Fix scoped access checks
This commit is contained in:
parent
d90a8fd560
commit
e0efb65efb
7 changed files with 84 additions and 19 deletions
|
|
@ -19,6 +19,10 @@ async function verifyStoryAccess(storyId: string, userId: string) {
|
|||
})
|
||||
}
|
||||
|
||||
function hasDuplicateIds(ids: string[]) {
|
||||
return new Set(ids).size !== ids.length
|
||||
}
|
||||
|
||||
const createStorySchema = z.object({
|
||||
pbiId: z.string(),
|
||||
productId: z.string(),
|
||||
|
|
@ -61,7 +65,7 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
|
|||
const story = await prisma.story.create({
|
||||
data: {
|
||||
pbi_id: parsed.data.pbiId,
|
||||
product_id: parsed.data.productId,
|
||||
product_id: pbi.product_id,
|
||||
title: parsed.data.title,
|
||||
priority: parsed.data.priority,
|
||||
sort_order,
|
||||
|
|
@ -69,7 +73,7 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
|
|||
},
|
||||
})
|
||||
|
||||
revalidatePath(`/products/${parsed.data.productId}`)
|
||||
revalidatePath(`/products/${pbi.product_id}`)
|
||||
return { success: true, story }
|
||||
}
|
||||
|
||||
|
|
@ -122,10 +126,17 @@ export async function reorderPbisAction(productId: string, orderedIds: string[])
|
|||
const session = await getSession()
|
||||
if (!session.userId) return { error: 'Niet ingelogd' }
|
||||
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
||||
if (hasDuplicateIds(orderedIds)) return { error: 'Ongeldige PBI-volgorde' }
|
||||
|
||||
const product = await getAccessibleProduct(productId, session.userId)
|
||||
if (!product) return { error: 'Product niet gevonden' }
|
||||
|
||||
const pbis = await prisma.pbi.findMany({
|
||||
where: { id: { in: orderedIds }, product_id: productId },
|
||||
select: { id: true },
|
||||
})
|
||||
if (pbis.length !== orderedIds.length) return { error: 'Ongeldige PBI-volgorde' }
|
||||
|
||||
await prisma.$transaction(
|
||||
orderedIds.map((id, i) =>
|
||||
prisma.pbi.update({ where: { id }, data: { sort_order: i + 1.0 } })
|
||||
|
|
@ -136,7 +147,7 @@ export async function reorderPbisAction(productId: string, orderedIds: string[])
|
|||
return { success: true }
|
||||
}
|
||||
|
||||
export async function updatePbiPriorityAction(pbiId: string, priority: number, productId: string) {
|
||||
export async function updatePbiPriorityAction(pbiId: string, priority: number, _productId: string) {
|
||||
const session = await getSession()
|
||||
if (!session.userId) return { error: 'Niet ingelogd' }
|
||||
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
||||
|
|
@ -145,9 +156,10 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
|
|||
where: { id: pbiId, product: productAccessFilter(session.userId) },
|
||||
})
|
||||
if (!pbi) return { error: 'PBI niet gevonden' }
|
||||
if (!Number.isInteger(priority) || priority < 1 || priority > 4) return { error: 'Ongeldige prioriteit' }
|
||||
|
||||
const last = await prisma.pbi.findFirst({
|
||||
where: { product_id: productId, priority },
|
||||
where: { product_id: pbi.product_id, priority },
|
||||
orderBy: { sort_order: 'desc' },
|
||||
})
|
||||
|
||||
|
|
@ -156,7 +168,7 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
|
|||
data: { priority, sort_order: (last?.sort_order ?? 0) + 1.0 },
|
||||
})
|
||||
|
||||
revalidatePath(`/products/${productId}`)
|
||||
revalidatePath(`/products/${pbi.product_id}`)
|
||||
return { success: true }
|
||||
}
|
||||
|
||||
|
|
@ -199,12 +211,22 @@ export async function reorderStoriesAction(
|
|||
const session = await getSession()
|
||||
if (!session.userId) return { error: 'Niet ingelogd' }
|
||||
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
||||
if (hasDuplicateIds(orderedIds)) return { error: 'Ongeldige story-volgorde' }
|
||||
if (newPriority !== undefined && (!Number.isInteger(newPriority) || newPriority < 1 || newPriority > 4)) {
|
||||
return { error: 'Ongeldige prioriteit' }
|
||||
}
|
||||
|
||||
const pbi = await prisma.pbi.findFirst({
|
||||
where: { id: pbiId, product: productAccessFilter(session.userId) },
|
||||
})
|
||||
if (!pbi) return { error: 'PBI niet gevonden' }
|
||||
|
||||
const stories = await prisma.story.findMany({
|
||||
where: { id: { in: orderedIds }, pbi_id: pbiId, product_id: pbi.product_id },
|
||||
select: { id: true },
|
||||
})
|
||||
if (stories.length !== orderedIds.length) return { error: 'Ongeldige story-volgorde' }
|
||||
|
||||
await prisma.$transaction(
|
||||
orderedIds.map((id, i) =>
|
||||
prisma.story.update({
|
||||
|
|
@ -217,6 +239,6 @@ export async function reorderStoriesAction(
|
|||
)
|
||||
)
|
||||
|
||||
revalidatePath(`/products/${productId}`)
|
||||
revalidatePath(`/products/${pbi.product_id}`)
|
||||
return { success: true }
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue