fix: allow users to update their own profile data

2026-03-03 17:30:36 -03:00
parent 20bdf510fd
commit 8e69348da9
1 changed files with 15 additions and 3 deletions
--- a/backend/index.js
+++ b/backend/index.js
@@ -329,18 +329,30 @@ apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (
  }
 });

-apiRouter.put('/users/:id', requireRole(['admin', 'owner', 'manager', 'super_admin']), async (req, res) => {
+apiRouter.put('/users/:id', async (req, res) => {
  const { name, bio, role, team_id, status } = req.body;
  try {
-    const [existing] = await pool.query('SELECT tenant_id FROM users WHERE id = ?', [req.params.id]);
+    const [existing] = await pool.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
    if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
+    
+    const isSelf = req.user.id === req.params.id;
+    const isManagerOrAdmin = ['admin', 'owner', 'manager', 'super_admin'].includes(req.user.role);
+
+    if (!isSelf && !isManagerOrAdmin) {
+      return res.status(403).json({ error: 'Acesso negado.' });
+    }
+
    if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
      return res.status(403).json({ error: 'Acesso negado.' });
    }

+    const finalRole = isManagerOrAdmin && role !== undefined ? role : existing[0].role;
+    const finalTeamId = isManagerOrAdmin && team_id !== undefined ? team_id : existing[0].team_id;
+    const finalStatus = isManagerOrAdmin && status !== undefined ? status : existing[0].status;
+
    await pool.query(
      'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
-      [name, bio, role, team_id || null, status, req.params.id]
+      [name || existing[0].name, bio !== undefined ? bio : existing[0].bio, finalRole, finalTeamId || null, finalStatus, req.params.id]
    );
    res.json({ message: 'User updated successfully.' });
  } catch (error) {