janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix scoped access checks

Browse source
This commit is contained in:
Janpeter Visser 2026-04-25 14:36:55 +02:00
parent d90a8fd560
commit e0efb65efb
7 changed files with 84 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

22
actions/todos.ts
View file

@ -6,6 +6,7 @@ import { getIronSession } from 'iron-session'
import { z } from 'zod'
import { prisma } from '@/lib/prisma'
import { SessionData, sessionOptions } from '@/lib/session'
import { productAccessFilter } from '@/lib/product-access'
async function getSession() {
return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -81,6 +82,11 @@ export async function promoteTodoToPbiAction(_prevState: unknown, formData: Form
})
if (!product) return { error: 'Product niet gevonden' }
const todo = await prisma.todo.findFirst({
where: { id: parsed.data.todoId, user_id: session.userId, product_id: parsed.data.productId },
})
if (!todo) return { error: 'Todo niet gevonden' }
const last = await prisma.pbi.findFirst({
where: { product_id: parsed.data.productId, priority: parsed.data.priority },
orderBy: { sort_order: 'desc' },
@ -95,7 +101,7 @@ export async function promoteTodoToPbiAction(_prevState: unknown, formData: Form
sort_order: (last?.sort_order ?? 0) + 1.0,
},
}),
prisma.todo.delete({ where: { id: parsed.data.todoId } }),
prisma.todo.deleteMany({ where: { id: parsed.data.todoId, user_id: session.userId } }),
])
revalidatePath('/todos')
@ -125,10 +131,16 @@ export async function promoteTodoToStoryAction(_prevState: unknown, formData: Fo
})
if (!parsed.success) return { error: parsed.error.flatten().fieldErrors }
const todo = await prisma.todo.findFirst({
where: { id: parsed.data.todoId, user_id: session.userId },
})
if (!todo) return { error: 'Todo niet gevonden' }
const pbi = await prisma.pbi.findFirst({
where: { id: parsed.data.pbiId, product: { user_id: session.userId } },
where: { id: parsed.data.pbiId, product: productAccessFilter(session.userId) },
})
if (!pbi) return { error: 'PBI niet gevonden' }
if (todo.product_id !== pbi.product_id) return { error: 'Todo hoort niet bij dit product' }
const last = await prisma.story.findFirst({
where: { pbi_id: parsed.data.pbiId, priority: parsed.data.priority },
@ -139,18 +151,18 @@ export async function promoteTodoToStoryAction(_prevState: unknown, formData: Fo
prisma.story.create({
data: {
pbi_id: parsed.data.pbiId,
product_id: parsed.data.productId,
product_id: pbi.product_id,
title: parsed.data.title,
priority: parsed.data.priority,
sort_order: (last?.sort_order ?? 0) + 1.0,
status: 'OPEN',
},
}),
prisma.todo.delete({ where: { id: parsed.data.todoId } }),
prisma.todo.deleteMany({ where: { id: parsed.data.todoId, user_id: session.userId } }),
])
revalidatePath('/todos')
revalidatePath(`/products/${parsed.data.productId}`)
revalidatePath(`/products/${pbi.product_id}`)
return { success: true }
}