From 35fa172d36a9873eedd00a0e99e6cc991fb4d3eb Mon Sep 17 00:00:00 2001
From: BOHA <boha@boha.cz>
Date: Sat, 28 Mar 2026 08:56:14 +0100
Subject: [PATCH] fix: trips admin shows only users with trips.record
 permission

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/admin/pages/TripsAdmin.tsx | 11 ++--------
 src/routes/admin/trips.ts      | 39 ++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/src/admin/pages/TripsAdmin.tsx b/src/admin/pages/TripsAdmin.tsx
index 57a2ceb..26a0cd1 100644
--- a/src/admin/pages/TripsAdmin.tsx
+++ b/src/admin/pages/TripsAdmin.tsx
@@ -127,7 +127,7 @@ export default function TripsAdmin() {
       try {
         const [vRes, uRes, csRes] = await Promise.all([
           apiFetch(`${API_BASE}/vehicles`),
-          apiFetch(`${API_BASE}/users?limit=1000`),
+          apiFetch(`${API_BASE}/trips/users`),
           apiFetch(`${API_BASE}/company-settings`),
         ]);
         const vJson = await vRes.json();
@@ -136,14 +136,7 @@ export default function TripsAdmin() {
         if (vJson.success) setVehicles(vJson.data);
         if (csJson.success) setCompanyName(csJson.data.company_name || "");
         if (uJson.success) {
-          setUsers(
-            uJson.data.map(
-              (u: { id: number; first_name: string; last_name: string }) => ({
-                id: u.id,
-                name: `${u.first_name} ${u.last_name}`,
-              }),
-            ),
-          );
+          setUsers(uJson.data);
         }
       } catch {
         // silently fail, filters will just be empty
diff --git a/src/routes/admin/trips.ts b/src/routes/admin/trips.ts
index 7a17fe8..9b4cd56 100644
--- a/src/routes/admin/trips.ts
+++ b/src/routes/admin/trips.ts
@@ -66,6 +66,45 @@ export default async function tripsRoutes(
     });
   });
 
+  // GET /api/admin/trips/users — users with trips.record permission
+  fastify.get(
+    "/users",
+    { preHandler: requireAuth },
+    async (_request, reply) => {
+      const users = await prisma.users.findMany({
+        where: {
+          is_active: true,
+          roles: {
+            is: {
+              OR: [
+                { name: "admin" },
+                {
+                  role_permissions: {
+                    some: { permissions: { name: "trips.record" } },
+                  },
+                },
+              ],
+            },
+          },
+        },
+        select: {
+          id: true,
+          first_name: true,
+          last_name: true,
+          username: true,
+        },
+        orderBy: { last_name: "asc" },
+      });
+      return success(
+        reply,
+        users.map((u) => ({
+          id: u.id,
+          name: `${u.first_name} ${u.last_name}`.trim() || u.username,
+        })),
+      );
+    },
+  );
+
   // GET /api/admin/trips/print — print data for trip report
   fastify.get(
     "/print",