v1.2.2: Fix Nominatim CSP, Tenant Admin kann eigene Symbole hochladen

2026-02-24 22:43:05 +01:00
parent f480905bb9
commit 8ddeb7b377
5 changed files with 21 additions and 18 deletions
--- a/src/app/api/admin/icons/upload/route.ts
+++ b/src/app/api/admin/icons/upload/route.ts
@@ -10,7 +10,7 @@ const MAX_SIZE = 5 * 1024 * 1024 // 5MB
 export async function POST(req: NextRequest) {
  try {
    const user = await getSession()
-    if (!user || !isAdmin(user.role)) {
+    if (!user || (user.role !== 'SERVER_ADMIN' && user.role !== 'TENANT_ADMIN')) {
      return NextResponse.json({ error: 'Nicht autorisiert' }, { status: 403 })
    }

@@ -55,27 +55,25 @@ export async function POST(req: NextRequest) {

    // Generate safe filename
    const ext = file.name.split('.').pop()?.toLowerCase() || 'png'
+    const isTenantAdmin = user.role === 'TENANT_ADMIN'
+    const prefix = isTenantAdmin ? `tenant-${user.tenantId}/icons` : 'icons'
    const safeFileName = `${uuidv4()}.${ext}`
-    const fileKey = `icons/${safeFileName}`
+    const fileKey = `${prefix}/${safeFileName}`

    // Upload to MinIO
    const buffer = Buffer.from(await file.arrayBuffer())
    await uploadFile(fileKey, buffer, file.type)

-    // TENANT_ADMIN: icons get tenantId. SERVER_ADMIN: global icons (tenantId=null)
-    const tenantId = user.role === 'SERVER_ADMIN' ? null : user.tenantId || null
-
-    // Create database entry
+    // Save to DB
    const icon = await (prisma as any).iconAsset.create({
      data: {
        name: name.trim(),
-        fileKey,
-        mimeType: file.type,
        categoryId,
        iconType: iconType as any,
-        isSystem: false,
-        isActive: true,
-        tenantId,
+        fileKey,
+        mimeType: file.type,
+        isSystem: !isTenantAdmin, // true für Server Admin, false für Tenant Admin
+        tenantId: isTenantAdmin ? user.tenantId : null,
        ownerId: user.id,
      },
      include: {
--- a/src/app/api/icons/route.ts
+++ b/src/app/api/icons/route.ts
@@ -32,7 +32,7 @@ export async function GET() {
        icons: {
          where: user?.tenantId
            ? { isActive: true, OR: [{ tenantId: null }, { tenantId: user.tenantId }] }
-            : { isActive: true },
+            : { isActive: true, tenantId: null },
          orderBy: { name: 'asc' },
        },
      },