1.4.0

Admins were seeing all requests on their own requests page.
Added mine=1 param to force user_id filter regardless of role.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "app-ts",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "app-ts",
-      "version": "1.3.5",
+      "version": "1.4.0",
       "license": "ISC",
       "dependencies": {
         "@dnd-kit/core": "^6.3.1",
@@ -2089,9 +2089,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "5.0.4",
+      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^4.0.2"
@@ -3086,9 +3086,9 @@
       "license": "BSD-3-Clause"
     },
     "node_modules/fastify": {
-      "version": "5.8.2",
+      "version": "5.8.4",
-      "resolved": "https://registry.npmjs.org/fastify/-/fastify-5.8.2.tgz",
+      "resolved": "https://registry.npmjs.org/fastify/-/fastify-5.8.4.tgz",
-      "integrity": "sha512-lZmt3navvZG915IE+f7/TIVamxIwmBd+OMB+O9WBzcpIwOo6F0LTh0sluoMFk5VkrKTvvrwIaoJPkir4Z+jtAg==",
+      "integrity": "sha512-sa42J1xylbBAYUWALSBoyXKPDUvM3OoNOibIefA+Oha57FryXKKCZarA1iDntOCWp3O35voZLuDg2mdODXtPzQ==",
       "funding": [
         {
           "type": "github",
@@ -4282,9 +4282,9 @@
       "license": "MIT"
     },
     "node_modules/nodemailer": {
-      "version": "8.0.2",
+      "version": "8.0.4",
-      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.4.tgz",
-      "integrity": "sha512-zbj002pZAIkWQFxyAaqoxvn+zoIwRnS40hgjqTXudKOOJkiFFgBeNqjgD3/YCR12sZnrghWYBY+yP1ZucdDRpw==",
+      "integrity": "sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==",
       "license": "MIT-0",
       "engines": {
         "node": ">=6.0.0"
@@ -4540,9 +4540,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
+      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "app-ts",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "description": "",
   "main": "dist/server.js",
   "scripts": {

src/admin/hooks/useAttendanceAdmin.ts

@@ -561,7 +561,9 @@ export default function useAttendanceAdmin({ alert }: AlertContext) {
   useEffect(() => {
     const loadUsers = async () => {
       try {
-        const response = await apiFetch(`${API_BASE}/users?limit=1000`);
+        const response = await apiFetch(
+          `${API_BASE}/attendance?action=attendance_users`,
+        );
         const result = await response.json();
         if (result.success) {
           const apiUsers: ApiUser[] = result.data;

src/admin/pages/Dashboard.tsx

@@ -493,7 +493,7 @@ export default function Dashboard() {
                     </span>
                   </div>
                   <div className="dash-stat-row">
-                    <span>Prošlé</span>
+                    <span>Zneplatněné</span>
                     <span className="admin-badge admin-badge-warning">
                       {dashData.offers.expired_count}
                     </span>

src/admin/pages/LeaveRequests.tsx

@@ -61,7 +61,7 @@ export default function LeaveRequests() {
 
   const fetchRequests = useCallback(async () => {
     try {
-      const response = await apiFetch(`${API_BASE}/leave-requests`);
+      const response = await apiFetch(`${API_BASE}/leave-requests?mine=1`);
       if (response.status === 401) return;
       const result = await response.json();
       if (result.success) {

src/admin/pages/TripsAdmin.tsx

@@ -127,7 +127,7 @@ export default function TripsAdmin() {
       try {
         const [vRes, uRes, csRes] = await Promise.all([
           apiFetch(`${API_BASE}/vehicles`),
-          apiFetch(`${API_BASE}/users?limit=1000`),
+          apiFetch(`${API_BASE}/trips/users`),
           apiFetch(`${API_BASE}/company-settings`),
         ]);
         const vJson = await vRes.json();
@@ -136,14 +136,7 @@ export default function TripsAdmin() {
         if (vJson.success) setVehicles(vJson.data);
         if (csJson.success) setCompanyName(csJson.data.company_name || "");
         if (uJson.success) {
-          setUsers(
+          setUsers(uJson.data);
-            uJson.data.map(
-              (u: { id: number; first_name: string; last_name: string }) => ({
-                id: u.id,
-                name: `${u.first_name} ${u.last_name}`,
-              }),
-            ),
-          );
         }
       } catch {
         // silently fail, filters will just be empty

src/routes/admin/attendance.ts

@@ -1,4 +1,5 @@
 import { FastifyInstance } from "fastify";
+import prisma from "../../config/database";
 import { requireAuth, requirePermission } from "../../middleware/auth";
 import { logAudit } from "../../services/audit";
 import { success, error, parseId } from "../../utils/response";
@@ -132,6 +133,38 @@ export default async function attendanceRoutes(
       return reply.send({ success: true, data });
     }
 
+    // --- action=attendance_users: users with attendance.record permission ---
+    if (action === "attendance_users") {
+      const users = await prisma.users.findMany({
+        where: {
+          is_active: true,
+          roles: {
+            is: {
+              OR: [
+                { name: "admin" },
+                {
+                  role_permissions: {
+                    some: { permissions: { name: "attendance.record" } },
+                  },
+                },
+              ],
+            },
+          },
+        },
+        select: { id: true, first_name: true, last_name: true, username: true },
+        orderBy: { last_name: "asc" },
+      });
+      return reply.send({
+        success: true,
+        data: users.map((u) => ({
+          id: u.id,
+          first_name: u.first_name,
+          last_name: u.last_name,
+          username: u.username,
+        })),
+      });
+    }
+
     // --- action=projects: active projects for attendance project switching ---
     if (action === "projects") {
       const data = await attendanceService.getActiveProjects();

src/routes/admin/dashboard.ts

@@ -142,8 +142,8 @@ export default async function dashboardRoutes(
       const [openCount, convertedCount, expiredCount, createdThisMonth] =
         await Promise.all([
           prisma.quotations.count({ where: { status: "active" } }),
-          prisma.quotations.count({ where: { status: "converted" } }),
+          prisma.quotations.count({ where: { status: "ordered" } }),
-          prisma.quotations.count({ where: { status: "expired" } }),
+          prisma.quotations.count({ where: { status: "invalidated" } }),
           prisma.quotations.count({
             where: { created_at: { gte: monthStart, lt: monthEnd } },
           }),

src/routes/admin/leave-requests.ts

@@ -29,7 +29,7 @@ export default async function leaveRequestsRoutes(
     const isAdmin = authData.permissions.includes("attendance.approve");
 
     const where: Record<string, unknown> = {};
-    if (!isAdmin) where.user_id = authData.userId;
+    if (!isAdmin || query.mine === "1") where.user_id = authData.userId;
     else if (query.user_id) where.user_id = Number(query.user_id);
     if (query.status) where.status = String(query.status);
 

src/routes/admin/trips.ts

@@ -66,6 +66,45 @@ export default async function tripsRoutes(
     });
   });
 
+  // GET /api/admin/trips/users — users with trips.record permission
+  fastify.get(
+    "/users",
+    { preHandler: requireAuth },
+    async (_request, reply) => {
+      const users = await prisma.users.findMany({
+        where: {
+          is_active: true,
+          roles: {
+            is: {
+              OR: [
+                { name: "admin" },
+                {
+                  role_permissions: {
+                    some: { permissions: { name: "trips.record" } },
+                  },
+                },
+              ],
+            },
+          },
+        },
+        select: {
+          id: true,
+          first_name: true,
+          last_name: true,
+          username: true,
+        },
+        orderBy: { last_name: "asc" },
+      });
+      return success(
+        reply,
+        users.map((u) => ({
+          id: u.id,
+          name: `${u.first_name} ${u.last_name}`.trim() || u.username,
+        })),
+      );
+    },
+  );
+
   // GET /api/admin/trips/print — print data for trip report
   fastify.get(
     "/print",

src/schemas/users.schema.ts

@@ -16,7 +16,10 @@ export const CreateUserSchema = z.object({
 export const UpdateUserSchema = z.object({
   username: z.string().optional(),
   email: z.string().email("Neplatný formát e-mailu").optional(),
-  password: z.string().min(8, "Heslo musí mít alespoň 8 znaků").optional(),
+  password: z.preprocess(
+    (v) => (v === "" ? undefined : v),
+    z.string().min(8, "Heslo musí mít alespoň 8 znaků").optional(),
+  ),
   first_name: z.string().optional(),
   last_name: z.string().optional(),
   role_id: z.union([z.number(), z.string(), z.null()]).optional(),

src/services/attendance.service.ts

@@ -4,6 +4,29 @@ import { getBusinessDaysInMonth } from "../utils/czech-holidays";
 import { localDateStr } from "../utils/date";
 import { getSystemSettings } from "./system-settings";
 
+/** Get active users whose role has attendance.record permission (or admin role) */
+async function getAttendanceUsers() {
+  return prisma.users.findMany({
+    where: {
+      is_active: true,
+      roles: {
+        is: {
+          OR: [
+            { name: "admin" },
+            {
+              role_permissions: {
+                some: { permissions: { name: "attendance.record" } },
+              },
+            },
+          ],
+        },
+      },
+    },
+    select: { id: true, first_name: true, last_name: true },
+    orderBy: { last_name: "asc" },
+  });
+}
+
 type AttendanceWithRelations = Prisma.attendanceGetPayload<{
   include: {
     users: { select: { id: true; first_name: true; last_name: true } };
@@ -421,11 +444,7 @@ export async function switchProject(userId: number, projectId: number | null) {
 }
 
 export async function getBalances(year: number) {
-  const users = await prisma.users.findMany({
+  const users = await getAttendanceUsers();
-    where: { is_active: true },
-    select: { id: true, first_name: true, last_name: true },
-    orderBy: { last_name: "asc" },
-  });
 
   const balances: Record<
     string,
@@ -463,11 +482,7 @@ export async function getBalances(year: number) {
 }
 
 export async function getWorkfund(year: number) {
-  const users = await prisma.users.findMany({
+  const users = await getAttendanceUsers();
-    where: { is_active: true },
-    select: { id: true, first_name: true, last_name: true },
-    orderBy: { last_name: "asc" },
-  });
 
   const now = new Date();
   const currentYear = now.getFullYear();
@@ -734,11 +749,7 @@ export async function getPrintData(
   const monthStart = new Date(yr, mo - 1, 1);
   const monthEnd = new Date(yr, mo, 0, 23, 59, 59);
 
-  const users = await prisma.users.findMany({
+  const users = await getAttendanceUsers();
-    where: { is_active: true },
-    select: { id: true, first_name: true, last_name: true },
-    orderBy: { last_name: "asc" },
-  });
 
   const where: Record<string, unknown> = {
     shift_date: { gte: monthStart, lte: monthEnd },