consultoria-as/HoruxDespachosNuevo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: vendedor accede a invitaciones trial (no invitar cliente)

Browse Source
This commit is contained in:
Horux Dev
2026-06-22 23:06:39 +00:00
parent cc002adbd2
commit a1727321c3
4 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
apps/api/src/controllers/client-invitations.controller.ts
View File

@@ -9,10 +9,10 @@ export async function createInvitation(req: Request, res: Response, next: NextFu
return res.status(400).json({ message: 'El email es requerido' });
}
// Admin y Vendedor (platform_sales) pueden crear invitaciones
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin', 'platform_sales');
// Solo platform_admin puede crear invitaciones de cliente
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin');
if (!isAdmin) {
return res.status(403).json({ message: 'Solo administradores o vendedores pueden crear invitaciones' });
return res.status(403).json({ message: 'Solo administradores pueden crear invitaciones' });
}
const invitation = await clientInvitationService.createInvitation({
@@ -70,7 +70,7 @@ export async function registerFromInvitation(req: Request, res: Response, next:
export async function resendInvitation(req: Request, res: Response, next: NextFunction) {
try {
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin', 'platform_sales');
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin');
if (!isAdmin) {
return res.status(403).json({ message: 'No autorizado' });
}
@@ -88,7 +88,7 @@ export async function resendInvitation(req: Request, res: Response, next: NextFu
export async function listInvitations(req: Request, res: Response, next: NextFunction) {
try {
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin', 'platform_sales');
const isAdmin = await hasAnyPlatformRole(req.user!.userId, 'platform_admin');
if (!isAdmin) {
return res.status(403).json({ message: 'No autorizado' });
}

7
apps/api/src/controllers/tenants.controller.ts
View File

@@ -3,6 +3,7 @@ import { z } from 'zod';
import * as tenantsService from '../services/tenants.service.js';
import { AppError } from '../middlewares/error.middleware.js';
import { isGlobalAdmin } from '../utils/global-admin.js';
import { hasAnyPlatformRole } from '../utils/platform-admin.js';
import { isOwnerSomewhere } from '../utils/memberships.js';
async function requireGlobalAdmin(req: Request): Promise<void> {
@@ -13,8 +14,10 @@ async function requireGlobalAdmin(req: Request): Promise<void> {
export async function getAllTenants(req: Request, res: Response, next: NextFunction) {
try {
const isAdmin = await isGlobalAdmin(req.user!.tenantId, req.user!.role, req.user!.userId);
if (!isAdmin) {
// Admin global, TI y Vendedor pueden ver el listado completo de tenants.
// Vendedor lo necesita para enviar invitaciones de trial.
const canList = await hasAnyPlatformRole(req.user!.userId, 'platform_admin', 'platform_ti', 'platform_sales');
if (!canList) {
// Evita 403 en consola del frontend cuando componentes sin-gate hacen polling
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
return res.json([]);