From 61f73c3421b975e582d5724b15c45cc72c79c858 Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto
Date: Fri, 26 Dec 2025 22:35:27 -0300
Subject: [PATCH] fix: allow buyers to view shipping settings and filter orders by role

- shipping_handler: Remove auth restriction on GetShippingSettings (buyers need to see sellers' shipping options)
- order_handler: Add role query param parsing (buyer/seller) to filter orders by requester's company ID

Fixes 500 errors on:
- GET /api/v1/shipping/settings/{vendor_id}
- GET /api/v1/orders?role=buyer
- GET /api/v1/orders?role=seller
---
 backend/internal/http/handler/order_handler.go | 17 +++++++++++++++++
 .../internal/http/handler/shipping_handler.go | 13 ++-----------
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/backend/internal/http/handler/order_handler.go b/backend/internal/http/handler/order_handler.go
index a9fd635..398ed3d 100644
--- a/backend/internal/http/handler/order_handler.go
+++ b/backend/internal/http/handler/order_handler.go
@@ -55,6 +55,23 @@ func (h *Handler) ListOrders(w http.ResponseWriter, r *http.Request) {
 page, pageSize := parsePagination(r)
 filter := domain.OrderFilter{}
+ // Parse role query param for filtering
+ requester, err := getRequester(r)
+ if err != nil {
+ writeError(w, http.StatusUnauthorized, err)
+ return
+ }
+
+ role := r.URL.Query().Get("role")
+ if role != "" && requester.CompanyID != nil {
+ switch role {
+ case "buyer":
+ filter.BuyerID = requester.CompanyID
+ case "seller":
+ filter.SellerID = requester.CompanyID
+ }
+ }
+
 result, err := h.svc.ListOrders(r.Context(), filter, page, pageSize)
 if err != nil {
 writeError(w, http.StatusInternalServerError, err)
diff --git a/backend/internal/http/handler/shipping_handler.go b/backend/internal/http/handler/shipping_handler.go
index 1dd3150..875b35c 100644
--- a/backend/internal/http/handler/shipping_handler.go
+++ b/backend/internal/http/handler/shipping_handler.go 
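Review bot: The new role handling leaves `filter` empty whenever `role` is absent, unrecognized, or `requester.CompanyID` is nil, so the `h.svc.ListOrders` call at the end of the hunk then runs unscoped; unless the service itself narrows results to the requester (not visible here), any authenticated user can list every company's orders simply by omitting `role`. A safer shape is to require a recognized role for non-admin requesters and to reject a nil company ID explicitly instead of silently dropping the filter, as sketched below (`strings` and `errors` must be in scope in order_handler.go; `requester.Role` is the field the removed shipping_handler check compared against "Admin"). The `if role != "" && ...` guard wrapping the switch also duplicates what a `default` case expresses more directly. ListOrders starts and ends outside the hunk.

```go
	// … unchanged: getRequester call and 401 on failure …

	role := r.URL.Query().Get("role")
	isAdmin := strings.EqualFold(requester.Role, "Admin")
	// Non-admins must always be scoped to their own company; only an admin may
	// list without a role filter.
	if role == "" && !isAdmin {
		writeError(w, http.StatusBadRequest, errors.New("role query parameter is required"))
		return
	}
	if role != "" {
		if requester.CompanyID == nil {
			writeError(w, http.StatusForbidden, errors.New("requester has no company"))
			return
		}
		switch role {
		case "buyer":
			filter.BuyerID = requester.CompanyID
		case "seller":
			filter.SellerID = requester.CompanyID
		default:
			writeError(w, http.StatusBadRequest, errors.New("role must be buyer or seller"))
			return
		}
	}

	// … unchanged: h.svc.ListOrders call and response …
```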
@@ -28,17 +28,8 @@ func (h *Handler) GetShippingSettings(w http.ResponseWriter, r *http.Request) {
 return
 }
- requester, err := getRequester(r)
- if err != nil {
- writeError(w, http.StatusBadRequest, err)
- return
- }
- if !strings.EqualFold(requester.Role, "Admin") {
- if requester.CompanyID == nil || *requester.CompanyID != vendorID {
- writeError(w, http.StatusForbidden, errors.New("not allowed to view shipping settings"))
- return
- }
- }
+ // Any authenticated user can view shipping settings (needed for checkout)
+ // No role-based restriction here - shipping settings are public info for buyers
 settings, err := h.svc.GetShippingSettings(r.Context(), vendorID)
 if err != nil {