From 8e69348da9b8cfb5c8940378e18b7b1e788fdc28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cau=C3=AA=20Faleiros?=
Date: Tue, 3 Mar 2026 17:30:36 -0300
Subject: [PATCH] fix: allow users to update their own profile data
---
 backend/index.js | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/backend/index.js b/backend/index.js
index 569ebcc..37a400c 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -329,18 +329,30 @@ apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (
 }
 });
-apiRouter.put('/users/:id', requireRole(['admin', 'owner', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/users/:id', async (req, res) => {
 const { name, bio, role, team_id, status } = req.body;
 try {
- const [existing] = await pool.query('SELECT tenant_id FROM users WHERE id = ?', [req.params.id]);
+ const [existing] = await pool.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
 if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
+
+ const isSelf = req.user.id === req.params.id;
+ const isManagerOrAdmin = ['admin', 'owner', 'manager', 'super_admin'].includes(req.user.role);
+
+ if (!isSelf && !isManagerOrAdmin) {
+ return res.status(403).json({ error: 'Acesso negado.' });
+ }
+
 if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
 return res.status(403).json({ error: 'Acesso negado.' });
 }
+ const finalRole = isManagerOrAdmin && role !== undefined ? role : existing[0].role;
+ const finalTeamId = isManagerOrAdmin && team_id !== undefined ? team_id : existing[0].team_id;
+ const finalStatus = isManagerOrAdmin && status !== undefined ? status : existing[0].status;
+
 await pool.query(
 'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
- [name, bio, role, team_id || null, status, req.params.id]
+ [name || existing[0].name, bio !== undefined ? bio : existing[0].bio, finalRole, finalTeamId || null, finalStatus, req.params.id]
 );
 res.json({ message: 'User updated successfully.' });
 } catch (error) {
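Review bot: The `finalRole` line accepts any `role` value from the body for every caller in `isManagerOrAdmin`, so a `manager` or `admin` can set any user in their tenant — including themselves, since `isSelf` and `isManagerOrAdmin` can both be true on the same request — to `owner` or `super_admin`, and the commit leaves the assignable roles unbounded. A minimal guard before the `UPDATE` would be `if (role !== undefined && role !== existing[0].role && (isSelf || (['owner', 'super_admin'].includes(role) && req.user.role !== 'super_admin'))) return res.status(403).json({ error: 'Acesso negado.' });`, with the exact ordering of roles taken from the project's role model, which is not visible here. Separately, `isSelf` compares `req.params.id` (always a string in Express) to `req.user.id` with `===`; if the token carries a numeric id that check is always false and non-privileged users still get 403, so compare `String(req.user.id) === req.params.id`. The widened `SELECT *` now loads every column of the user row (which on a users table presumably includes credential material) when only `tenant_id`, `name`, `bio`, `role`, `team_id` and `status` are read, so listing those columns keeps the query minimal. The handler's `catch` body continues outside the hunk.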