Fix scoped access checks

2026-04-25 14:36:55 +02:00 · 2026-04-25 14:36:55 +02:00 · e0efb65efb
commit e0efb65efb
parent d90a8fd560
7 changed files with 84 additions and 19 deletions
--- a/actions/sprints.ts
+++ b/actions/sprints.ts
@ -12,6 +12,10 @@ async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
 }

+function hasDuplicateIds(ids: string[]) {
+  return new Set(ids).size !== ids.length
+}
+
 export async function createSprintAction(_prevState: unknown, formData: FormData) {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
@ -79,6 +83,7 @@ export async function addStoryToSprintAction(sprintId: string, storyId: string)
    where: { id: storyId, product: productAccessFilter(session.userId) },
  })
  if (!story) return { error: 'Story niet gevonden' }
+  if (story.product_id !== sprint.product_id) return { error: 'Story hoort niet bij deze Sprint' }

  const last = await prisma.story.findFirst({
    where: { sprint_id: sprintId },
@ -120,12 +125,19 @@ export async function reorderSprintStoriesAction(sprintId: string, orderedIds: s
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+  if (hasDuplicateIds(orderedIds)) return { error: 'Ongeldige Sprint Backlog-volgorde' }

  const sprint = await prisma.sprint.findFirst({
    where: { id: sprintId, product: productAccessFilter(session.userId) },
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

+  const stories = await prisma.story.findMany({
+    where: { id: { in: orderedIds }, sprint_id: sprintId, product_id: sprint.product_id },
+    select: { id: true },
+  })
+  if (stories.length !== orderedIds.length) return { error: 'Ongeldige Sprint Backlog-volgorde' }
+
  await prisma.$transaction(
    orderedIds.map((id, i) =>
      prisma.story.update({ where: { id }, data: { sort_order: i + 1.0 } })
@ -149,8 +161,22 @@ export async function completeSprintAction(
  })
  if (!sprint) return { error: 'Sprint niet gevonden' }

+  const entries = Object.entries(decisions)
+  if (entries.some(([, status]) => status !== 'DONE' && status !== 'OPEN')) {
+    return { error: 'Ongeldige Sprint-afronding' }
+  }
+
+  const storyIds = entries.map(([storyId]) => storyId)
+  if (hasDuplicateIds(storyIds)) return { error: 'Ongeldige Sprint-afronding' }
+
+  const stories = await prisma.story.findMany({
+    where: { id: { in: storyIds }, sprint_id: sprintId, product_id: sprint.product_id },
+    select: { id: true },
+  })
+  if (stories.length !== storyIds.length) return { error: 'Ongeldige Sprint-afronding' }
+
  await prisma.$transaction([
-    ...Object.entries(decisions).map(([storyId, status]) =>
+    ...entries.map(([storyId, status]) =>
      prisma.story.update({
        where: { id: storyId },
        data: {
--- a/actions/stories.ts
+++ b/actions/stories.ts
@ -19,6 +19,10 @@ async function verifyStoryAccess(storyId: string, userId: string) {
  })
 }

+function hasDuplicateIds(ids: string[]) {
+  return new Set(ids).size !== ids.length
+}
+
 const createStorySchema = z.object({
  pbiId: z.string(),
  productId: z.string(),
@ -61,7 +65,7 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
  const story = await prisma.story.create({
    data: {
      pbi_id: parsed.data.pbiId,
-      product_id: parsed.data.productId,
+      product_id: pbi.product_id,
      title: parsed.data.title,
      priority: parsed.data.priority,
      sort_order,
@ -69,7 +73,7 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
    },
  })

-  revalidatePath(`/products/${parsed.data.productId}`)
+  revalidatePath(`/products/${pbi.product_id}`)
  return { success: true, story }
 }

@ -122,10 +126,17 @@ export async function reorderPbisAction(productId: string, orderedIds: string[])
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+  if (hasDuplicateIds(orderedIds)) return { error: 'Ongeldige PBI-volgorde' }

  const product = await getAccessibleProduct(productId, session.userId)
  if (!product) return { error: 'Product niet gevonden' }

+  const pbis = await prisma.pbi.findMany({
+    where: { id: { in: orderedIds }, product_id: productId },
+    select: { id: true },
+  })
+  if (pbis.length !== orderedIds.length) return { error: 'Ongeldige PBI-volgorde' }
+
  await prisma.$transaction(
    orderedIds.map((id, i) =>
      prisma.pbi.update({ where: { id }, data: { sort_order: i + 1.0 } })
@ -136,7 +147,7 @@ export async function reorderPbisAction(productId: string, orderedIds: string[])
  return { success: true }
 }

-export async function updatePbiPriorityAction(pbiId: string, priority: number, productId: string) {
+export async function updatePbiPriorityAction(pbiId: string, priority: number, _productId: string) {
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
@ -145,9 +156,10 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
    where: { id: pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }
+  if (!Number.isInteger(priority) || priority < 1 || priority > 4) return { error: 'Ongeldige prioriteit' }

  const last = await prisma.pbi.findFirst({
-    where: { product_id: productId, priority },
+    where: { product_id: pbi.product_id, priority },
    orderBy: { sort_order: 'desc' },
  })

@ -156,7 +168,7 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
    data: { priority, sort_order: (last?.sort_order ?? 0) + 1.0 },
  })

-  revalidatePath(`/products/${productId}`)
+  revalidatePath(`/products/${pbi.product_id}`)
  return { success: true }
 }

@ -199,12 +211,22 @@ export async function reorderStoriesAction(
  const session = await getSession()
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+  if (hasDuplicateIds(orderedIds)) return { error: 'Ongeldige story-volgorde' }
+  if (newPriority !== undefined && (!Number.isInteger(newPriority) || newPriority < 1 || newPriority > 4)) {
+    return { error: 'Ongeldige prioriteit' }
+  }

  const pbi = await prisma.pbi.findFirst({
    where: { id: pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }

+  const stories = await prisma.story.findMany({
+    where: { id: { in: orderedIds }, pbi_id: pbiId, product_id: pbi.product_id },
+    select: { id: true },
+  })
+  if (stories.length !== orderedIds.length) return { error: 'Ongeldige story-volgorde' }
+
  await prisma.$transaction(
    orderedIds.map((id, i) =>
      prisma.story.update({
@ -217,6 +239,6 @@ export async function reorderStoriesAction(
    )
  )

-  revalidatePath(`/products/${productId}`)
+  revalidatePath(`/products/${pbi.product_id}`)
  return { success: true }
 }
--- a/actions/todos.ts
+++ b/actions/todos.ts
@ -6,6 +6,7 @@ import { getIronSession } from 'iron-session'
 import { z } from 'zod'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { productAccessFilter } from '@/lib/product-access'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -81,6 +82,11 @@ export async function promoteTodoToPbiAction(_prevState: unknown, formData: Form
  })
  if (!product) return { error: 'Product niet gevonden' }

+  const todo = await prisma.todo.findFirst({
+    where: { id: parsed.data.todoId, user_id: session.userId, product_id: parsed.data.productId },
+  })
+  if (!todo) return { error: 'Todo niet gevonden' }
+
  const last = await prisma.pbi.findFirst({
    where: { product_id: parsed.data.productId, priority: parsed.data.priority },
    orderBy: { sort_order: 'desc' },
@ -95,7 +101,7 @@ export async function promoteTodoToPbiAction(_prevState: unknown, formData: Form
        sort_order: (last?.sort_order ?? 0) + 1.0,
      },
    }),
-    prisma.todo.delete({ where: { id: parsed.data.todoId } }),
+    prisma.todo.deleteMany({ where: { id: parsed.data.todoId, user_id: session.userId } }),
  ])

  revalidatePath('/todos')
@ -125,10 +131,16 @@ export async function promoteTodoToStoryAction(_prevState: unknown, formData: Fo
  })
  if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }

+  const todo = await prisma.todo.findFirst({
+    where: { id: parsed.data.todoId, user_id: session.userId },
+  })
+  if (!todo) return { error: 'Todo niet gevonden' }
+
  const pbi = await prisma.pbi.findFirst({
-    where: { id: parsed.data.pbiId, product: { user_id: session.userId } },
+    where: { id: parsed.data.pbiId, product: productAccessFilter(session.userId) },
  })
  if (!pbi) return { error: 'PBI niet gevonden' }
+  if (todo.product_id !== pbi.product_id) return { error: 'Todo hoort niet bij dit product' }

  const last = await prisma.story.findFirst({
    where: { pbi_id: parsed.data.pbiId, priority: parsed.data.priority },
@ -139,18 +151,18 @@ export async function promoteTodoToStoryAction(_prevState: unknown, formData: Fo
    prisma.story.create({
      data: {
        pbi_id: parsed.data.pbiId,
-        product_id: parsed.data.productId,
+        product_id: pbi.product_id,
        title: parsed.data.title,
        priority: parsed.data.priority,
        sort_order: (last?.sort_order ?? 0) + 1.0,
        status: 'OPEN',
      },
    }),
-    prisma.todo.delete({ where: { id: parsed.data.todoId } }),
+    prisma.todo.deleteMany({ where: { id: parsed.data.todoId, user_id: session.userId } }),
  ])

  revalidatePath('/todos')
-  revalidatePath(`/products/${parsed.data.productId}`)
+  revalidatePath(`/products/${pbi.product_id}`)
  return { success: true }
 }