = useState<PeriodEditFormState>(getPeriodEditDraft(currentPeriod));
useEffect(() => {
if (visibleGroups.length === 0) {
setSelectedMobileGroupId("");
@@ -314,6 +337,11 @@ export function DashboardShell({
setPeriodForm(getSuggestedPeriodDraft(currentPeriod));
}, [currentPeriod, currentPeriodId]);
useEffect(() => {
const selectedPeriod = accountingPeriods.find((period) => period.id === selectedCurrentPeriodId) ?? currentPeriod ?? null;
setPeriodEditForm(getPeriodEditDraft(selectedPeriod));
}, [accountingPeriods, currentPeriod, selectedCurrentPeriodId]);
useEffect(() => {
if (!desktopSections.some((section) => section.value === desktopSection)) {
setDesktopSection("overview");
@@ -468,6 +496,11 @@ export function DashboardShell({
) ?? 0;
const selectedPeriodForManagement =
accountingPeriods.find((period) => period.id === selectedCurrentPeriodId) ?? currentPeriod ?? null;
const periodEditDirty =
selectedPeriodForManagement !== null &&
(periodEditForm.name.trim() !== selectedPeriodForManagement.name ||
periodEditForm.startsAt !== toDateInputValue(selectedPeriodForManagement.startsAt) ||
periodEditForm.endsAt !== toDateInputValue(selectedPeriodForManagement.endsAt));
function getManagedUserDraft(user: DashboardManagedUser): ManagedUserDraft {
return userDrafts[user.id] ?? {
@@ -810,6 +843,27 @@ export function DashboardShell({
}, "Neuer Abrechnungszeitraum wurde angelegt.");
}
async function handleSavePeriod(event: FormEvent<HTMLFormElement>) {
event.preventDefault();
if (!selectedPeriodForManagement) {
setMessage({ type: "error", text: "Bitte zuerst einen Zeitraum auswählen." });
return;
}
await runAction(async () => {
await parseResponse(
await fetch(`/api/periods/${selectedPeriodForManagement.id}`, {
method: "PATCH",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify(periodEditForm)
})
);
}, `Zeitraum ${periodEditForm.name.trim() || selectedPeriodForManagement.name} wurde aktualisiert.`);
}
async function handleDeletePeriod(periodId: string, periodName: string) {
await runAction(async () => {
await parseResponse(
@@ -1222,6 +1276,55 @@ export function DashboardShell({
: "Leere, nicht aktive Zeiträume lassen sich hier wieder entfernen."}
</Typography>
<Box component="form" onSubmit={handleSavePeriod} sx={nestedPanelSx}>
<Stack spacing={1.4}>
<Typography variant="subtitle1" sx={{ fontWeight: 700 }}>
Ausgewählten Zeitraum bearbeiten
</Typography>
<TextField
label="Zeitraum-Name"
value={periodEditForm.name}
onChange={(event) => setPeriodEditForm((current) => ({ ...current, name: event.target.value }))}
required
fullWidth
disabled={!selectedPeriodForManagement}
/>
<Stack direction={{ xs: "column", sm: "row" }} gap={1.2}>
<TextField
label="Von"
type="date"
value={periodEditForm.startsAt}
onChange={(event) => setPeriodEditForm((current) => ({ ...current, startsAt: event.target.value }))}
InputLabelProps={{ shrink: true }}
required
fullWidth
disabled={!selectedPeriodForManagement}
/>
<TextField
label="Bis"
type="date"
value={periodEditForm.endsAt}
onChange={(event) => setPeriodEditForm((current) => ({ ...current, endsAt: event.target.value }))}
InputLabelProps={{ shrink: true }}
required
fullWidth
disabled={!selectedPeriodForManagement}
/>
</Stack>
<Typography variant="body2" color="text.secondary">
{"Abo-Berechnungen nutzen danach direkt den neuen Zeitraum."}
</Typography>
<Button
type="submit"
variant="outlined"
startIcon={<EditRoundedIcon />}
disabled={busy || !selectedPeriodForManagement || !periodEditDirty}
>
Zeitraum speichern
</Button>
</Stack>
</Box>
<Box component="form" onSubmit={handleCreatePeriod} sx={nestedPanelSx}>
<Stack spacing={1.4}>
<Typography variant="subtitle1" sx={{ fontWeight: 700 }}>
@@ -2412,5 +2515,3 @@ export function DashboardShell({
</Box>
);
}