diff --git a/apps/Backend/src/routes/patients.ts b/apps/Backend/src/routes/patients.ts
index 3cce1bd..94331fa 100755
--- a/apps/Backend/src/routes/patients.ts
+++ b/apps/Backend/src/routes/patients.ts
@@ -322,19 +322,19 @@ router.delete(
 const patientId = parseInt(patientIdParam);
- // Check if patient exists and belongs to user
+ // Only admin users can delete patients
+ if (req.user!.username !== "admin") {
+ return res.status(403).json({
+ message: "Forbidden: Only admin users can delete patients.",
+ });
+ }
+
+ // Check if patient exists
 const existingPatient = await storage.getPatient(patientId);
 if (!existingPatient) {
 return res.status(404).json({ message: "Patient not found" });
 }
- if (existingPatient.userId !== req.user!.id) {
- return res.status(403).json({
- message:
- "Forbidden: Patient belongs to a different user, you can't delete this.",
- });
- }
-
 // Delete patient
 await storage.deletePatient(patientId);
 res.status(204).send();
diff --git a/apps/Frontend/src/components/patients/patient-table.tsx b/apps/Frontend/src/components/patients/patient-table.tsx
index 616f904..2972c45 100755
--- a/apps/Frontend/src/components/patients/patient-table.tsx
+++ b/apps/Frontend/src/components/patients/patient-table.tsx
@@ -89,6 +89,7 @@ export function PatientTable({
 }: PatientTableProps) {
 const { toast } = useToast();
 const { user } = useAuth();
+ const isAdmin = user?.username === "admin";
 const [currentPatient, setCurrentPatient] = useState(
 undefined
@@ -1075,13 +1076,13 @@ export function PatientTable({
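Review bot: The new authorization decision at `if (req.user!.username !== "admin")` keys the privileged role on a hard-coded username string rather than on a role or claim carried by the authenticated principal, so any account that can be registered or renamed as "admin" gains delete rights on every patient, and the same literal is repeated in the Frontend hunk (`const isAdmin = user?.username === "admin"`), where it is only UI gating and not enforcement. If the user record carries no role field, the check should at least live in one shared helper so backend and frontend cannot drift, with a comment such as `// Admin privilege is keyed on the reserved username "admin"; that name must be unique and non-reassignable at registration`. Note also that the previous per-owner check is dropped entirely, so an admin now deletes across all owners and a non-admin owner can no longer delete their own record; worth confirming that is intended and covered by a test. The `req.user!` non-null assertion presumes an authentication middleware ran earlier on this route, which is not visible here because the handler starts before and ends after this hunk.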
- {allowDelete && (
+ {allowDelete && isAdmin && (