admin/logbuch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.6.1: Sicherheit – Rate Limiting, Default-PW via Env, AUTH_SECRET Pflicht, Bcrypt 12

Browse Source
This commit is contained in:
Reinhard X. Fürst
2026-05-11 13:26:51 +02:00
parent 0ea960259c
commit 9bea0a11de
33 changed files with 991 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/logbuch/[id]/route.ts
+28 -1
View File
@@ -11,6 +11,19 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
const logbuchId = parseInt(id);
try {
// Zugriffskontrolle: Nur Ersteller oder Admin dürfen ändern
const existingRows = await query('SELECT created_by FROM logbuch WHERE ID = ?', [logbuchId]) as { created_by: number }[];
if (existingRows.length === 0) {
return NextResponse.json({ error: 'Eintrag nicht gefunden' }, { status: 404 });
}
const isAdmin = session.role?.includes('admin');
const isCreator = existingRows[0].created_by === session.beoId;
if (!isAdmin && !isCreator) {
return NextResponse.json({ error: 'Keine Berechtigung zum Ändern dieses Eintrags' }, { status: 403 });
}
const body = await request.json();
const { Kuppel, ArtFuehrung, SonderName, Beginn, Ende, Besucher, beoIds, objekte, Bemerkungen, Wetter } = body;
@@ -67,9 +80,23 @@ export async function DELETE(_request: NextRequest, { params }: { params: Promis
if (!session) return NextResponse.json({ error: 'Nicht angemeldet' }, { status: 401 });
const { id } = await params;
const logbuchId = parseInt(id);
try {
await query('DELETE FROM logbuch WHERE ID = ?', [parseInt(id)]);
// Zugriffskontrolle: Nur Ersteller oder Admin dürfen löschen
const existingRows = await query('SELECT created_by FROM logbuch WHERE ID = ?', [logbuchId]) as { created_by: number }[];
if (existingRows.length === 0) {
return NextResponse.json({ error: 'Eintrag nicht gefunden' }, { status: 404 });
}
const isAdmin = session.role?.includes('admin');
const isCreator = existingRows[0].created_by === session.beoId;
if (!isAdmin && !isCreator) {
return NextResponse.json({ error: 'Keine Berechtigung zum Löschen dieses Eintrags' }, { status: 403 });
}
await query('DELETE FROM logbuch WHERE ID = ?', [logbuchId]);
return NextResponse.json({ ok: true });
} catch (error) {
console.error('DELETE /api/logbuch/[id]:', error);
app/api/logbuch/route.ts
+2
View File
@@ -23,6 +23,8 @@ const LIST_SQL =
' ORDER BY l.Beginn DESC';
export async function GET(request: NextRequest) {
const session = await getSession();
if (!session) return NextResponse.json({ error: 'Nicht angemeldet' }, { status: 401 });
const { searchParams } = new URL(request.url);
const kuppel = searchParams.get('kuppel') || 'West';
const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100);
app/api/statistik/route.ts
+4
View File
@@ -1,7 +1,11 @@
import { NextRequest, NextResponse } from 'next/server';
import { query } from '@/lib/db';
import { getSession } from '@/lib/session';
export async function GET(request: NextRequest) {
const session = await getSession();
if (!session) return NextResponse.json({ error: 'Nicht angemeldet' }, { status: 401 });
const { searchParams } = new URL(request.url);
const kuppel = searchParams.get('kuppel') || 'West';
const year = parseInt(searchParams.get('year') || String(new Date().getFullYear()), 10);