Skip to content

Commit 1e287c4

Browse files
fix(auth): resolve Prisma alunoId vs Auth UUID in delete+update authorization
deleteTreinoAction and updateTreinoDayAction compared treino.alunoId (Prisma ID) against user.id (Auth UUID), always mismatching after PR #174 FK fix. Resolve aluno.id by email before auth check. Co-Authored-By: Claude <noreply@anthropic.com>
1 parent e7900ca commit 1e287c4

1 file changed

Lines changed: 8 additions & 2 deletions

File tree

src/lib/actions/treinos.ts

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -243,10 +243,13 @@ export async function updateTreinoDayAction(treinoId: string, diaSemana: number
243243
select: { instrutorId: true, alunoId: true },
244244
});
245245

246+
// Resolve aluno.id from Auth email — treino.alunoId is Prisma ID, user.id is Auth UUID
247+
const alunoConsulta = await prisma.aluno.findUnique({ where: { email: user.email ?? '' } });
248+
246249
if (
247250
funcData?.role !== 'GERENTE' &&
248251
treino?.instrutorId !== user.id &&
249-
treino?.alunoId !== user.id
252+
treino?.alunoId !== alunoConsulta?.id
250253
) {
251254
return { success: false, error: 'Acesso não autorizado' };
252255
}
@@ -286,10 +289,13 @@ export async function deleteTreinoAction(treinoId: string) {
286289
select: { instrutorId: true, alunoId: true },
287290
});
288291

292+
// Resolve aluno.id from Auth email — treino.alunoId is Prisma ID, user.id is Auth UUID
293+
const alunoConsulta = await prisma.aluno.findUnique({ where: { email: user.email ?? '' } });
294+
289295
if (
290296
funcData?.role !== 'GERENTE' &&
291297
treino?.instrutorId !== user.id &&
292-
treino?.alunoId !== user.id
298+
treino?.alunoId !== alunoConsulta?.id
293299
) {
294300
return { success: false, error: 'Acesso não autorizado' };
295301
}

0 commit comments

Comments
 (0)