From 59c0fe74491f971f8355c7d02ec9466f44d6901e Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto
Date: Fri, 26 Dec 2025 22:37:23 -0300
Subject: [PATCH] fix: filter users by company for ALL non-Admin roles

Previously only 'Seller' role was filtered, but Owner/Colaborador/Entregador roles were not filtered, causing global admin to appear in pharmacy user lists.
---
 backend/internal/http/handler/user_handler.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/backend/internal/http/handler/user_handler.go b/backend/internal/http/handler/user_handler.go
index ca0d4dc..4729c0c 100644
--- a/backend/internal/http/handler/user_handler.go
+++ b/backend/internal/http/handler/user_handler.go
@@ -92,9 +92,10 @@ func (h *Handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 companyFilter = &id
 }
 
- if strings.EqualFold(requester.Role, "Seller") {
+ // Non-admin users can only see users from their own company
+ if !strings.EqualFold(requester.Role, "Admin") {
 if requester.CompanyID == nil {
- writeError(w, http.StatusBadRequest, errors.New("seller must include X-Company-ID header"))
+ writeError(w, http.StatusBadRequest, errors.New("user must have a company associated"))
 return
 }
 companyFilter = requester.CompanyID
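Review bot: The new `writeError` line keeps `http.StatusBadRequest`, but the condition it reports — the authenticated requester has no company bound to it — is a property of the principal, not of the request, so `http.StatusForbidden` describes the refusal more accurately and stops suggesting that a header change (the dropped `X-Company-ID` wording) would fix it. The override `companyFilter = requester.CompanyID` is the right fail-safe choice, since a non-admin can no longer select another company through the header value assigned earlier in `companyFilter = &id`, but the override is silent; if the two values differ at that point, a log line naming the requester and the requested company would give operators a trace of cross-tenant probing that the handler currently leaves none of. The role comparison also repeats the `"Admin"` literal inline; a package constant such as `const roleAdmin = "Admin"` would keep this check aligned with any other role comparisons the handler makes, if there are others. ListUsers starts before the hunk, so where `id` and `requester` come from is assumed from the context lines.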