From 8045542f8fbf269673b253e3fdf621903f1b89de Mon Sep 17 00:00:00 2001 From: "Torsten Schulz (local)" Date: Fri, 6 Feb 2026 10:12:37 +0100 Subject: [PATCH] Enhance user contact data visibility based on role permissions This commit introduces role-based access control for user contact information in the CMS. It updates the user list display to show email and phone details only to users with the 'vorstand' role, while masking this information for others. Additionally, it modifies the API endpoints to ensure that contact data is only returned for authorized users, improving data privacy and security. --- pages/cms/benutzer.vue | 27 +++++++++++++++++++++++++-- server/api/cms/users/list.get.js | 16 +++++++++++----- server/api/members.get.js | 17 +++++++++++++++-- 3 files changed, 51 insertions(+), 9 deletions(-) diff --git a/pages/cms/benutzer.vue b/pages/cms/benutzer.vue index 61912ee..49b7131 100644 --- a/pages/cms/benutzer.vue +++ b/pages/cms/benutzer.vue @@ -143,12 +143,28 @@
- {{ user.email }} + + + Nur für Vorstand +
- {{ user.phone || '-' }} + + + Nur für Vorstand +
@@ -307,6 +323,13 @@ import { ref, computed, onMounted } from 'vue' import { AlertCircle, Check, X } from 'lucide-vue-next' +const authStore = useAuthStore() + +const canViewContactData = computed(() => { + // Kontaktdaten nur für Vorstand sichtbar + return authStore.hasRole('vorstand') +}) + const allUsers = ref([]) const currentUserId = ref(null) const successMessage = ref('') diff --git a/server/api/cms/users/list.get.js b/server/api/cms/users/list.get.js index bb801f8..8bb72ec 100644 --- a/server/api/cms/users/list.get.js +++ b/server/api/cms/users/list.get.js @@ -1,4 +1,4 @@ -import { getUserFromToken, readUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js' +import { getUserFromToken, readUsers, hasAnyRole, hasRole, migrateUserRoles } from '../../../utils/auth.js' export default defineEventHandler(async (event) => { try { @@ -13,18 +13,24 @@ export default defineEventHandler(async (event) => { } const users = await readUsers() - - // Return users without passwords + + const isVorstand = hasRole(currentUser, 'vorstand') + + // Return users without Passwörter; Kontaktdaten nur für Vorstand const safeUsers = users.map(u => { const migrated = migrateUserRoles({ ...u }) const roles = Array.isArray(migrated.roles) ? migrated.roles : (migrated.role ? [migrated.role] : ['mitglied']) + + const email = isVorstand ? u.email : undefined + const phone = isVorstand ? (u.phone || '') : undefined + return { id: u.id, - email: u.email, + email, name: u.name, roles: roles, role: roles[0] || 'mitglied', // Rückwärtskompatibilität - phone: u.phone || '', + phone, active: u.active, created: u.created, lastLogin: u.lastLogin diff --git a/server/api/members.get.js b/server/api/members.get.js index 6ce1b67..3a5fedd 100644 --- a/server/api/members.get.js +++ b/server/api/members.get.js @@ -1,4 +1,4 @@ -import { verifyToken } from '../utils/auth.js' +import { verifyToken, getUserFromToken, hasRole } from '../utils/auth.js' import { readMembers } from '../utils/members.js' import { readUsers, migrateUserRoles } from '../utils/auth.js' @@ -22,6 +22,8 @@ export default defineEventHandler(async (event) => { }) } + const currentUser = await getUserFromToken(token) + // Get manual members and registered users const manualMembers = await readMembers() const registeredUsers = await readUsers() @@ -141,9 +143,20 @@ export default defineEventHandler(async (event) => { // Sort by name mergedMembers.sort((a, b) => a.name.localeCompare(b.name)) + // Serverseitiger Datenschutz: Kontaktdaten nur für Vorstand + const isVorstand = hasRole(currentUser, 'vorstand') + const safeMembers = isVorstand + ? mergedMembers + : mergedMembers.map(m => ({ + ...m, + email: undefined, + phone: undefined, + address: undefined + })) + return { success: true, - members: mergedMembers + members: safeMembers } } catch (error) { console.error('Fehler beim Abrufen der Mitgliederliste:', error)