From 45b7e7b003994a5e0634ab21f7000c11bf2fa661 Mon Sep 17 00:00:00 2001
From: Marcel Raddatz
Date: Fri, 3 Apr 2026 09:25:40 +0200
Subject: [PATCH] =?UTF-8?q?fix(staples):=20add=20role=20guard=20=E2=80=94?=
 =?UTF-8?q?=20only=20planer=20role=20can=20toggle=20staples?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/routes/household/staples/+server.ts     | 6 +++++-
 frontend/src/routes/household/staples/server.test.ts | 12 ++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/frontend/src/routes/household/staples/+server.ts b/frontend/src/routes/household/staples/+server.ts
index 11ac42f..ebc3f3a 100644
--- a/frontend/src/routes/household/staples/+server.ts
+++ b/frontend/src/routes/household/staples/+server.ts
@@ -2,7 +2,11 @@ import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { apiClient } from '$lib/server/api';
 
-export const PATCH: RequestHandler = async ({ request, fetch }) => {
+export const PATCH: RequestHandler = async ({ request, fetch, locals }) => {
+	if (locals.benutzer?.rolle !== 'planer') {
+		return json({ error: 'Forbidden' }, { status: 403 });
+	}
+
 	const body = await request.json();
 	const { id, isStaple } = body;
 
diff --git a/frontend/src/routes/household/staples/server.test.ts b/frontend/src/routes/household/staples/server.test.ts
index 10b3c04..0490cf5 100644
--- a/frontend/src/routes/household/staples/server.test.ts
+++ b/frontend/src/routes/household/staples/server.test.ts
@@ -18,12 +18,13 @@ describe('household staples PATCH handler', () => {
 		PATCH = mod.PATCH;
 	});
 
-	function createRequest(body: object) {
+	function createRequest(body: object, rolle: 'planer' | 'mitglied' = 'planer') {
 		return {
 			request: { json: () => Promise.resolve(body) },
-			fetch: vi.fn()
+			fetch: vi.fn(),
+			locals: { benutzer: { rolle } }
 		} as any;
 	}
 
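Review bot: The guard `if (locals.benutzer?.rolle !== 'planer')` answers 403 both for a caller with another role and for a request where `locals.benutzer` is absent, so an unauthenticated client cannot tell "log in" from "not allowed"; unless the hooks already reject unauthenticated requests before this handler runs, a preceding `if (!locals.benutzer) return json({ error: 'Unauthorized' }, { status: 401 });` would keep the two cases distinct. The role literal 'planer' is now spelled out here and again in the test's `rolle` union, and a shared role type or constant would keep the two from drifting apart. This check sits in the SvelteKit proxy layer in front of apiClient; the backend it forwards to should enforce the same authorization itself, since it is presumably reachable by other clients (not visible in this hunk). Rejecting before `request.json()` is the right order, and a comment such as `// Only the planer role may toggle staples; reject before parsing the body` would make that intent explicit. The body of PATCH continues outside the hunk.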
@@ -76,6 +77,13 @@ describe('household staples PATCH handler', () => {
 		expect(mockPatch).not.toHaveBeenCalled();
 	});
 
+	it('returns 403 when caller has mitglied role', async () => {
+		const response = await PATCH(createRequest({ id: 'ing-1', isStaple: true }, 'mitglied'));
+
+		expect(response.status).toBe(403);
+		expect(mockPatch).not.toHaveBeenCalled();
+	});
+
 	it('returns 400 when isStaple is not a boolean', async () => {
 		const response = await PATCH(createRequest({ id: 'ing-1', isStaple: 'yes' }));