tomchukk/mamad-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1.1.4 - updated user modals

Browse Source
This commit is contained in:
Tom Ruff
2026-01-16 23:44:13 +02:00
parent a5e9072b9d
commit 458a78795d
16 changed files with 288 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
app/api/admin/add-user/route.ts
View File

@@ -21,44 +21,52 @@ export async function POST(request: NextRequest) {
const { name, isAdmin, field, department, team, role } = await request.json()
// Input validation
if (!name || !field || !department || !team) {
return NextResponse.json({ error: "נתונים חסרים" }, { status: 400 })
if (!name || !field) {
return NextResponse.json({ error: "Invalid name or field." }, { status: 400 })
}
// Validate department, team, and field against managed types
// Validate field against managed types
if (!(await hasManagedType("field", field))) {
return NextResponse.json({ error: "Invalid field." }, { status: 400 })
}
if (!(await hasManagedType("department", department))) {
const normalizedDepartment = typeof department === "string" && department.trim() ? department.trim() : null
if (normalizedDepartment && !(await hasManagedType("department", normalizedDepartment))) {
return NextResponse.json({ error: "Invalid department." }, { status: 400 })
}
if (!(await hasManagedType("team", team))) {
const normalizedTeam = typeof team === "string" && team.trim() ? team.trim() : null
if (normalizedTeam && !(await hasManagedType("team", normalizedTeam))) {
return NextResponse.json({ error: "Invalid team." }, { status: 400 })
}
const fieldRows = (await safeQuery("SELECT id FROM managed_types WHERE type = 'field' AND name = ?", [
field,
])) as Array<{ id: number }>
const departmentRows = (await safeQuery(
"SELECT id, parent_id AS parentId FROM managed_types WHERE type = 'department' AND name = ?",
[department],
)) as Array<{ id: number; parentId: number | null }>
const teamRows = (await safeQuery(
"SELECT id, parent_id AS parentId FROM managed_types WHERE type = 'team' AND name = ?",
[team],
)) as Array<{ id: number; parentId: number | null }>
const departmentRows = normalizedDepartment
? ((await safeQuery(
"SELECT id, parent_id AS parentId FROM managed_types WHERE type = 'department' AND name = ?",
[normalizedDepartment],
)) as Array<{ id: number; parentId: number | null }>)
: []
const teamRows = normalizedTeam
? ((await safeQuery(
"SELECT id, parent_id AS parentId FROM managed_types WHERE type = 'team' AND name = ?",
[normalizedTeam],
)) as Array<{ id: number; parentId: number | null }>)
: []
if (fieldRows.length === 0 || departmentRows.length === 0 || teamRows.length === 0) {
if (fieldRows.length === 0 || (normalizedDepartment && departmentRows.length === 0) || (normalizedTeam && teamRows.length === 0)) {
return NextResponse.json({ error: "Invalid field, department, or team." }, { status: 400 })
}
if (departmentRows[0].parentId !== fieldRows[0].id) {
if (normalizedDepartment && departmentRows[0].parentId !== fieldRows[0].id) {
return NextResponse.json({ error: "Department does not belong to field." }, { status: 400 })
}
if (teamRows[0].parentId !== departmentRows[0].id) {
if (normalizedTeam && normalizedDepartment && teamRows[0].parentId !== departmentRows[0].id) {
return NextResponse.json({ error: "Team does not belong to department." }, { status: 400 })
}
@@ -68,7 +76,21 @@ export async function POST(request: NextRequest) {
const userRole: UserRole = (role as UserRole) || (isAdmin ? "global_admin" : "user")
if (!validRoles.includes(userRole)) {
return NextResponse.json({ error: "תפקיד לא תקין" }, { status: 400 })
return NextResponse.json({ error: "Invalid role." }, { status: 400 })
}
if (userRole === "field_admin") {
if (!field || normalizedDepartment || normalizedTeam) {
return NextResponse.json({ error: "Field admins must have a field only." }, { status: 400 })
}
} else if (userRole === "department_admin") {
if (!field || !normalizedDepartment || normalizedTeam) {
return NextResponse.json({ error: "Department admins must have field + department only." }, { status: 400 })
}
} else if (userRole === "team_admin" || userRole === "user") {
if (!field || !normalizedDepartment || !normalizedTeam) {
return NextResponse.json({ error: "Team/users require field, department, and team." }, { status: 400 })
}
}
// Generate unique Login ID
@@ -80,7 +102,7 @@ export async function POST(request: NextRequest) {
await safeQuery(
"INSERT INTO users (national_id, password, name, is_admin, role, must_change_password, field, department, team) VALUES (?, ?, ?, ?, ?, TRUE, ?, ?, ?)",
[nationalId, hashedPassword, name, isAdmin, userRole, field, department, team],
[nationalId, hashedPassword, name, isAdmin, userRole, field, normalizedDepartment, normalizedTeam],
)
return NextResponse.json({