new feature

app/api/categories/[id]/route.ts

@@ -1,11 +1,10 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { NextRequest, NextResponse } from 'next/server'
-import { createClient } from '@/lib/supabase/server'
+import { createClient, createAdminClient } from '@/lib/supabase/server'
 
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const supabase = await createClient()
-    const db = supabase as any
     const { data: { user }, error: authError } = await supabase.auth.getUser()
     if (authError || !user) return NextResponse.json({ error: 'Non autorisé' }, { status: 401 })
 
@@ -13,14 +12,17 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     const { name, description } = await request.json()
     if (!name?.trim()) return NextResponse.json({ error: 'Nom requis' }, { status: 400 })
 
-    const { data, error } = await db
+    const admin = createAdminClient() as any
+    const { data, error } = await admin
       .from('categories')
       .update({ name: name.trim(), description: description?.trim() || null })
       .eq('id', id)
+      .eq('created_by', user.id)
       .select()
       .single()
 
     if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+    if (!data) return NextResponse.json({ error: 'Catégorie introuvable ou accès refusé' }, { status: 404 })
     return NextResponse.json({ success: true, category: data })
   } catch {
     return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 })
@@ -30,12 +32,17 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 export async function DELETE(_request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const supabase = await createClient()
-    const db = supabase as any
     const { data: { user }, error: authError } = await supabase.auth.getUser()
     if (authError || !user) return NextResponse.json({ error: 'Non autorisé' }, { status: 401 })
 
     const { id } = await params
-    const { error } = await db.from('categories').delete().eq('id', id)
+    const admin = createAdminClient() as any
+    const { error } = await admin
+      .from('categories')
+      .delete()
+      .eq('id', id)
+      .eq('created_by', user.id)
+
     if (error) return NextResponse.json({ error: error.message }, { status: 500 })
     return NextResponse.json({ success: true })
   } catch {

app/api/subchapters/[id]/route.ts

@@ -1,11 +1,10 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { NextRequest, NextResponse } from 'next/server'
-import { createClient } from '@/lib/supabase/server'
+import { createClient, createAdminClient } from '@/lib/supabase/server'
 
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const supabase = await createClient()
-    const db = supabase as any
     const { data: { user }, error: authError } = await supabase.auth.getUser()
     if (authError || !user) return NextResponse.json({ error: 'Non autorisé' }, { status: 401 })
 
@@ -13,14 +12,17 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     const { name } = await request.json()
     if (!name?.trim()) return NextResponse.json({ error: 'Nom requis' }, { status: 400 })
 
-    const { data, error } = await db
+    const admin = createAdminClient() as any
+    const { data, error } = await admin
       .from('subchapters')
       .update({ name: name.trim() })
       .eq('id', id)
+      .eq('created_by', user.id)
       .select()
       .single()
 
     if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+    if (!data) return NextResponse.json({ error: 'Chapitre introuvable ou accès refusé' }, { status: 404 })
     return NextResponse.json({ success: true, subchapter: data })
   } catch {
     return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 })
@@ -30,12 +32,17 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 export async function DELETE(_request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const supabase = await createClient()
-    const db = supabase as any
     const { data: { user }, error: authError } = await supabase.auth.getUser()
     if (authError || !user) return NextResponse.json({ error: 'Non autorisé' }, { status: 401 })
 
     const { id } = await params
-    const { error } = await db.from('subchapters').delete().eq('id', id)
+    const admin = createAdminClient() as any
+    const { error } = await admin
+      .from('subchapters')
+      .delete()
+      .eq('id', id)
+      .eq('created_by', user.id)
+
     if (error) return NextResponse.json({ error: error.message }, { status: 500 })
     return NextResponse.json({ success: true })
   } catch {

app/api/subchapters/create/route.ts

@@ -14,7 +14,7 @@ export async function POST(request: NextRequest) {
 
     const { data, error } = await db
       .from('subchapters')
-      .insert({ category_id, name: name.trim() })
+      .insert({ category_id, name: name.trim(), created_by: user.id })
       .select()
       .single()
 

app/dashboard/quizzes/page.tsx

@@ -22,10 +22,11 @@ export default async function QuizzesPage() {
       { count: totalQuizzes },
       { data: sessionIds },
     ] = await Promise.all([
-      // Catégories + chapitres : lecture publique, client normal OK
-      db
+      // Catégories + chapitres : filtre explicite created_by via admin client
+      admin
         .from('categories')
         .select('id, name, description, subchapters(id, name)')
+        .eq('created_by', user.id)
         .order('name'),
       // Quizzes : client admin pour bypasser la RLS (filtre author_id en JS)
       admin