blyzer/fasto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: allow users to update their own profile data
All checks were successful
Build and Deploy / build-and-push (push) Successful in 1m0s
Details

Browse Source
This commit is contained in:
Cauê Faleiros
2026-03-03 17:30:36 -03:00
parent 20bdf510fd
commit 8e69348da9
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
backend/index.js
View File

@@ -329,18 +329,30 @@ apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (
} }
}); });
apiRouter.put('/users/:id', requireRole(['admin', 'owner', 'manager', 'super_admin']), async (req, res) => { apiRouter.put('/users/:id', async (req, res) => {
const { name, bio, role, team_id, status } = req.body; const { name, bio, role, team_id, status } = req.body;
try { try {
const [existing] = await pool.query('SELECT tenant_id FROM users WHERE id = ?', [req.params.id]); const [existing] = await pool.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
if (existing.length === 0) return res.status(404).json({ error: 'Not found' }); if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
const isSelf = req.user.id === req.params.id;
const isManagerOrAdmin = ['admin', 'owner', 'manager', 'super_admin'].includes(req.user.role);
if (!isSelf && !isManagerOrAdmin) {
return res.status(403).json({ error: 'Acesso negado.' });
}
if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) { if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
return res.status(403).json({ error: 'Acesso negado.' }); return res.status(403).json({ error: 'Acesso negado.' });
} }
const finalRole = isManagerOrAdmin && role !== undefined ? role : existing[0].role;
const finalTeamId = isManagerOrAdmin && team_id !== undefined ? team_id : existing[0].team_id;
const finalStatus = isManagerOrAdmin && status !== undefined ? status : existing[0].status;
await pool.query( await pool.query(
'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?', 'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
[name, bio, role, team_id || null, status, req.params.id] [name || existing[0].name, bio !== undefined ? bio : existing[0].bio, finalRole, finalTeamId || null, finalStatus, req.params.id]
); );
res.json({ message: 'User updated successfully.' }); res.json({ message: 'User updated successfully.' });
} catch (error) { } catch (error) {