fix(demo): close 3 demo-policy gaps in mutation actions (before-launch)

Audit van alle Server Actions revealed drie mutation-paden zonder isDemo-check, terwijl de demo-policy zegt "demo-user is read-only": - toggleTodoAction: demo kon eigen todos done/undone toggelen - archiveCompletedTodosAction: demo kon todos archiveren (bulk) - leaveProductAction: demo kon productMembership verlaten Fix: standaard `if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }` toegevoegd, conform de andere mutation-actions. Andere claim/unclaim/reassign/updateTaskPlan-actions zijn al gedekt via requireProductWriter() → requireWriter() → demo-throw — nu code-side geverifieerd voor de hele actions/-tree. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 14:14:01 +02:00 · 2026-05-04 14:14:01 +02:00 · 95eff4087c
commit 95eff4087c
parent 7529fd54bc
2 changed files with 3 additions and 0 deletions
--- a/actions/products.ts
+++ b/actions/products.ts
@ -366,6 +366,7 @@ export async function removeProductMemberAction(productId: string, memberId: str
 export async function leaveProductAction(productId: string) {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
  await prisma.$transaction([
    prisma.user.updateMany({
--- a/actions/todos.ts
+++ b/actions/todos.ts
@ -47,6 +47,7 @@ export async function createTodoAction(_prevState: unknown, formData: FormData)
 export async function toggleTodoAction(id: string, done: boolean) {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
  const todo = await prisma.todo.findFirst({ where: { id, user_id: session.userId } })
  if (!todo) return { error: 'Todo niet gevonden' }
@ -59,6 +60,7 @@ export async function toggleTodoAction(id: string, done: boolean) {
 export async function archiveCompletedTodosAction() {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
  await prisma.todo.updateMany({
    where: { user_id: session.userId, done: true, archived: false },