fix: filter users by company for ALL non-Admin roles

Previously only the 'Seller' role was filtered; the Owner/Colaborador/Entregador roles
were not, which caused the global admin to appear in pharmacy user lists.
Tiago Yamamoto 2025-12-26 22:37:23 -03:00
parent 61f73c3421
commit 59c0fe7449


@ -92,9 +92,10 @@ func (h *Handler) ListUsers(w http.ResponseWriter, r *http.Request) {
companyFilter = &id
}
if strings.EqualFold(requester.Role, "Seller") {
// Non-admin users can only see users from their own company
if !strings.EqualFold(requester.Role, "Admin") {
if requester.CompanyID == nil {
writeError(w, http.StatusBadRequest, errors.New("seller must include X-Company-ID header"))
writeError(w, http.StatusBadRequest, errors.New("user must have a company associated"))
return
}
companyFilter = requester.CompanyID