Enhance authentication checks in CMS API endpoints; implement user role validation for admin and board access. Refactor Spielpläne API to remove unnecessary logging and improve error handling. Update tests to mock user authentication and ensure proper validation of file uploads.

2025-11-10 13:18:29 +01:00
parent bde1d32b14
commit 3d6646cf31
5 changed files with 81 additions and 18 deletions
--- a/server/api/cms/satzung-upload.post.js
+++ b/server/api/cms/satzung-upload.post.js
@@ -3,6 +3,7 @@ import fs from 'fs/promises'
 import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
+import { getUserFromToken } from '../../utils/auth.js'

 const execAsync = promisify(exec)

@@ -51,6 +52,23 @@ export default defineEventHandler(async (event) => {
    })
  }

+  let token = getCookie(event, 'auth_token')
+  const currentUser = token ? await getUserFromToken(token) : null
+
+  if (!currentUser) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Nicht authentifiziert'
+    })
+  }
+
+  if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Keine Berechtigung'
+    })
+  }
+
  try {
    // Multer-Middleware für File-Upload
    await new Promise((resolve, reject) => {
--- a/server/api/cms/save-csv.post.js
+++ b/server/api/cms/save-csv.post.js
@@ -1,8 +1,26 @@
 import fs from 'fs/promises'
 import path from 'path'
+import { getUserFromToken } from '../../utils/auth.js'

 export default defineEventHandler(async (event) => {
  try {
+    const token = getCookie(event, 'auth_token')
+    const currentUser = token ? await getUserFromToken(token) : null
+
+    if (!currentUser) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
    const { filename, content } = await readBody(event)
    
    if (!filename || !content) {
--- a/server/api/cms/upload-spielplan-pdf.post.js
+++ b/server/api/cms/upload-spielplan-pdf.post.js
@@ -1,6 +1,7 @@
 import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
+import { getUserFromToken } from '../../utils/auth.js'

 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -31,12 +32,35 @@ const upload = multer({

 export default defineEventHandler(async (event) => {
  try {
-    // Prüfe Authentifizierung
-    const authHeader = getHeader(event, 'authorization')
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    let token = getCookie(event, 'auth_token')
+
+    if (!token) {
+      const authHeader = getHeader(event, 'authorization')
+      if (authHeader && authHeader.startsWith('Bearer ')) {
+        token = authHeader.substring(7).trim()
+      }
+    }
+
+    if (!token) {
      throw createError({
        statusCode: 401,
-        statusMessage: 'Nicht autorisiert'
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const currentUser = await getUserFromToken(token)
+
+    if (!currentUser) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
      })
    }