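import { NextRequest, NextResponse } from "next/server";
import { prisma } from "@/lib/prisma";
import { hashPassword } from "@/lib/auth";
import { requireAuth, requireRole, forbidden } from "@/lib/api-auth";

/**
 * Narrows an untrusted JSON value to a plain object so its fields can be read
 * with `unknown` types instead of `any`.
 */
function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

/**
 * Drops the stored password hash from a user row before it leaves the server.
 * The listing and creation handlers below return rows read from Prisma, which
 * otherwise include the `password` column written by POST.
 */
function withoutPassword<T extends { password?: unknown }>(row: T): Omit<T, "password"> {
  const { password: _omitted, ...rest } = row;
  void _omitted;
  return rest;
}

/**
 * Lists users, optionally filtered by `establishmentId` and `role` query params.
 *
 * Superadmins may read any establishment; every other role is pinned to its
 * own establishment and gets 403 if it asks for a different one.
 *
 * @returns 200 with the matching users (password hashes removed), newest first;
 *   the auth helper's response when the caller is not authenticated.
 */
export async function GET(req: NextRequest) {
  const user = await requireAuth();
  if (user instanceof NextResponse) return user;

  const { searchParams } = new URL(req.url);
  const establishmentId = searchParams.get("establishmentId");
  const role = searchParams.get("role");

  // Cross-establishment reads are only allowed for superadmins.
  if (user.role !== "superadmin" && establishmentId && establishmentId !== user.establishmentId) {
    return forbidden();
  }

  // `||` rather than `??` on purpose: an empty `?establishmentId=` counts as absent,
  // matching the truthiness check above. Non-superadmins are scoped to their own
  // establishment even when they pass nothing; superadmins then see everything.
  const scopedEstablishmentId =
    establishmentId || (user.role !== "superadmin" ? user.establishmentId : undefined);

  // Typed filter object instead of `any` so the column names are checked.
  const where = {
    ...(scopedEstablishmentId !== undefined ? { establishmentId: scopedEstablishmentId } : {}),
    ...(role ? { role } : {}),
  };

  const users = await prisma.user.findMany({
    where,
    orderBy: { createdAt: "desc" },
  });
  return NextResponse.json(users.map(withoutPassword));
}

/**
 * Creates a user from a JSON body `{ email, password, role, establishmentId? }`.
 *
 * Only superadmins and admins may call this. Admins cannot create superadmins
 * and cannot place users outside their own establishment; the new user's
 * establishment is forced to the admin's own.
 *
 * @returns 201 with the created user (password hash removed); 400 on malformed
 *   JSON or missing/invalid fields; 403 when the caller's role forbids the request.
 */
export async function POST(req: NextRequest) {
  const user = await requireAuth();
  if (user instanceof NextResponse) return user;
  const denied = requireRole(user, "superadmin", "admin");
  if (denied) return denied;

  // The body is client-controlled: malformed JSON is a 400, not an unhandled 500.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
  }
  const fields = isRecord(body) ? body : {};
  const { email, password, role, establishmentId } = fields;

  // Require non-empty strings rather than mere truthiness so objects or numbers
  // never reach the hasher or the database.
  if (
    typeof email !== "string" || !email ||
    typeof password !== "string" || !password ||
    typeof role !== "string" || !role
  ) {
    return NextResponse.json({ error: "Missing email, password or role" }, { status: 400 });
  }
  if (establishmentId != null && typeof establishmentId !== "string") {
    return NextResponse.json({ error: "Invalid establishmentId" }, { status: 400 });
  }
  // null and undefined both mean "not supplied".
  const requestedEstablishmentId = typeof establishmentId === "string" ? establishmentId : undefined;

  // NOTE(review): `role` is not checked against the set of known roles here; an
  // unknown value is only rejected if the column is a database enum — confirm.
  if (user.role === "admin") {
    if (role === "superadmin") return forbidden();
    if (requestedEstablishmentId && requestedEstablishmentId !== user.establishmentId) return forbidden();
  }

  const finalEstablishmentId = user.role === "superadmin" ? requestedEstablishmentId : user.establishmentId;
  const created = await prisma.user.create({
    data: {
      email,
      password: await hashPassword(password),
      role,
      establishmentId: finalEstablishmentId,
    },
  });
  return NextResponse.json(withoutPassword(created), { status: 201 });
}

/**
 * Deletes the user identified by the `id` query param.
 *
 * Only superadmins and admins may call this. Admins cannot delete superadmins
 * or users of another establishment.
 *
 * @returns 200 `{ ok: true }` on success; 400 without an id; 404 when no such
 *   user exists; 403 when the caller's role forbids the deletion.
 */
export async function DELETE(req: NextRequest) {
  const user = await requireAuth();
  if (user instanceof NextResponse) return user;
  const denied = requireRole(user, "superadmin", "admin");
  if (denied) return denied;

  const id = new URL(req.url).searchParams.get("id");
  if (!id) return NextResponse.json({ error: "Missing id" }, { status: 400 });

  const target = await prisma.user.findUnique({ where: { id } });
  if (!target) return NextResponse.json({ error: "Not found" }, { status: 404 });

  if (user.role === "admin") {
    // NOTE(review): answering 404 before this scope check lets an admin learn
    // whether an id exists in another establishment; return 404 for out-of-scope
    // targets if that distinction matters.
    if (target.role === "superadmin") return forbidden();
    if (target.establishmentId !== user.establishmentId) return forbidden();
  }

  // NOTE(review): nothing prevents a caller from deleting their own account;
  // add a `target.id === user.id` guard if that is unintended.
  await prisma.user.delete({ where: { id } });
  return NextResponse.json({ ok: true });
}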