Enhance authentication checks in CMS API endpoints; implement user role validation for admin and board access. Refactor Spielpläne API to remove unnecessary logging and improve error handling. Update tests to mock user authentication and ensure proper validation of file uploads.

server/api/cms/satzung-upload.post.js

@@ -3,6 +3,7 @@ import fs from 'fs/promises'
 import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
+import { getUserFromToken } from '../../utils/auth.js'
 
 const execAsync = promisify(exec)
 
@@ -51,6 +52,23 @@ export default defineEventHandler(async (event) => {
     })
   }
 
+  let token = getCookie(event, 'auth_token')
+  const currentUser = token ? await getUserFromToken(token) : null
+
+  if (!currentUser) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Nicht authentifiziert'
+    })
+  }
+
+  if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Keine Berechtigung'
+    })
+  }
+
   try {
     // Multer-Middleware für File-Upload
     await new Promise((resolve, reject) => {