32 lines
937 B
JavaScript
32 lines
937 B
JavaScript
import db from '../db.js';
|
|
|
|
export function requireAuth(req, res, next) {
|
|
if (!req.session?.userId) {
|
|
return res.status(401).json({ message: 'Nicht angemeldet' });
|
|
}
|
|
const u = db
|
|
.prepare('SELECT id, active FROM users WHERE id = ?')
|
|
.get(req.session.userId);
|
|
if (!u || !u.active) {
|
|
req.session.destroy(() => {});
|
|
return res.status(401).json({ message: 'Nicht angemeldet' });
|
|
}
|
|
next();
|
|
}
|
|
|
|
export function requireAdmin(req, res, next) {
|
|
if (req.session?.role !== 'admin') {
|
|
return res.status(403).json({ message: 'Administratorrechte erforderlich.' });
|
|
}
|
|
next();
|
|
}
|
|
|
|
/** Maschinen, Tickets, Events, Anhänge bearbeiten (nicht: nur Viewer). */
|
|
export function requireCrmEdit(req, res, next) {
|
|
const r = req.session?.role;
|
|
if (r === 'admin' || r === 'after_sales') {
|
|
return next();
|
|
}
|
|
return res.status(403).json({ message: 'Keine Bearbeitungsrechte.' });
|
|
}
|