import { Sidebar } from '@/components/layout/Sidebar' import { Header } from '@/components/layout/Header' import { auth, getSanitizedHeaders } from '@/lib/auth' import { headers } from 'next/headers' import { redirect } from 'next/navigation' import { prisma } from '@innungsapp/shared' import { ForcePasswordChange } from './ForcePasswordChange' export default async function DashboardLayout({ children, params, }: { children: React.ReactNode params: Promise<{ slug: string }> }) { const sanitizedHeaders = await getSanitizedHeaders() const session = await auth.api.getSession({ headers: sanitizedHeaders }) if (!session?.user) { redirect('/login') } // Superadmin Redirect const superAdminEmail = process.env.SUPERADMIN_EMAIL || 'superadmin@innungsapp.de' if (session.user.email === superAdminEmail) { redirect('/superadmin') } const { slug } = await params const org = await prisma.organization.findUnique({ where: { slug } }) // Basic security: Check if the user is an admin of this organization const userRole = org ? await prisma.userRole.findUnique({ where: { orgId_userId: { orgId: org.id, userId: session.user.id } } }) : null // If not found for this slug, check if user is admin of ANY org and redirect there if (!userRole || userRole.role !== 'admin') { const anyAdminRole = await prisma.userRole.findFirst({ where: { userId: session.user.id, role: 'admin' }, include: { org: true }, orderBy: { createdAt: 'asc' }, }) console.error('[Dashboard] Zugriff verweigert Debug:', { sessionUserId: session.user.id, sessionUserEmail: session.user.email, slug, orgFound: !!org, orgId: org?.id, userRoleFound: !!userRole, userRoleRole: userRole?.role, anyAdminRoleFound: !!anyAdminRole, anyAdminRoleOrgSlug: anyAdminRole?.org?.slug, }) if (anyAdminRole?.org?.slug && anyAdminRole.org.slug !== slug) { redirect(`/${anyAdminRole.org.slug}/dashboard`) } } // ONLY admins are allowed in the administrative portal if (!userRole || userRole.role !== 'admin') { return (

Zugriff verweigert

Dieses Portal ist ausschließlich für Administratoren reserviert. Ihr Account verfügt nicht über die notwendigen Berechtigungen für diesen Bereich.

{ 'use server' const { auth } = await import('@/lib/auth') const { headers } = await import('next/headers') await auth.api.signOut({ headers: await headers() }) redirect('/login') }}>
) } // Force Password Change Check // @ts-ignore - mustChangePassword is added via additionalFields if (session.user.mustChangePassword) { return (
) } // Inject Primary Color Theme const primaryColor = org?.primaryColor || '#E63946' return (
{children}
) }