BUG FIX && 权限验证
This commit is contained in:
SpecialX
@@ -1,8 +1,11 @@
|
||||
"use server";
|
||||
|
||||
import { revalidatePath } from "next/cache"
|
||||
import { and, eq, sql } from "drizzle-orm"
|
||||
import { auth } from "@/auth"
|
||||
|
||||
import { db } from "@/shared/db"
|
||||
import { grades } from "@/shared/db/schema"
|
||||
import type { ActionState } from "@/shared/types/action-state"
|
||||
import {
|
||||
createAdminClass,
|
||||
@@ -44,6 +47,26 @@ export async function createTeacherClassAction(
|
||||
return { success: false, message: "Grade is required" }
|
||||
}
|
||||
|
||||
const session = await auth()
|
||||
if (!session?.user) return { success: false, message: "Unauthorized" }
|
||||
|
||||
const role = String(session.user.role ?? "")
|
||||
if (role !== "admin") {
|
||||
const userId = String(session.user.id ?? "").trim()
|
||||
if (!userId) return { success: false, message: "Unauthorized" }
|
||||
|
||||
const normalizedGradeId = typeof gradeId === "string" ? gradeId.trim() : ""
|
||||
const normalizedGradeName = grade.trim().toLowerCase()
|
||||
const where = normalizedGradeId
|
||||
? and(eq(grades.id, normalizedGradeId), eq(grades.gradeHeadId, userId))
|
||||
: and(eq(grades.gradeHeadId, userId), sql`LOWER(${grades.name}) = ${normalizedGradeName}`)
|
||||
|
||||
const [ownedGrade] = await db.select({ id: grades.id }).from(grades).where(where).limit(1)
|
||||
if (!ownedGrade) {
|
||||
return { success: false, message: "Only admins and grade heads can create classes" }
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
const id = await createTeacherClass({
|
||||
schoolName: typeof schoolName === "string" ? schoolName : null,
|
||||
@@ -311,6 +334,11 @@ export async function createAdminClassAction(
|
||||
prevState: ActionState<string> | undefined,
|
||||
formData: FormData
|
||||
): Promise<ActionState<string>> {
|
||||
const session = await auth()
|
||||
if (!session?.user?.id || String(session.user.role ?? "") !== "admin") {
|
||||
return { success: false, message: "Unauthorized" }
|
||||
}
|
||||
|
||||
const schoolName = formData.get("schoolName")
|
||||
const schoolId = formData.get("schoolId")
|
||||
const name = formData.get("name")
|
||||
|
||||
@@ -50,7 +50,7 @@ import {
|
||||
updateTeacherClassAction,
|
||||
} from "../actions"
|
||||
|
||||
export function MyClassesGrid({ classes }: { classes: TeacherClass[] }) {
|
||||
export function MyClassesGrid({ classes, canCreateClass }: { classes: TeacherClass[]; canCreateClass: boolean }) {
|
||||
const router = useRouter()
|
||||
const [isWorking, setIsWorking] = useState(false)
|
||||
const [createOpen, setCreateOpen] = useState(false)
|
||||
@@ -133,12 +133,13 @@ export function MyClassesGrid({ classes }: { classes: TeacherClass[] }) {
|
||||
<Dialog
|
||||
open={createOpen}
|
||||
onOpenChange={(open) => {
|
||||
if (!canCreateClass) return
|
||||
if (isWorking) return
|
||||
setCreateOpen(open)
|
||||
}}
|
||||
>
|
||||
<DialogTrigger asChild>
|
||||
<Button className="gap-2" disabled={isWorking}>
|
||||
<Button className="gap-2" disabled={isWorking || !canCreateClass}>
|
||||
<Plus className="size-4" />
|
||||
New class
|
||||
</Button>
|
||||
@@ -209,7 +210,7 @@ export function MyClassesGrid({ classes }: { classes: TeacherClass[] }) {
|
||||
title="No classes yet"
|
||||
description="Create your first class to start managing students and schedules."
|
||||
icon={Users}
|
||||
action={{ label: "Create class", onClick: () => setCreateOpen(true) }}
|
||||
action={canCreateClass ? { label: "Create class", onClick: () => setCreateOpen(true) } : undefined}
|
||||
className="h-[360px] bg-card sm:col-span-2 lg:col-span-3"
|
||||
/>
|
||||
) : filteredClasses.length === 0 ? (
|
||||
|
||||
Reference in New Issue
Block a user