feat(ST-509): add archiveSelectedTodosAction with ownership validation

Validates all provided IDs belong to the session user before bulk-archiving. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 19:55:28 +02:00 · 2026-04-25 19:55:28 +02:00 · 6fa768aabe
commit 6fa768aabe
parent 5dd89739ce
1 changed files with 20 additions and 0 deletions
--- a/actions/todos.ts
+++ b/actions/todos.ts
@ -59,6 +59,26 @@ export async function archiveCompletedTodosAction() {
  return { success: true }
 }

+export async function archiveSelectedTodosAction(ids: string[]) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+  if (!ids.length) return { error: 'Geen todos geselecteerd' }
+
+  const owned = await prisma.todo.findMany({
+    where: { id: { in: ids }, user_id: session.userId },
+    select: { id: true },
+  })
+  if (owned.length !== ids.length) return { error: 'Ongeldige selectie' }
+
+  await prisma.todo.updateMany({
+    where: { id: { in: ids }, user_id: session.userId },
+    data: { archived: true },
+  })
+  revalidatePath('/todos')
+  return { success: true }
+}
+
 const promotePbiSchema = z.object({
  todoId: z.string(),
  productId: z.string(),