fix: resolve sql query logic preventing managers from seeing themselves or their team if team_id is null

backend/index.js

@@ -291,10 +291,15 @@ apiRouter.get('/users', async (req, res) => {
       params.push(effectiveTenantId); 
     }
     
-    // Strict RBAC: Managers can only see users in their own team
+    // Strict RBAC: Managers can only see users in their own team, or themselves if they don't have a team yet
     if (req.user.role === 'manager') {
-      q += (params.length > 0 ? ' AND' : ' WHERE') + ' team_id = ?';
+      if (req.user.team_id) {
-      params.push(req.user.team_id);
+        q += (params.length > 0 ? ' AND' : ' WHERE') + ' (team_id = ? OR id = ?)';
+        params.push(req.user.team_id, req.user.id);
+      } else {
+        q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
+        params.push(req.user.id);
+      }
     }
     
     const [rows] = await pool.query(q, params);
@@ -536,8 +541,13 @@ apiRouter.get('/teams', async (req, res) => {
     
     // Strict RBAC: Managers can only see their own team
     if (req.user.role === 'manager') {
+      if (req.user.team_id) {
         q += (params.length > 0 ? ' AND' : ' WHERE') + ' id = ?';
         params.push(req.user.team_id);
+      } else {
+        // If a manager doesn't have a team, return nothing to prevent showing all teams
+        q += (params.length > 0 ? ' AND' : ' WHERE') + ' 1=0'; 
+      }
     }
     
     const [rows] = await pool.query(q, params);