Block direct URL navigation to /persons/new, /documents/new, /documents/:id/edit for users without WRITE_ALL permission. E2E tests verify admin user retains access to all write routes. Closes #17 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
import { error, fail, redirect } from '@sveltejs/kit';
import { createApiClient } from '$lib/api.server';
/**
 * Page guard for the "new person" form.
 *
 * Only a user who belongs to at least one group carrying the `WRITE_ALL`
 * permission may open this page; everyone else, including an anonymous
 * visitor (where `locals.user` is unset), receives a 403 error page.
 *
 * NOTE(review): this guards the page *load* only. A direct POST to the form
 * action of this route does not run `load`, so the action needs the same
 * WRITE_ALL check to be enforced server-side.
 */
export async function load({ locals }: { locals: App.Locals }) {
	// A missing user or a user without groups counts as "no groups" -> not allowed.
	const groups: { permissions: string[] }[] = locals.user?.groups ?? [];
	const hasWriteAll = groups.some((group) => group.permissions.includes('WRITE_ALL'));

	if (!hasWriteAll) {
		throw error(403, 'Forbidden');
	}
}
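/**
 * Form action that creates a new person through the backend API.
 *
 * The WRITE_ALL check from `load` is repeated here on purpose: `load` only
 * guards rendering the page, whereas a POST to this action can be sent
 * directly (curl, a stale tab, a crafted form) without `load` ever running.
 * Without this check the route is only "hidden", not protected, unless the
 * backend enforces the permission independently — which this file cannot
 * verify.
 *
 * Outcomes:
 * - 403 error page when the caller lacks WRITE_ALL;
 * - `fail(400)` when first or last name is missing (German user-facing text);
 * - `fail(<upstream status>)` with a generic message when the API rejects
 *   the request (backend error details are deliberately not surfaced);
 * - `fail(502)` when the API answers 2xx but returns no person id;
 * - 303 redirect to the created person's page on success.
 */
export const actions = {
	default: async ({ request, fetch, locals }) => {
		// Same authorization rule as `load`; enforced here because a direct POST
		// bypasses `load` entirely.
		const canWrite =
			locals.user?.groups?.some((g: { permissions: string[] }) =>
				g.permissions.includes('WRITE_ALL')
			) ?? false;
		if (!canWrite) throw error(403, 'Forbidden');

		const formData = await request.formData();
		const firstName = formData.get('firstName')?.toString().trim();
		const lastName = formData.get('lastName')?.toString().trim();
		// An empty alias is treated as "not provided" so the API never receives "".
		const alias = formData.get('alias')?.toString().trim() || undefined;

		if (!firstName || !lastName) {
			return fail(400, { error: 'Vor- und Nachname sind Pflichtfelder.' });
		}

		const api = createApiClient(fetch);
		const result = await api.POST('/api/persons', {
			body: { firstName, lastName, ...(alias ? { alias } : {}) }
		});

		if (!result.response.ok) {
			// Generic message on purpose: upstream error bodies are not shown to the user.
			return fail(result.response.status, { error: 'Person konnte nicht gespeichert werden.' });
		}

		// Do not dereference `result.data!.id`: a 2xx without a body would otherwise
		// surface as an unhandled TypeError (500) instead of a controlled failure.
		const id = result.data?.id;
		if (id === undefined || id === null) {
			return fail(502, { error: 'Person konnte nicht gespeichert werden.' });
		}

		throw redirect(303, `/persons/${id}`);
	}
};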