From e43e9c40ad8acdfbfaa13005e8ce65676774816d Mon Sep 17 00:00:00 2001
From: Sven Carstensen
Date: Wed, 18 Mar 2026 09:33:05 +0100
Subject: [PATCH] fix: Only allow ADMIN to save bank account details
Change condition from 'isPrimaryUser || isAdmin' to just 'isAdmin' for bank account fields to ensure only ADMIN users can have/save bank account data, not regular CUSTOMER users.
---
 .../de/svencarstensen/muh/service/CatalogService.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java b/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java
index 2008967..39093ad 100644
--- a/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java
+++ b/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java
@@ -471,10 +471,10 @@ public class CatalogService {
 isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.city()) : existing.city(),
 normalizeEmail(mutation.email()),
 isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.phoneNumber()) : existing.phoneNumber(),
- isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.accountHolder()) : existing.accountHolder(),
- isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.bankName()) : existing.bankName(),
- isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.iban()) : existing.iban(),
- isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.bic()) : existing.bic(),
+ actor.role() == UserRole.ADMIN ? blankToNull(mutation.accountHolder()) : existing.accountHolder(),
+ actor.role() == UserRole.ADMIN ? blankToNull(mutation.bankName()) : existing.bankName(),
+ actor.role() == UserRole.ADMIN ? blankToNull(mutation.iban()) : existing.iban(),
+ actor.role() == UserRole.ADMIN ? blankToNull(mutation.bic()) : existing.bic(),
 isBlank(mutation.password()) ? existing.passwordHash() : passwordEncoder.encode(mutation.password()),
 mutation.active(),
 actor.role() == UserRole.ADMIN
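Review bot: The new guard on the four added bank-account lines checks only who is editing (`actor.role() == UserRole.ADMIN`), not whose record is being edited, so an ADMIN can still store bank data on a CUSTOMER record and any bank fields already stored on such records survive unchanged through the `existing.*` fallback; if the commit message's intent is that CUSTOMER users never have bank data, the condition would also need to consider the role of the record being edited and a one-off clearing of legacy values. A non-admin who submits non-blank bank fields is silently ignored rather than rejected, which leaves no trace of the attempt; consider rejecting or at least logging such a mutation, though caller-side validation may already happen outside this hunk. Stylistically, `actor.role() == UserRole.ADMIN` is now evaluated on seven visible lines; hoisting it once, e.g. `final boolean actorIsAdmin = actor.role() == UserRole.ADMIN;` and `actorIsAdmin ? blankToNull(mutation.iban()) : existing.iban(),`, would make the two permission tiers (profile fields editable by the primary user, bank fields admin-only) easier to read and audit. A short comment above the bank lines, `// Bank details are admin-only; a primary user may not set them on their own record`, would record the reason the commit message gives. The enclosing constructor/method call starts and ends outside the hunk.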