Fix company access: sync session from users.json on every check_auth

- check_auth always reads fresh company permissions from users.json - user_update updates session immediately when editing own permissions - Prevents stale session showing tickets from companies user lost access to Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 11:34:18 +02:00
parent 9973485cb4
commit 64ff8eaa91
1 changed files with 19 additions and 10 deletions
--- a/api.php
+++ b/api.php
@@ -1059,19 +1059,18 @@ switch ($action) {

    case 'check_auth':
        if (isset($_SESSION['user_id'])) {
-            // Fallback: jos session ei sisällä company-dataa (vanha sessio ennen migraatiota)
-            if (empty($_SESSION['companies'])) {
+            // Synkronoi aina tuoreet yritysoikeudet users.json:sta sessioon
            $users = loadUsers();
            foreach ($users as $u) {
                if ($u['id'] === $_SESSION['user_id']) {
                    $_SESSION['companies'] = $u['companies'] ?? [];
-                        if (!empty($u['companies'])) {
-                            $_SESSION['company_id'] = $u['companies'][0];
+                    // Varmista aktiivinen yritys on sallittu
+                    if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies'])) {
+                        $_SESSION['company_id'] = !empty($_SESSION['companies']) ? $_SESSION['companies'][0] : '';
                    }
                    break;
                }
            }
-            }
            // Hae yritysten nimet
            $userCompanyIds = $_SESSION['companies'] ?? [];
            $allCompanies = loadCompanies();
@@ -1245,6 +1244,16 @@ switch ($action) {
                }
                $found = true;
                addLog('user_update', '', '', "Muokkasi käyttäjää: {$u['username']}");
+                // Päivitä sessio jos muokattiin kirjautunutta käyttäjää
+                if ($u['id'] === $_SESSION['user_id']) {
+                    $_SESSION['companies'] = $u['companies'] ?? [];
+                    if (!empty($u['companies']) && !in_array($_SESSION['company_id'] ?? '', $u['companies'])) {
+                        $_SESSION['company_id'] = $u['companies'][0];
+                    }
+                    if (empty($u['companies'])) {
+                        $_SESSION['company_id'] = '';
+                    }
+                }
                $safe = $u;
                unset($safe['password_hash']);
                echo json_encode($safe);