admin/logbuch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.7.6: Bearbeiten/Löschen auf BEO-Mitglieder beschränkt

Browse Source 
Ändern und Löschen eines Eintrags ist nur noch für angemeldete BEOs des Eintrags möglich (Admins dürfen immer). Serverseitige Prüfung via logbuch_beos-Tabelle; clientseitig werden die Aktions-Buttons nur eingeblendet, wenn der User in der BEO-Liste steht.

Außerdem: setState-in-Effect-Linterfehler in LogbuchList behoben (abgeleiteter Loading-State, abgeleitetes Page-Reset via filterKey).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Reinhard X. Fürst
2026-05-17 19:17:00 +02:00
parent d56ebb229d
commit 10c6554276
4 changed files with 49 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/MainClient.tsx
+4
View File
@@ -139,6 +139,8 @@ export default function MainClient({ kuerzel, beoId, beoName, role }: Props) {
kuppel={activeKuppel}
refreshKey={refreshKey}
onEdit={handleEdit}
currentUserKuerzel={kuerzel}
isAdmin={role?.includes('admin') ?? false}
limit={5}
compact
/>
@@ -158,6 +160,8 @@ export default function MainClient({ kuerzel, beoId, beoName, role }: Props) {
kuppel={activeKuppel}
refreshKey={refreshKey}
onEdit={handleEdit}
currentUserKuerzel={kuerzel}
isAdmin={role?.includes('admin') ?? false}
limit={15}
/>
</div>
app/api/logbuch/[id]/route.ts
+8 -10
View File
@@ -11,17 +11,16 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
const logbuchId = parseInt(id);
try {
// Zugriffskontrolle: Nur Ersteller oder Admin dürfen ändern
const existingRows = await query('SELECT created_by FROM logbuch WHERE ID = ?', [logbuchId]) as { created_by: number }[];
const existingRows = await query('SELECT ID FROM logbuch WHERE ID = ?', [logbuchId]) as { ID: number }[];
if (existingRows.length === 0) {
return NextResponse.json({ error: 'Eintrag nicht gefunden' }, { status: 404 });
}
const isAdmin = session.role?.includes('admin');
const createdBy = existingRows[0].created_by;
const isCreator = createdBy === null || createdBy === session.beoId;
const beoRows = await query('SELECT COUNT(*) AS cnt FROM logbuch_beos WHERE LogbuchID = ? AND BeoID = ?', [logbuchId, session.beoId]) as { cnt: number }[];
const isBeo = (beoRows[0]?.cnt ?? 0) > 0;
if (!isAdmin && !isCreator) {
if (!isAdmin && !isBeo) {
return NextResponse.json({ error: 'Keine Berechtigung zum Ändern dieses Eintrags' }, { status: 403 });
}
@@ -84,17 +83,16 @@ export async function DELETE(_request: NextRequest, { params }: { params: Promis
const logbuchId = parseInt(id);
try {
// Zugriffskontrolle: Nur Ersteller oder Admin dürfen löschen
const existingRows = await query('SELECT created_by FROM logbuch WHERE ID = ?', [logbuchId]) as { created_by: number }[];
const existingRows = await query('SELECT ID FROM logbuch WHERE ID = ?', [logbuchId]) as { ID: number }[];
if (existingRows.length === 0) {
return NextResponse.json({ error: 'Eintrag nicht gefunden' }, { status: 404 });
}
const isAdmin = session.role?.includes('admin');
const createdBy = existingRows[0].created_by;
const isCreator = createdBy === null || createdBy === session.beoId;
const beoRows = await query('SELECT COUNT(*) AS cnt FROM logbuch_beos WHERE LogbuchID = ? AND BeoID = ?', [logbuchId, session.beoId]) as { cnt: number }[];
const isBeo = (beoRows[0]?.cnt ?? 0) > 0;
if (!isAdmin && !isCreator) {
if (!isAdmin && !isBeo) {
return NextResponse.json({ error: 'Keine Berechtigung zum Löschen dieses Eintrags' }, { status: 403 });
}