Enable DOMAIN_ADMIN to manage users within their authorized domains

2026-05-14 21:38:31 +03:00
parent b8648fb5f7
commit ede38e80e4
4 changed files with 108 additions and 28 deletions
--- a/app/api/users/[id]/route.ts
+++ b/app/api/users/[id]/route.ts
@@ -7,22 +7,44 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id
  const session = await auth();
  const { id } = await params;

-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
+    // Mevcut kullanıcıyı kontrol et
+    const existingUser = await prisma.user.findUnique({ where: { id } });
+    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });
+
+    // Güvenlik Kontrolü: Domain admin sadece kendi domainindeki kullanıcıyı güncelleyebilir
+    if (userRole !== "SUPER_ADMIN") {
+      const hasAccess = existingUser.domains.some(d => adminDomains.includes(d));
+      if (!hasAccess) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
    const body = await req.json();
    const { name, email, password, role, domains, telegramId } = body;

+    let finalDomains = domains;
+    let finalRole = role;
+
+    // Güvenlik: Domain admin yetki yükseltemez veya domain değiştiremez
+    if (userRole !== "SUPER_ADMIN") {
+      finalDomains = adminDomains; // Kendi domainlerine kilitler
+      finalRole = "DOMAIN_ADMIN";
+    }
+
    const user = await prisma.user.update({
      where: { id },
      data: {
        name,
        email: email?.toLowerCase(),
        password,
-        role,
-        domains,
+        role: finalRole,
+        domains: finalDomains,
        telegramId,
      },
    });
@@ -38,11 +60,23 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
  const session = await auth();
  const { id } = await params;

-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
+    const existingUser = await prisma.user.findUnique({ where: { id } });
+    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });
+
+    // Güvenlik Kontrolü
+    if (userRole !== "SUPER_ADMIN") {
+      const hasAccess = existingUser.domains.some(d => adminDomains.includes(d));
+      if (!hasAccess) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
    await prisma.user.delete({
      where: { id },
    });
--- a/app/api/users/route.ts
+++ b/app/api/users/route.ts
@@ -5,13 +5,30 @@ import { prisma } from "@/lib/prisma";
 // GET /api/users — list all users
 export async function GET() {
  const session = await auth();
-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

-  const users = await prisma.user.findMany({
-    orderBy: { createdAt: "asc" },
-  });
+  const userRole = session.user.role;
+  const userDomains = session.user.domains || [];
+
+  let users;
+  if (userRole === "SUPER_ADMIN") {
+    // Super admin her şeyi görür
+    users = await prisma.user.findMany({
+      orderBy: { createdAt: "asc" },
+    });
+  } else {
+    // Domain admin sadece kendi domainlerine dokunan kullanıcıları görür
+    users = await prisma.user.findMany({
+      where: {
+        domains: {
+          hasSome: userDomains
+        }
+      },
+      orderBy: { createdAt: "asc" },
+    });
+  }

  return NextResponse.json(users);
 }
@@ -19,21 +36,34 @@ export async function GET() {
 // POST /api/users — create a new user
 export async function POST(req: NextRequest) {
  const session = await auth();
-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
    const body = await req.json();
    const { name, email, password, role, domains, telegramId } = body;

+    let finalDomains = domains || [];
+    let finalRole = role || "DOMAIN_ADMIN";
+
+    // Güvenlik: Domain admin yetkisini aşamaz
+    if (userRole !== "SUPER_ADMIN") {
+      // Eğer domain admin ise, yeni kullanıcıya sadece kendi domainlerini verebilir
+      finalDomains = adminDomains;
+      finalRole = "DOMAIN_ADMIN"; // Başka bir super admin oluşturamaz
+    }
+
    const user = await prisma.user.create({
      data: {
        name,
        email: email.toLowerCase(),
        password,
-        role: role || "DOMAIN_ADMIN",
-        domains: domains || [],
+        role: finalRole,
+        domains: finalDomains,
        telegramId,
      },
    });