Enable DOMAIN_ADMIN to manage users within their authorized domains

2026-05-14 21:38:31 +03:00
parent b8648fb5f7
commit ede38e80e4
4 changed files with 108 additions and 28 deletions
--- a/app/api/users/route.ts
+++ b/app/api/users/route.ts
@@ -5,13 +5,30 @@ import { prisma } from "@/lib/prisma";
 // GET /api/users — list all users
 export async function GET() {
  const session = await auth();
-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

-  const users = await prisma.user.findMany({
-    orderBy: { createdAt: "asc" },
-  });
+  const userRole = session.user.role;
+  const userDomains = session.user.domains || [];
+
+  let users;
+  if (userRole === "SUPER_ADMIN") {
+    // Super admin her şeyi görür
+    users = await prisma.user.findMany({
+      orderBy: { createdAt: "asc" },
+    });
+  } else {
+    // Domain admin sadece kendi domainlerine dokunan kullanıcıları görür
+    users = await prisma.user.findMany({
+      where: {
+        domains: {
+          hasSome: userDomains
+        }
+      },
+      orderBy: { createdAt: "asc" },
+    });
+  }

  return NextResponse.json(users);
 }
@@ -19,21 +36,34 @@ export async function GET() {
 // POST /api/users — create a new user
 export async function POST(req: NextRequest) {
  const session = await auth();
-  if (!session || session.user.role !== "SUPER_ADMIN") {
-    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

+  const userRole = session.user.role;
+  const adminDomains = session.user.domains || [];
+
  try {
    const body = await req.json();
    const { name, email, password, role, domains, telegramId } = body;

+    let finalDomains = domains || [];
+    let finalRole = role || "DOMAIN_ADMIN";
+
+    // Güvenlik: Domain admin yetkisini aşamaz
+    if (userRole !== "SUPER_ADMIN") {
+      // Eğer domain admin ise, yeni kullanıcıya sadece kendi domainlerini verebilir
+      finalDomains = adminDomains;
+      finalRole = "DOMAIN_ADMIN"; // Başka bir super admin oluşturamaz
+    }
+
    const user = await prisma.user.create({
      data: {
        name,
        email: email.toLowerCase(),
        password,
-        role: role || "DOMAIN_ADMIN",
-        domains: domains || [],
+        role: finalRole,
+        domains: finalDomains,
        telegramId,
      },
    });