From 64ff8eaa91ee9bb2511b5e5315613b5157eb26e1 Mon Sep 17 00:00:00 2001
From: Jukka Lampikoski
Date: Tue, 10 Mar 2026 11:34:18 +0200
Subject: [PATCH] Fix company access: sync session from users.json on every check_auth
- check_auth always reads fresh company permissions from users.json
- user_update updates session immediately when editing own permissions
- Prevents stale session showing tickets from companies user lost access to
Co-Authored-By: Claude Opus 4.6
---
 api.php | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/api.php b/api.php
index 5cf963f..c2981f4 100644
--- a/api.php
+++ b/api.php
@@ -1059,17 +1059,16 @@ switch ($action) {
 case 'check_auth':
 if (isset($_SESSION['user_id'])) {
- // Fallback: jos session ei sisällä company-dataa (vanha sessio ennen migraatiota)
- if (empty($_SESSION['companies'])) {
- $users = loadUsers();
- foreach ($users as $u) {
- if ($u['id'] === $_SESSION['user_id']) {
- $_SESSION['companies'] = $u['companies'] ?? [];
- if (!empty($u['companies'])) {
- $_SESSION['company_id'] = $u['companies'][0];
- }
- break;
+ // Synkronoi aina tuoreet yritysoikeudet users.json:sta sessioon
+ $users = loadUsers();
+ foreach ($users as $u) {
+ if ($u['id'] === $_SESSION['user_id']) {
+ $_SESSION['companies'] = $u['companies'] ?? [];
+ // Varmista aktiivinen yritys on sallittu
+ if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies'])) {
+ $_SESSION['company_id'] = !empty($_SESSION['companies']) ? $_SESSION['companies'][0] : '';
 }
+ break;
 }
 }
 // Hae yritysten nimet
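Review bot: When no record in users.json matches `$_SESSION['user_id']` (a user deleted after logging in), the new foreach in check_auth falls through without touching the session, so the stale `$_SESSION['companies']` and `$_SESSION['company_id']` keep granting access — the exact condition the commit sets out to close. Track whether the loop matched and clear the company fields (or end the session) when it did not. Both `in_array` calls, here and in the user_update hunk, should pass `strict: true` so the `''` fallback for a missing `company_id` cannot loosely match an entry; this assumes company ids carry one consistent type in users.json and the session, which is worth confirming. The hunk header counts suggest one blank context line was lost when the patch was collapsed, and the `case 'check_auth'` body continues past the hunk.
```php
$users = loadUsers();
$matched = false;
foreach ($users as $u) {
    if ($u['id'] === $_SESSION['user_id']) {
        $_SESSION['companies'] = $u['companies'] ?? [];
        // Keep the active company only while it is still permitted
        if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies'], true)) {
            $_SESSION['company_id'] = !empty($_SESSION['companies']) ? $_SESSION['companies'][0] : '';
        }
        $matched = true;
        break;
    }
}
// No matching record (user removed after login): drop company access rather than keep stale values
if (!$matched) {
    $_SESSION['companies'] = [];
    $_SESSION['company_id'] = '';
}
// … unchanged: company name lookup ("Hae yritysten nimet") …
```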
@@ -1245,6 +1244,16 @@ switch ($action) {
 }
 $found = true;
 addLog('user_update', '', '', "Muokkasi käyttäjää: {$u['username']}");
+ // Päivitä sessio jos muokattiin kirjautunutta käyttäjää
+ if ($u['id'] === $_SESSION['user_id']) {
+ $_SESSION['companies'] = $u['companies'] ?? [];
+ if (!empty($u['companies']) && !in_array($_SESSION['company_id'] ?? '', $u['companies'])) {
+ $_SESSION['company_id'] = $u['companies'][0];
+ }
+ if (empty($u['companies'])) {
+ $_SESSION['company_id'] = '';
+ }
+ }
 $safe = $u;
 unset($safe['password_hash']);
 echo json_encode($safe);
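Review bot: The session refresh added after the addLog call only covers the editor's own record (`$u['id'] === $_SESSION['user_id']`); when an admin removes companies from another user, that user's session keeps its old `$_SESSION['companies']` until something calls check_auth, so any endpoint that filters tickets by `$_SESSION['companies']` without first going through check_auth would still serve the revoked companies — those endpoints are not visible from this hunk, so this is worth confirming. The block also duplicates the normalisation in check_auth in a different shape (two separate ifs instead of one membership test), which invites the two drifting apart. Extracting one helper such as `function syncSessionCompanies(array $user): void` that both cases call, and that the ticket-reading paths can call as well, would keep them in step and let the `in_array` use `strict: true` in a single place. The enclosing `user_update` case starts before the hunk.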