Benutzer, Ticketzuweißungen

2026-03-23 03:12:08 +01:00
parent e75a2e5e20
commit 08391cdb6c
29 changed files with 592 additions and 111 deletions


@@ -12,6 +12,13 @@ import {
import { hashPassword } from '../../password.js';
import { requireAdmin, requireAuth } from '../../middleware/auth.js';
const CRM_ROLES = new Set(['admin', 'viewer', 'after_sales']);
function normalizeUserRole(role) {
const r = String(role || '').trim();
return CRM_ROLES.has(r) ? r : 'after_sales';
}
export function createAdminRouter() {
const admin = Router();
admin.use(requireAuth, requireAdmin);
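Review bot: `normalizeUserRole` silently maps any missing or unrecognised role to `'after_sales'`, so the create handler (`const r = normalizeUserRole(role);` in the next hunk) accepts a mistyped role and creates the account with a role the admin did not choose. The update path in this same commit rejects unknown values with `'Ungültige Rolle.'`, so the two endpoints now disagree. For an endpoint that assigns privileges it is safer to fail closed: keep the default only when `role` is absent and add `if (role !== undefined && !CRM_ROLES.has(role)) return badRequest(res, 'Ungültige Rolle.');` before the normalisation. Whether `'after_sales'` is the least-privileged of the three roles cannot be told from these hunks; if it is not, the fallback should be the one that is. The create handler's body starts and ends outside the visible hunks.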
@@ -31,7 +38,7 @@ export function createAdminRouter() {
.trim()
.toLowerCase();
if (!un || !password) return badRequest(res, 'Benutzername und Passwort erforderlich.');
const r = role === 'admin' ? 'admin' : 'user';
const r = normalizeUserRole(role);
const id = randomUUID();
const ph = await hashPassword(password);
try {
@@ -66,7 +73,7 @@ export function createAdminRouter() {
).run(ph, id);
}
if (b.role !== undefined) {
if (b.role !== 'admin' && b.role !== 'user') {
if (!CRM_ROLES.has(b.role)) {
return badRequest(res, 'Ungültige Rolle.');
}
const admins = db
@@ -74,7 +81,7 @@ export function createAdminRouter() {
"SELECT COUNT(*) AS c FROM users WHERE role = 'admin' AND active = 1",
)
.get().c;
if (cur.role === 'admin' && b.role === 'user' && admins <= 1) {
if (cur.role === 'admin' && b.role !== 'admin' && admins <= 1) {
return res.status(400).json({ message: 'Letzter Administrator kann nicht herabgestuft werden.' });
}
db.prepare('UPDATE users SET role = ?, updated_at = datetime(\'now\') WHERE id = ?').run(