From 6fa768aabee4bb6ff0f221ba2a40770a396c6904 Mon Sep 17 00:00:00 2001
From: Madhura68
Date: Sat, 25 Apr 2026 19:55:28 +0200
Subject: [PATCH] feat(ST-509): add archiveSelectedTodosAction with ownership validation

Validates all provided IDs belong to the session user before bulk-archiving.

Co-Authored-By: Claude Sonnet 4.6
---
 actions/todos.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/actions/todos.ts b/actions/todos.ts
index 1b717a8..92a0069 100644
--- a/actions/todos.ts
+++ b/actions/todos.ts
@@ -59,6 +59,26 @@ export async function archiveCompletedTodosAction() {
 return { success: true }
 }
 
+export async function archiveSelectedTodosAction(ids: string[]) {
+ const session = await getSession()
+ if (!session.userId) return { error: 'Niet ingelogd' }
+ if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+ if (!ids.length) return { error: 'Geen todos geselecteerd' }
+
+ const owned = await prisma.todo.findMany({
+ where: { id: { in: ids }, user_id: session.userId },
+ select: { id: true },
+ })
+ if (owned.length !== ids.length) return { error: 'Ongeldige selectie' }
+
+ await prisma.todo.updateMany({
+ where: { id: { in: ids }, user_id: session.userId },
+ data: { archived: true },
+ })
+ revalidatePath('/todos')
+ return { success: true }
+}
+
 const promotePbiSchema = z.object({
 todoId: z.string(),
 productId: z.string(),
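Review bot: `ids` is used as received in `archiveSelectedTodosAction`, but the `string[]` annotation is erased at runtime; if this is a Next.js server action (the `revalidatePath` call suggests so, though the `'use server'` directive is outside the hunk), the caller controls its shape and length. Parse it before the `findMany`, for example `const parsed = z.array(z.string()).min(1).max(MAX_IDS).safeParse(ids)` (`z` is already used in this file; `MAX_IDS` is a placeholder for a limit you choose), and return the existing 'Ongeldige selectie' error when parsing fails. De-duplicate before the count comparison as well, `const uniqueIds = [...new Set(parsed.data)]`, because a repeated id makes `owned.length !== ids.length` reject a selection the user fully owns. The `user_id` filter on `updateMany` is what actually enforces ownership at write time, so keep it even if the pre-check is reworked.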