1.3.9

fix: trips admin shows only users with trips.record permission
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 08:56:14 +01:00 · 2026-03-28 08:56:14 +01:00
4 changed files with 44 additions and 12 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "app-ts",
-  "version": "1.3.8",
+  "version": "1.3.9",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app-ts",
-      "version": "1.3.8",
+      "version": "1.3.9",
      "license": "ISC",
      "dependencies": {
        "@dnd-kit/core": "^6.3.1",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "app-ts",
-  "version": "1.3.8",
+  "version": "1.3.9",
  "description": "",
  "main": "dist/server.js",
  "scripts": {
--- a/src/admin/pages/TripsAdmin.tsx
+++ b/src/admin/pages/TripsAdmin.tsx
@@ -127,7 +127,7 @@ export default function TripsAdmin() {
      try {
        const [vRes, uRes, csRes] = await Promise.all([
          apiFetch(`${API_BASE}/vehicles`),
-          apiFetch(`${API_BASE}/users?limit=1000`),
+          apiFetch(`${API_BASE}/trips/users`),
          apiFetch(`${API_BASE}/company-settings`),
        ]);
        const vJson = await vRes.json();
@@ -136,14 +136,7 @@ export default function TripsAdmin() {
        if (vJson.success) setVehicles(vJson.data);
        if (csJson.success) setCompanyName(csJson.data.company_name || "");
        if (uJson.success) {
-          setUsers(
-            uJson.data.map(
-              (u: { id: number; first_name: string; last_name: string }) => ({
-                id: u.id,
-                name: `${u.first_name} ${u.last_name}`,
-              }),
-            ),
-          );
+          setUsers(uJson.data);
        }
      } catch {
        // silently fail, filters will just be empty
--- a/src/routes/admin/trips.ts
+++ b/src/routes/admin/trips.ts
@@ -66,6 +66,45 @@ export default async function tripsRoutes(
    });
  });

+  // GET /api/admin/trips/users — users with trips.record permission
+  fastify.get(
+    "/users",
+    { preHandler: requireAuth },
+    async (_request, reply) => {
+      const users = await prisma.users.findMany({
+        where: {
+          is_active: true,
+          roles: {
+            is: {
+              OR: [
+                { name: "admin" },
+                {
+                  role_permissions: {
+                    some: { permissions: { name: "trips.record" } },
+                  },
+                },
+              ],
+            },
+          },
+        },
+        select: {
+          id: true,
+          first_name: true,
+          last_name: true,
+          username: true,
+        },
+        orderBy: { last_name: "asc" },
+      });
+      return success(
+        reply,
+        users.map((u) => ({
+          id: u.id,
+          name: `${u.first_name} ${u.last_name}`.trim() || u.username,
+        })),
+      );
+    },
+  );
+
  // GET /api/admin/trips/print — print data for trip report
  fastify.get(
    "/print",
Author	SHA1	Message	Date
BOHA	79b2fa5570	1.3.9	2026-03-28 08:56:14 +01:00
BOHA	35fa172d36	fix: trips admin shows only users with trips.record permission Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 08:56:14 +01:00