import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/auth";
import { prisma } from "@/lib/prisma";
// PATCH /api/users/[id] — update a user
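/**
 * PATCH /api/users/[id] — update a user.
 *
 * Authorization rules enforced here:
 * - Caller must be signed in (401 otherwise).
 * - A SUPER_ADMIN may update any user and set `role`/`domains` freely.
 * - Any other caller (domain admin) may only update a user that shares at
 *   least one of the caller's domains, may never touch a SUPER_ADMIN target,
 *   and has `role` forced to "DOMAIN_ADMIN" and `domains` forced to the
 *   caller's own domains so they cannot escalate or move users across domains.
 *
 * Body fields (all optional): name, email, password, role, domains, telegramId.
 * Any other field in the body is ignored (no mass assignment).
 *
 * @param req    Incoming request; its JSON body carries the fields to update.
 * @param params Route params; `id` is the target user id.
 * @returns The updated user without its `password` column, or an error JSON
 *          with status 400/401/403/404/500.
 */
export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await auth();
  const { id } = await params;
  if (!session) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  const userRole = session.user.role;
  const adminDomains = session.user.domains ?? [];
  const isSuperAdmin = userRole === "SUPER_ADMIN";

  // Parse and type-check the untrusted body before touching the database, so a
  // malformed request is a 400 rather than a 500 thrown out of Prisma/toLowerCase.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
  }
  if (!isPlainRecord(body)) {
    return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
  }
  // Destructuring only the known fields is what keeps unknown body keys out of the update.
  const { name, email, password, role, domains, telegramId } = body;
  if (
    !isTextOrNullish(name) ||
    !isTextOrNullish(email) ||
    !isTextOrNullish(password) ||
    !isTextOrNullish(telegramId) ||
    (role !== undefined && typeof role !== "string") ||
    (domains !== undefined && !isStringArray(domains))
  ) {
    return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
  }
  // NOTE(review): `password` is persisted exactly as received here. Confirm it is
  // hashed elsewhere (e.g. a Prisma extension/middleware) before this lands in the DB.

  try {
    const existingUser = await prisma.user.findUnique({ where: { id } });
    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });

    if (!isSuperAdmin) {
      // A domain admin may only manage users inside one of their own domains...
      const sharesDomain = existingUser.domains.some((d) => adminDomains.includes(d));
      if (!sharesDomain) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
      // ...and never a SUPER_ADMIN: the forced role/domains below would otherwise let a
      // domain admin demote a higher-privileged account and overwrite its credentials.
      if (existingUser.role === "SUPER_ADMIN") {
        return NextResponse.json({ error: "Forbidden" }, { status: 403 });
      }
    }

    // Domain admins cannot escalate roles or move users across domains: lock both to
    // the caller's own scope. Note this assigns the caller's *entire* domain list, not
    // just the overlap with the target's current domains (existing behaviour).
    const finalRole = isSuperAdmin ? role : "DOMAIN_ADMIN";
    const finalDomains = isSuperAdmin ? domains : adminDomains;

    const updated = await prisma.user.update({
      where: { id },
      data: {
        name,
        email: email?.toLowerCase(),
        password,
        role: finalRole,
        domains: finalDomains,
        telegramId,
      },
    });
    // Never echo the stored password (hash or otherwise) back to the client.
    const { password: _storedPassword, ...publicUser } = updated;
    return NextResponse.json(publicUser);
  } catch (error: unknown) {
    // Log the real cause server-side; Prisma messages expose schema/constraint
    // details that should not reach the client.
    console.error(`PATCH /api/users/${id} failed`, error);
    return NextResponse.json({ error: "Internal Server Error" }, { status: 500 });
  }
}

/** True when `value` is a non-null, non-array object (a JSON object literal). */
function isPlainRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

/** True for `undefined`, `null` or a string — the only shapes accepted for text fields. */
function isTextOrNullish(value: unknown): value is string | null | undefined {
  return value === undefined || value === null || typeof value === "string";
}

/** True when `value` is an array whose every element is a string. */
function isStringArray(value: unknown): value is string[] {
  return Array.isArray(value) && value.every((item) => typeof item === "string");
}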
// DELETE /api/users/[id] — delete a user
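/**
 * DELETE /api/users/[id] — delete a user.
 *
 * Authorization rules enforced here:
 * - Caller must be signed in (401 otherwise).
 * - A SUPER_ADMIN may delete any user.
 * - Any other caller (domain admin) may only delete a user that shares at
 *   least one of the caller's domains, and never a SUPER_ADMIN target.
 *
 * @param req    Incoming request (unused; kept for the route-handler signature).
 * @param params Route params; `id` is the target user id.
 * @returns `{ status: "ok" }` on success, or an error JSON with status
 *          401/403/404/500.
 */
export async function DELETE(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await auth();
  const { id } = await params;
  if (!session) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  const userRole = session.user.role;
  const adminDomains = session.user.domains ?? [];
  // NOTE(review): nothing here prevents a caller from deleting their own account;
  // compare `id` with the session user's id if that should be rejected.

  try {
    const existingUser = await prisma.user.findUnique({ where: { id } });
    if (!existingUser) return NextResponse.json({ error: "User not found" }, { status: 404 });

    if (userRole !== "SUPER_ADMIN") {
      // A domain admin may only manage users inside one of their own domains...
      const sharesDomain = existingUser.domains.some((d) => adminDomains.includes(d));
      if (!sharesDomain) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
      // ...and must not be able to remove a higher-privileged SUPER_ADMIN account.
      if (existingUser.role === "SUPER_ADMIN") {
        return NextResponse.json({ error: "Forbidden" }, { status: 403 });
      }
    }

    await prisma.user.delete({ where: { id } });
    return NextResponse.json({ status: "ok" });
  } catch (error: unknown) {
    // Log the real cause server-side; do not forward Prisma error text to the client.
    console.error(`DELETE /api/users/${id} failed`, error);
    return NextResponse.json({ error: "Internal Server Error" }, { status: 500 });
  }
}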