fix(staples): add role guard — only planer role can toggle staples

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/household/staples/+server.ts

@@ -2,7 +2,11 @@ import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { apiClient } from '$lib/server/api';
 
-export const PATCH: RequestHandler = async ({ request, fetch }) => {
+export const PATCH: RequestHandler = async ({ request, fetch, locals }) => {
+	if (locals.benutzer?.rolle !== 'planer') {
+		return json({ error: 'Forbidden' }, { status: 403 });
+	}
+
 	const body = await request.json();
 	const { id, isStaple } = body;
 

frontend/src/routes/household/staples/server.test.ts

@@ -18,12 +18,13 @@ describe('household staples PATCH handler', () => {
 		PATCH = mod.PATCH;
 	});
 
-	function createRequest(body: object) {
+	function createRequest(body: object, rolle: 'planer' | 'mitglied' = 'planer') {
 		return {
 			request: {
 				json: () => Promise.resolve(body)
 			},
-			fetch: vi.fn()
+			fetch: vi.fn(),
+			locals: { benutzer: { rolle } }
 		} as any;
 	}
 
@@ -76,6 +77,13 @@ describe('household staples PATCH handler', () => {
 		expect(mockPatch).not.toHaveBeenCalled();
 	});
 
+	it('returns 403 when caller has mitglied role', async () => {
+		const response = await PATCH(createRequest({ id: 'ing-1', isStaple: true }, 'mitglied'));
+
+		expect(response.status).toBe(403);
+		expect(mockPatch).not.toHaveBeenCalled();
+	});
+
 	it('returns 400 when isStaple is not a boolean', async () => {
 		const response = await PATCH(createRequest({ id: 'ing-1', isStaple: 'yes' }));