From 5f79d220cf52128358d835b51646092dad9775f3 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 15 Apr 2026 20:50:29 +0200
Subject: [PATCH] Refactor PDF generation process in membership API to ensure consistent directory creation for uploads. Update final PDF path handling to improve clarity and maintainability of the code.
---
 server/api/membership/generate-pdf.post.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/server/api/membership/generate-pdf.post.js b/server/api/membership/generate-pdf.post.js
index 6bed0cd..2e1a60a 100644
--- a/server/api/membership/generate-pdf.post.js
+++ b/server/api/membership/generate-pdf.post.js
@@ -348,6 +348,9 @@ export default defineEventHandler(async (event) => {
 // da Deploy-Artefakte dort je nach Setup schreibgeschützt sein können)
 const tempDir = getServerDataPath('tmp', 'latex')
 await fs.mkdir(tempDir, { recursive: true })
+ const uploadsDir = getDataPath('uploads')
+ await fs.mkdir(uploadsDir, { recursive: true })
+ let finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
 try {
 // PDF-Template-Funktion aktiv: versuche Original-PDF-Template herunterzuladen und zu befüllen
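Review bot: The hoisted `let finalPdfPath` is reassigned to the identical `path.join(uploadsDir, ...)` expression in the hunks at -589 and -664, so it can be declared `const` here and both reassignments dropped; a path that feeds `writeFile` and `copyFile` is easier to audit when it is set exactly once. Unlike those two sites, the new line carries neither the `nosemgrep` marker nor the comment stating that `filename` is timestamp-derived, and where `filename` is built lies outside this hunk. Enforcing that claim is stronger than suppressing the finding, for example `if (path.basename(filename) !== filename) throw new Error('invalid filename')` directly before the join.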
@@ -589,14 +592,12 @@ export default defineEventHandler(async (event) => {
 }
 let usedTemplate = false
- const uploadsDir = getDataPath('uploads')
- await fs.mkdir(uploadsDir, { recursive: true })
 try {
 const filled = await fillPdfTemplate(data)
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is generated from timestamp, not user input, path traversal prevented
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- const finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
+ finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
 await fs.writeFile(finalPdfPath, filled)
 // Do NOT copy filled PDFs into public repo uploads to avoid accidental exposure.
 usedTemplate = true
@@ -664,7 +665,7 @@ export default defineEventHandler(async (event) => {
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 const pdfPath = path.join(tempDir, `${filename}.pdf`)
 await fs.mkdir(uploadsDir, { recursive: true })
- const finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
+ finalPdfPath = path.join(uploadsDir, `${filename}.pdf`)
 await fs.copyFile(pdfPath, finalPdfPath)
 // E-Mail senden via zentralen Service (pass full path)
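Review bot: `fs.writeFile(finalPdfPath, filled)` opens the target with the default `w` flag and default permissions, so a second request that produces the same `filename` would silently overwrite an earlier filled form, and the file mode is left to the process umask. Requesting exclusive creation and an owner-only mode makes both explicit: `await fs.writeFile(finalPdfPath, filled, { flag: 'wx', mode: 0o600 })`. The comment says `filename` comes from a timestamp, but its construction is outside the hunk; if it is timestamp-only, a random suffix such as `crypto.randomUUID()` would also rule out collisions and guessable names. The enclosing `try` continues past the end of the hunk.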
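Review bot: The context line `await fs.mkdir(uploadsDir, { recursive: true })` just above the changed line is now redundant, because this commit creates the directory once before the outer `try` (hunk at -348) and already removed the equivalent call in the hunk at -589. Dropping it here would complete the stated goal of consistent directory creation. `fs.copyFile(pdfPath, finalPdfPath)` also overwrites an existing destination by default; passing the `COPYFILE_EXCL` mode as the third argument would turn a name collision into an error instead of a silent replacement. Whether the intermediate PDF in `tempDir` is removed afterwards is not visible in this hunk.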