Fix company access: sync session from users.json on every check_auth

- check_auth always reads fresh company permissions from users.json
- user_update updates session immediately when editing own permissions
- Prevents a stale session from showing tickets from companies the user has lost access to

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 11:34:18 +02:00
parent 9973485cb4
commit 64ff8eaa91

api.php

@@ -1059,17 +1059,16 @@ switch ($action) {
case 'check_auth': case 'check_auth':
if (isset($_SESSION['user_id'])) { if (isset($_SESSION['user_id'])) {
// Fallback: jos session ei sisällä company-dataa (vanha sessio ennen migraatiota) // Synkronoi aina tuoreet yritysoikeudet users.json:sta sessioon
if (empty($_SESSION['companies'])) { $users = loadUsers();
$users = loadUsers(); foreach ($users as $u) {
foreach ($users as $u) { if ($u['id'] === $_SESSION['user_id']) {
if ($u['id'] === $_SESSION['user_id']) { $_SESSION['companies'] = $u['companies'] ?? [];
$_SESSION['companies'] = $u['companies'] ?? []; // Varmista aktiivinen yritys on sallittu
if (!empty($u['companies'])) { if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies'])) {
$_SESSION['company_id'] = $u['companies'][0]; $_SESSION['company_id'] = !empty($_SESSION['companies']) ? $_SESSION['companies'][0] : '';
}
break;
} }
break;
} }
} }
// Hae yritysten nimet // Hae yritysten nimet
@@ -1245,6 +1244,16 @@ switch ($action) {
} }
$found = true; $found = true;
addLog('user_update', '', '', "Muokkasi käyttäjää: {$u['username']}"); addLog('user_update', '', '', "Muokkasi käyttäjää: {$u['username']}");
// Päivitä sessio jos muokattiin kirjautunutta käyttäjää
if ($u['id'] === $_SESSION['user_id']) {
$_SESSION['companies'] = $u['companies'] ?? [];
if (!empty($u['companies']) && !in_array($_SESSION['company_id'] ?? '', $u['companies'])) {
$_SESSION['company_id'] = $u['companies'][0];
}
if (empty($u['companies'])) {
$_SESSION['company_id'] = '';
}
}
$safe = $u; $safe = $u;
unset($safe['password_hash']); unset($safe['password_hash']);
echo json_encode($safe); echo json_encode($safe);
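Review bot: The authorization check in the first hunk, `if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies']))`, uses loose comparison, so it should pass `strict: true`; the same applies to the `in_array` call in the second hunk, because with loose comparison numeric-looking ids such as `'1e2'` and `'100'` compare equal. The same loop in `check_auth` also leaves `$_SESSION['companies']` and `$_SESSION['company_id']` untouched when no record in users.json matches `$_SESSION['user_id']`, so a user removed from users.json keeps the permissions of the last successful sync; unless removal is handled elsewhere, the check should clear those keys or treat the session as unauthenticated when the loop finds no match. Since both hunks now implement the same session sync with slightly different branching, a single helper would keep them consistent — the sketch below replaces the two inline copies. The `check_auth` case continues past the end of the first hunk, and `user_update` starts and ends outside the second.

```php
// Aligns the session's company permissions with the given users.json record.
function syncSessionCompanies(array $u): void
{
    $_SESSION['companies'] = $u['companies'] ?? [];
    if (!in_array($_SESSION['company_id'] ?? '', $_SESSION['companies'], true)) {
        $_SESSION['company_id'] = $_SESSION['companies'][0] ?? '';
    }
}

// in case 'check_auth':
$matched = false;
foreach (loadUsers() as $u) {
    if ($u['id'] === $_SESSION['user_id']) {
        syncSessionCompanies($u);
        $matched = true;
        break;
    }
}
if (!$matched) {
    // TODO(review): decide how a session whose user no longer exists in users.json should be handled
    $_SESSION['companies'] = [];
    $_SESSION['company_id'] = '';
}
// … unchanged: company name lookup …

// in case 'user_update', after addLog(...):
if ($u['id'] === ($_SESSION['user_id'] ?? null)) {
    syncSessionCompanies($u);
}
// … unchanged: $safe response …
```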