Enable DOMAIN_ADMIN to manage users within their authorized domains

2026-05-14 21:38:31 +03:00
parent b8648fb5f7
commit ede38e80e4
4 changed files with 108 additions and 28 deletions
--- a/app/api/users/[id]/route.ts
+++ b/app/api/users/[id]/route.ts
@@ -7,22 +7,44 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id
  const session = await auth();
  const { id } = await params;

-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
+    // Mevcut kullanıcıyı kontrol et
+    const existingUser = await prisma.user.findUnique({ where: { id } });
+    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });
+
+    // Güvenlik Kontrolü: Domain admin sadece kendi domainindeki kullanıcıyı güncelleyebilir
+    if (userRole !== "SUPER_ADMIN") {
+      const hasAccess = existingUser.domains.some(d => adminDomains.includes(d));
+      if (!hasAccess) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
    const body = await req.json();
    const { name, email, password, role, domains, telegramId } = body;

+    let finalDomains = domains;
+    let finalRole = role;
+
+    // Güvenlik: Domain admin yetki yükseltemez veya domain değiştiremez
+    if (userRole !== "SUPER_ADMIN") {
+      finalDomains = adminDomains; // Kendi domainlerine kilitler
+      finalRole = "DOMAIN_ADMIN";
+    }
+
    const user = await prisma.user.update({
      where: { id },
      data: {
        name,
        email: email?.toLowerCase(),
        password,
-        role,
-        domains,
+        role: finalRole,
+        domains: finalDomains,
        telegramId,
      },
    });
@@ -38,11 +60,23 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
  const session = await auth();
  const { id } = await params;

-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
+    const existingUser = await prisma.user.findUnique({ where: { id } });
+    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });
+
+    // Güvenlik Kontrolü
+    if (userRole !== "SUPER_ADMIN") {
+      const hasAccess = existingUser.domains.some(d => adminDomains.includes(d));
+      if (!hasAccess) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
    await prisma.user.delete({
      where: { id },
    });