feat: restrict patient deletion to admin users only
This commit is contained in:
ff
@@ -322,19 +322,19 @@ router.delete(
|
||||
|
||||
const patientId = parseInt(patientIdParam);
|
||||
|
||||
// Check if patient exists and belongs to user
|
||||
// Only admin users can delete patients
|
||||
if (req.user!.username !== "admin") {
|
||||
return res.status(403).json({
|
||||
message: "Forbidden: Only admin users can delete patients.",
|
||||
});
|
||||
}
|
||||
|
||||
// Check if patient exists
|
||||
const existingPatient = await storage.getPatient(patientId);
|
||||
if (!existingPatient) {
|
||||
return res.status(404).json({ message: "Patient not found" });
|
||||
}
|
||||
|
||||
if (existingPatient.userId !== req.user!.id) {
|
||||
return res.status(403).json({
|
||||
message:
|
||||
"Forbidden: Patient belongs to a different user, you can't delete this.",
|
||||
});
|
||||
}
|
||||
|
||||
// Delete patient
|
||||
await storage.deletePatient(patientId);
|
||||
res.status(204).send();
|
||||
|
||||
@@ -89,6 +89,7 @@ export function PatientTable({
|
||||
}: PatientTableProps) {
|
||||
const { toast } = useToast();
|
||||
const { user } = useAuth();
|
||||
const isAdmin = user?.username === "admin";
|
||||
|
||||
const [currentPatient, setCurrentPatient] = useState<Patient | undefined>(
|
||||
undefined
|
||||
@@ -1075,13 +1076,13 @@ export function PatientTable({
|
||||
|
||||
<TableCell className="text-right">
|
||||
<div className="flex justify-end">
|
||||
{allowDelete && (
|
||||
{allowDelete && isAdmin && (
|
||||
<Button
|
||||
onClick={() => {
|
||||
handleDeletePatient(patient);
|
||||
}}
|
||||
className="text-red-600 hover:text-red-900"
|
||||
aria-label="Delete Staff"
|
||||
aria-label="Delete Patient"
|
||||
variant="ghost"
|
||||
size="icon"
|
||||
title="Delete Patient"
|
||||
|
||||
Reference in New Issue
Block a user