Allow staff access to admin UI with scoped permissions

This commit is contained in:
Esdras Renan 2025-10-13 16:30:52 -03:00
parent d6956cd99d
commit cf31158a9e
11 changed files with 155 additions and 52 deletions


@ -3,7 +3,8 @@ import { NextResponse } from "next/server"
import { hashPassword } from "better-auth/crypto"
import { prisma } from "@/lib/prisma"
import { assertAdminSession } from "@/lib/auth-server"
import { assertStaffSession } from "@/lib/auth-server"
import { isAdmin } from "@/lib/authz"
function generatePassword(length = 12) {
const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
@ -19,10 +20,11 @@ export const runtime = "nodejs"
export async function POST(request: Request, { params }: { params: Promise<{ id: string }> }) {
const { id } = await params
const session = await assertAdminSession()
const session = await assertStaffSession()
if (!session) {
return NextResponse.json({ error: "Não autorizado" }, { status: 401 })
}
const sessionIsAdmin = isAdmin(session.user.role)
const user = await prisma.authUser.findUnique({
where: { id },
@ -33,7 +35,12 @@ export async function POST(request: Request, { params }: { params: Promise<{ id:
return NextResponse.json({ error: "Usuário não encontrado" }, { status: 404 })
}
if ((user.role ?? "").toLowerCase() === "machine") {
const targetRole = (user.role ?? "").toLowerCase()
if (!sessionIsAdmin && (targetRole === "admin" || targetRole === "agent")) {
return NextResponse.json({ error: "Você não pode redefinir a senha desse usuário" }, { status: 403 })
}
if (targetRole === "machine") {
return NextResponse.json({ error: "Contas de máquina não possuem senha web" }, { status: 400 })
}