From f5fdf047ed6ebbfdc4b5daf6a73408ec2d83c65b Mon Sep 17 00:00:00 2001 From: marcin2121 <13873718+marcin2121@users.noreply.github.com> Date: Tue, 31 Mar 2026 19:35:04 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix:=20Secure=20admin=20server?= =?UTF-8?q?=20actions=20by=20enforcing=20role=20checks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed `SUPABASE_SERVICE_ROLE_KEY` fallback to `NEXT_PUBLIC_SUPABASE_ANON_KEY` - Added check for `app_metadata.role === 'admin'` before allowing the action - Used `createServerClient` to authenticate the current user correctly Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- app/actions/get-admin-users.ts | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/app/actions/get-admin-users.ts b/app/actions/get-admin-users.ts index ebd4e98..0c2058d 100644 --- a/app/actions/get-admin-users.ts +++ b/app/actions/get-admin-users.ts @@ -1,9 +1,19 @@ 'use server' import { createClient } from '@supabase/supabase-js'; +import { createClient as createServerClient } from '@/lib/supabase/server'; export async function getAdminUsersDetails() { - const adminKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY; + const supabaseServer = await createServerClient(); + if (!supabaseServer) { + return { success: false, extraData: {}, error: 'Brak połączenia z bazą.' }; + } + const { data: { user } } = await supabaseServer.auth.getUser(); + if (!user || user.app_metadata?.role !== 'admin') { + return { success: false, extraData: {}, error: 'Brak uprawnień administratora.' }; + } + + const adminKey = process.env.SUPABASE_SERVICE_ROLE_KEY; const url = process.env.NEXT_PUBLIC_SUPABASE_URL; if (!adminKey || !url) { if (process.env.NODE_ENV !== 'production' || !process.env.CI) { @@ -43,7 +53,16 @@ export async function getAdminUsersDetails() { // 🚀 OMIJA Zabezpieczenia RLS do sczytania cudzych kuponów z bazy export async function getAdminUserCoupons(userId: string) { - const adminKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY; + const supabaseServer = await createServerClient(); + if (!supabaseServer) { + return { success: false, coupons: [], error: 'Brak połączenia z bazą.' }; + } + const { data: { user } } = await supabaseServer.auth.getUser(); + if (!user || user.app_metadata?.role !== 'admin') { + return { success: false, coupons: [], error: 'Brak uprawnień administratora.' }; + } + + const adminKey = process.env.SUPABASE_SERVICE_ROLE_KEY; const url = process.env.NEXT_PUBLIC_SUPABASE_URL; if (!adminKey || !url) { return { success: false, coupons: [], error: 'Brak kluczy do bazy.' };