From 9a0acb89832e1d85176eea9861026e1d09f95592 Mon Sep 17 00:00:00 2001
From: BOHA <boha@boha.cz>
Date: Mon, 23 Mar 2026 13:12:22 +0100
Subject: [PATCH] fix: allow any authenticated user to list vehicles

Vehicle list (GET) now requires only authentication, not trips.vehicles
permission. Users with trips.view can see available cars in the trip
modal. Create/update/delete still require trips.vehicles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/admin/vehicles.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/admin/vehicles.ts b/src/routes/admin/vehicles.ts
index 73c8b3b..6b1b2d8 100644
--- a/src/routes/admin/vehicles.ts
+++ b/src/routes/admin/vehicles.ts
@@ -1,13 +1,13 @@
 import { FastifyInstance } from 'fastify';
 import prisma from '../../config/database';
-import { requirePermission } from '../../middleware/auth';
+import { requireAuth, requirePermission } from '../../middleware/auth';
 import { logAudit } from '../../services/audit';
 import { success, error, parseId } from '../../utils/response';
 import { parseBody } from '../../schemas/common';
 import { CreateVehicleSchema, UpdateVehicleSchema } from '../../schemas/vehicles.schema';
 
 export default async function vehiclesRoutes(fastify: FastifyInstance): Promise<void> {
-  fastify.get('/', { preHandler: requirePermission('trips.vehicles') }, async (_request, reply) => {
+  fastify.get('/', { preHandler: requireAuth }, async (_request, reply) => {
     const vehicles = await prisma.vehicles.findMany({ orderBy: { name: 'asc' } });
 
     // Compute current_km and trip_count from trips table