fix: admin-navigatie zichtbaar voor ADMIN-rol gebruikers

- requireAdmin() checkt nu de database i.p.v. session.isAdmin (was altijd undefined) - loginAction stelt session.isAdmin in op basis van UserRole in de DB - registerAction stelt session.isAdmin = false expliciet in - NavBar toont 'Admin'-link conditioneel als roles.includes('ADMIN') - UserMenu ROLE_LABELS uitgebreid met ADMIN → 'Admin' - Tests aangepast: prismaUserRole.findFirst mock toegevoegd Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 20:26:54 +02:00 · 2026-05-05 20:26:54 +02:00 · fbf58d4e44
commit fbf58d4e44
parent c3f10cccce
6 changed files with 26 additions and 2 deletions
--- a/tests/actions/auth.test.ts
+++ b/tests/actions/auth.test.ts
@ -7,6 +7,7 @@ const {
  sessionSaveMock,
  requireSessionMock,
  prismaUserUpdateMock,
+  prismaUserRoleFindFirstMock,
 } = vi.hoisted(() => ({
  redirectMock: vi.fn((path: string) => { throw new Error(`REDIRECT:${path}`) }),
  verifyUserMock: vi.fn(),
@ -14,6 +15,7 @@ const {
  sessionSaveMock: vi.fn(),
  requireSessionMock: vi.fn(),
  prismaUserUpdateMock: vi.fn(),
+  prismaUserRoleFindFirstMock: vi.fn().mockResolvedValue(null),
 }))

 vi.mock('next/navigation', () => ({ redirect: redirectMock }))
@ -36,7 +38,10 @@ vi.mock('@/lib/auth', () => ({
 }))
 vi.mock('@/lib/auth-guard', () => ({ requireSession: requireSessionMock }))
 vi.mock('@/lib/prisma', () => ({
-  prisma: { user: { update: prismaUserUpdateMock } },
+  prisma: {
+    user: { update: prismaUserUpdateMock },
+    userRole: { findFirst: prismaUserRoleFindFirstMock },
+  },
 }))
 vi.mock('@/lib/rate-limit', () => ({ checkRateLimit: vi.fn().mockReturnValue(true) }))

@ -60,6 +65,7 @@ beforeEach(() => {
  sessionSaveMock.mockReset()
  requireSessionMock.mockReset()
  prismaUserUpdateMock.mockReset()
+  prismaUserRoleFindFirstMock.mockResolvedValue(null)
 })

 describe('loginAction UA-redirect', () => {
--- a/tests/lib/auth-guard.test.ts
+++ b/tests/lib/auth-guard.test.ts
@ -3,10 +3,14 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
 const getSessionMock = vi.fn()
 const isPairedSessionExpiredMock = vi.fn()
 const redirectMock = vi.fn(() => { throw new Error('REDIRECT_CALLED') })
+const prismaUserRoleFindFirstMock = vi.fn()

 vi.mock('@/lib/auth', () => ({ getSession: getSessionMock }))
 vi.mock('@/lib/auth/pairing', () => ({ isPairedSessionExpired: isPairedSessionExpiredMock }))
 vi.mock('next/navigation', () => ({ redirect: redirectMock }))
+vi.mock('@/lib/prisma', () => ({
+  prisma: { userRole: { findFirst: prismaUserRoleFindFirstMock } },
+}))

 describe('requireSession', () => {
  beforeEach(() => {
--- a/actions/auth.ts
+++ b/actions/auth.ts
@ -47,6 +47,7 @@ export async function registerAction(_prevState: unknown, formData: FormData) {
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
  session.userId = result.user!.id
  session.isDemo = false
+  session.isAdmin = false
  await session.save()

  redirect('/dashboard')
@ -72,9 +73,13 @@ export async function loginAction(_prevState: unknown, formData: FormData) {
    return { error: 'Onjuiste gebruikersnaam of wachtwoord' }
  }

+  const adminRole = await prisma.userRole.findFirst({
+    where: { user_id: user.id, role: 'ADMIN' },
+  })
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
  session.userId = user.id
  session.isDemo = user.is_demo
+  session.isAdmin = !!adminRole
  await session.save()

  // PBI-11 / ST-1135: telefoon-UA's krijgen de mobile-shell.
--- a/components/shared/nav-bar.tsx
+++ b/components/shared/nav-bar.tsx
@ -142,6 +142,7 @@ export function NavBar({
          {navLink('/insights', 'Insights', pathname.startsWith('/insights'))}
          {navLink('/ideas', 'Ideeën', pathname.startsWith('/ideas'))}
          {navLink('/todos', "Todo's", pathname.startsWith('/todos'))}
+          {roles.includes('ADMIN') && navLink('/admin', 'Admin', pathname.startsWith('/admin'))}
        </nav>
      </div>

--- a/components/shared/user-menu.tsx
+++ b/components/shared/user-menu.tsx
@ -20,6 +20,7 @@ const ROLE_LABELS: Record<string, string> = {
  PRODUCT_OWNER: 'Product Owner',
  SCRUM_MASTER: 'Scrum Master',
  DEVELOPER: 'Developer',
+  ADMIN: 'Admin',
 }

 interface UserMenuProps {
--- a/lib/auth-guard.ts
+++ b/lib/auth-guard.ts
@ -1,6 +1,7 @@
 import { redirect } from 'next/navigation'
 import { getSession } from '@/lib/auth'
 import { isPairedSessionExpired } from '@/lib/auth/pairing'
+import { prisma } from '@/lib/prisma'

 /**
 * Layout-side auth guard. Returns the session when valid; otherwise redirects
@ -25,7 +26,13 @@ export async function requireSession() {

 export async function requireAdmin() {
  const session = await getSession()
-  if (!session.userId || !session.isAdmin) {
+  if (!session.userId) {
+    redirect('/dashboard')
+  }
+  const adminRole = await prisma.userRole.findFirst({
+    where: { user_id: session.userId, role: 'ADMIN' },
+  })
+  if (!adminRole) {
    redirect('/dashboard')
  }
  return session