120 lines
3.4 KiB
JavaScript
120 lines
3.4 KiB
JavaScript
import fs from 'fs/promises'
|
|
import path from 'path'
|
|
import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
|
|
import { randomUUID } from 'crypto'
|
|
|
|
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
|
// filename is always a hardcoded constant (e.g., 'newsletter.json'), never user input
|
|
const getDataPath = (filename) => {
|
|
const cwd = process.cwd()
|
|
if (cwd.endsWith('.output')) {
|
|
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
|
return path.join(cwd, '../server/data', filename)
|
|
}
|
|
// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
|
|
return path.join(cwd, 'server/data', filename)
|
|
}
|
|
|
|
const NEWSLETTERS_FILE = getDataPath('newsletters.json')
|
|
|
|
async function readNewsletters() {
|
|
try {
|
|
const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
|
|
return JSON.parse(data)
|
|
} catch (error) {
|
|
if (error.code === 'ENOENT') {
|
|
return []
|
|
}
|
|
throw error
|
|
}
|
|
}
|
|
|
|
async function writeNewsletters(newsletters) {
|
|
await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
|
|
}
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
// Authentifizierung prüfen
|
|
const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
|
|
|
|
if (!token) {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: 'Nicht authentifiziert'
|
|
})
|
|
}
|
|
|
|
const user = await getUserFromToken(token)
|
|
if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: 'Keine Berechtigung'
|
|
})
|
|
}
|
|
|
|
const body = await readBody(event)
|
|
const { title, content, type, targetGroup, sendToExternal } = body
|
|
|
|
if (!title || !type) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Titel und Typ sind erforderlich'
|
|
})
|
|
}
|
|
|
|
if (type === 'subscription' && sendToExternal === undefined) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'sendToExternal ist für Abonnenten-Newsletter erforderlich'
|
|
})
|
|
}
|
|
|
|
if (type === 'group' && !targetGroup) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Zielgruppe ist für Gruppen-Newsletter erforderlich'
|
|
})
|
|
}
|
|
|
|
const newsletters = await readNewsletters()
|
|
|
|
const newNewsletter = {
|
|
id: randomUUID(),
|
|
title,
|
|
content,
|
|
type, // 'subscription' oder 'group'
|
|
targetGroup: type === 'group' ? targetGroup : null, // 'alle', 'erwachsene', 'nachwuchs', 'mannschaftsspieler', 'vorstand'
|
|
sendToExternal: type === 'subscription' ? sendToExternal : false, // true = auch extern, false = nur intern
|
|
status: 'draft', // 'draft', 'sent'
|
|
createdAt: new Date().toISOString(),
|
|
createdBy: user.id,
|
|
sentAt: null,
|
|
sentTo: null
|
|
}
|
|
|
|
newsletters.push(newNewsletter)
|
|
await writeNewsletters(newsletters)
|
|
|
|
return {
|
|
success: true,
|
|
message: 'Newsletter erfolgreich erstellt',
|
|
newsletter: {
|
|
id: newNewsletter.id,
|
|
title: newNewsletter.title,
|
|
type: newNewsletter.type
|
|
}
|
|
}
|
|
} catch (error) {
|
|
console.error('Fehler beim Erstellen des Newsletters:', error)
|
|
if (error.statusCode) {
|
|
throw error
|
|
}
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: 'Fehler beim Erstellen des Newsletters'
|
|
})
|
|
}
|
|
})
|
|
|