From 95eff4087c61d3e973b236b6dbea142faea22aac Mon Sep 17 00:00:00 2001
From: Madhura68
Date: Mon, 4 May 2026 14:14:01 +0200
Subject: [PATCH] fix(demo): close 3 demo-policy gaps in mutation actions (before-launch)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Audit van alle Server Actions revealed drie mutation-paden zonder isDemo-check, terwijl de demo-policy zegt "demo-user is read-only":

- toggleTodoAction: demo kon eigen todos done/undone toggelen
- archiveCompletedTodosAction: demo kon todos archiveren (bulk)
- leaveProductAction: demo kon productMembership verlaten

Fix: standaard `if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }` toegevoegd, conform de andere mutation-actions.

Andere claim/unclaim/reassign/updateTaskPlan-actions zijn al gedekt via requireProductWriter() → requireWriter() → demo-throw — nu code-side geverifieerd voor de hele actions/-tree.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 actions/products.ts | 1 +
 actions/todos.ts    | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/actions/products.ts b/actions/products.ts
index f238058..9a0856b 100644
--- a/actions/products.ts
+++ b/actions/products.ts
@@ -366,6 +366,7 @@ export async function removeProductMemberAction(productId: string, memberId: str
 export async function leaveProductAction(productId: string) {
   const session = await getSession()
   if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
 
   await prisma.$transaction([
     prisma.user.updateMany({
diff --git a/actions/todos.ts b/actions/todos.ts
index 3c68da9..7720eb4 100644
--- a/actions/todos.ts
+++ b/actions/todos.ts
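Review bot: The added `if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }` encodes the demo read-only rule a second way, next to the `requireWriter()` demo-throw that the commit message says the other mutation actions rely on, and it is exactly this hand-copied variant that the audit found missing in three places. If `requireWriter()` (not visible here) returns the session, the first two lines of the body could become `const session = await requireWriter()` so the policy has one owner; if its throw-versus-`{ error }` contract differs from what callers of this action expect, at least record the coupling on the guard: `// demo policy: demo sessions are read-only — keep in step with requireWriter()`. The `$transaction` body of leaveProductAction continues past the end of the hunk, so whether the membership removal is itself scoped to session.userId cannot be checked from here.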
@@ -47,6 +47,7 @@ export async function createTodoAction(_prevState: unknown, formData: FormData)
 export async function toggleTodoAction(id: string, done: boolean) {
   const session = await getSession()
   if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
 
   const todo = await prisma.todo.findFirst({ where: { id, user_id: session.userId } })
   if (!todo) return { error: 'Todo niet gevonden' }
@@ -59,6 +60,7 @@ export async function toggleTodoAction(id: string, done: boolean) {
 export async function archiveCompletedTodosAction() {
   const session = await getSession()
   if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
 
   await prisma.todo.updateMany({
     where: { user_id: session.userId, done: true, archived: false },
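Review bot: Coverage of the new guard in toggleTodoAction is still established only by reading the code — the commit message says the actions/ tree was verified code-side — so nothing stops the next mutation action from shipping without it, which is how these three gaps appeared in the first place. A regression test that imports every export of actions/, calls each with a demo-session fixture and asserts that it either throws or returns `{ error: 'Niet beschikbaar in demo-modus' }` would turn the audit into an enforced invariant; genuinely read-only actions would then need an explicit allow-list in that test rather than silent omission. Placing the check before the `prisma.todo.findFirst` lookup is the right order, since a demo session never reaches the database. toggleTodoAction continues past the end of the hunk.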
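Review bot: The guard added to archiveCompletedTodosAction is a per-action deny check, so a missed one fails open: the demo session silently gets write access, as the `updateMany` on the next lines shows (it would have archived every done todo of the demo user). Since every write path in these hunks goes through `prisma`, a second enforcement point closer to the data — a Prisma client extension that rejects create/update/delete/updateMany for a demo request context, or a separate read-only database role for the demo connection — would make a missing guard fail closed instead; whether the request context is reachable at that layer is not visible from the hunk. Until then, a comment on the guard should record the limitation: `// demo read-only is enforced per action only; not re-checked at the prisma layer (verify)`.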