Enhance user contact data visibility based on role permissions

This commit introduces role-based access control for user contact information in the CMS. It updates the user list display to show email and phone details only to users with the 'vorstand' role, while masking this information for others. Additionally, it modifies the API endpoints to ensure that contact data is only returned for authorized users, improving data privacy and security.
2026-02-06 10:12:37 +01:00
parent 1474591137
commit 8045542f8f
3 changed files with 51 additions and 9 deletions
--- a/server/api/members.get.js
+++ b/server/api/members.get.js
@@ -1,4 +1,4 @@
-import { verifyToken } from '../utils/auth.js'
+import { verifyToken, getUserFromToken, hasRole } from '../utils/auth.js'
 import { readMembers } from '../utils/members.js'
 import { readUsers, migrateUserRoles } from '../utils/auth.js'

@@ -22,6 +22,8 @@ export default defineEventHandler(async (event) => {
      })
    }

+    const currentUser = await getUserFromToken(token)
+
    // Get manual members and registered users
    const manualMembers = await readMembers()
    const registeredUsers = await readUsers()
@@ -141,9 +143,20 @@ export default defineEventHandler(async (event) => {
    // Sort by name
    mergedMembers.sort((a, b) => a.name.localeCompare(b.name))

+    // Serverseitiger Datenschutz: Kontaktdaten nur für Vorstand
+    const isVorstand = hasRole(currentUser, 'vorstand')
+    const safeMembers = isVorstand
+      ? mergedMembers
+      : mergedMembers.map(m => ({
+          ...m,
+          email: undefined,
+          phone: undefined,
+          address: undefined
+        }))
+
    return {
      success: true,
-      members: mergedMembers
+      members: safeMembers
    }
  } catch (error) {
    console.error('Fehler beim Abrufen der Mitgliederliste:', error)