/* eslint-disable @typescript-eslint/no-explicit-any */
import { NextRequest, NextResponse } from 'next/server'
import { createClient } from '@/lib/supabase/server'
import { createAdminClient } from '@/lib/supabase/server'
/**
 * Resolves the caller of the current request and confirms they hold the
 * `admin` role in `profiles`.
 *
 * Both lookups use the request-scoped client: the session comes from
 * `supabase.auth.getUser()` and the role from the caller's own `profiles`
 * row, so the role lookup presumably runs under the caller's own RLS
 * policies (verify that `profiles` lets a user read their own row, otherwise
 * every admin is rejected here).
 *
 * @returns the authenticated user when they are an admin, otherwise `null`
 *          (no session, auth error, missing/failed profile lookup, or a
 *          non-admin role).
 */
async function assertAdmin() {
  const supabase = await createClient()
  // Generated Database types are not wired up for this client, hence the escape hatch.
  const untypedDb = supabase as any

  const authResult = await supabase.auth.getUser()
  const sessionUser = authResult.data.user
  if (authResult.error || !sessionUser) return null

  // A failed or empty lookup leaves `data` nullish; the optional chain then
  // resolves to `undefined`, which fails the equality check below.
  const profileResult = await untypedDb
    .from('profiles')
    .select('role')
    .eq('id', sessionUser.id)
    .single()
  const role = profileResult.data?.role

  return role === 'admin' ? sessionUser : null
}
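/**
 * PATCH /api/admin/users/[id] — change a user's role.
 *
 * Flow: admin gate → validate the JSON body → forbid self-modification →
 * write `profiles.role` through `createAdminClient()`. That client is
 * presumably service-role and bypasses RLS, so the checks in this handler
 * are the only guard in front of the write — keep them before the update.
 *
 * @param request body `{ role: 'admin' | 'formateur' }`
 * @param params  route segment `id`, the target user's id
 * @returns 403 when the caller is not an admin; 400 on a malformed body,
 *          unknown role or self-targeting; 500 on a database or unexpected
 *          error; `{ success: true }` otherwise.
 */
export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  try {
    const caller = await assertAdmin()
    if (!caller) return NextResponse.json({ error: 'Accès refusé' }, { status: 403 })

    const { id } = await params

    // A body that is not valid JSON is a client error; parse it separately so it
    // yields 400 instead of falling through to the outer catch as a 500.
    let body: unknown
    try {
      body = await request.json()
    } catch {
      return NextResponse.json({ error: 'Corps de requête invalide' }, { status: 400 })
    }
    // Tolerate a non-object body (e.g. `null`) instead of throwing on destructuring.
    const role: unknown =
      typeof body === 'object' && body !== null ? (body as { role?: unknown }).role : undefined

    // Allow-list of assignable roles; anything else (missing, non-string, or
    // any other value) is rejected before the database is touched.
    const assignableRoles = ['admin', 'formateur']
    if (typeof role !== 'string' || !assignableRoles.includes(role)) {
      return NextResponse.json({ error: 'Rôle invalide' }, { status: 400 })
    }

    // An admin must not change their own role (e.g. lock themselves out).
    if (id === caller.id) {
      return NextResponse.json({ error: 'Vous ne pouvez pas modifier votre propre rôle' }, { status: 400 })
    }

    const admin = createAdminClient()
    const { error: updateError } = await (admin as any)
      .from('profiles')
      .update({ role })
      .eq('id', id)

    // NOTE(review): the raw database error message is echoed to the caller;
    // tolerable only because this route is admin-gated above.
    if (updateError) return NextResponse.json({ error: updateError.message }, { status: 500 })
    return NextResponse.json({ success: true })
  } catch (err) {
    // Same logging convention as the DELETE handler so failures are diagnosable.
    console.error('[admin/users/patch]', err)
    return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 })
  }
}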
/**
 * DELETE /api/admin/users/[id] — remove a user account.
 *
 * Admin-only; an admin may not delete their own account. The deletion is
 * delegated to the `admin_delete_user` SQL function via RPC rather than
 * `auth.admin.deleteUser` (see the comment below).
 *
 * @param _request unused
 * @param params   route segment `id`, the target user's id
 * @returns 403 when the caller is not an admin; 400 on self-targeting;
 *          500 on an RPC or unexpected error; `{ success: true }` otherwise.
 */
export async function DELETE(_request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  try {
    const caller = await assertAdmin()
    if (caller == null) {
      return NextResponse.json({ error: 'Accès refusé' }, { status: 403 })
    }

    const { id: targetId } = await params
    // Refuse to let an admin delete the account they are signed in with.
    if (targetId === caller.id) {
      return NextResponse.json({ error: 'Vous ne pouvez pas supprimer votre propre compte' }, { status: 400 })
    }

    // auth.admin.deleteUser is broken on this project — go through a SECURITY DEFINER SQL function instead.
    // That function runs with its owner's privileges, so the admin gate above is what protects it.
    const serviceClient = createAdminClient() as any
    const rpcResult = await serviceClient.rpc('admin_delete_user', { user_id: targetId })
    // NOTE(review): the raw RPC error message is echoed to the (admin) caller.
    if (rpcResult.error) {
      return NextResponse.json({ error: rpcResult.error.message }, { status: 500 })
    }
    return NextResponse.json({ success: true })
  } catch (err) {
    console.error('[admin/users/delete]', err)
    return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 })
  }
}