fix: Only allow ADMIN to save bank account details

Change condition from 'isPrimaryUser || isAdmin' to just 'isAdmin' for bank account fields to ensure only ADMIN users can have/save bank account data, not regular CUSTOMER users.
2026-03-18 09:33:05 +01:00
parent 60e2f95637
commit e43e9c40ad
1 changed files with 4 additions and 4 deletions
--- a/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java
+++ b/backend/src/main/java/de/svencarstensen/muh/service/CatalogService.java
@@ -471,10 +471,10 @@ public class CatalogService {
                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.city()) : existing.city(),
                normalizeEmail(mutation.email()),
                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.phoneNumber()) : existing.phoneNumber(),
-                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.accountHolder()) : existing.accountHolder(),
-                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.bankName()) : existing.bankName(),
-                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.iban()) : existing.iban(),
-                isPrimaryUser(existing) || actor.role() == UserRole.ADMIN ? blankToNull(mutation.bic()) : existing.bic(),
+                actor.role() == UserRole.ADMIN ? blankToNull(mutation.accountHolder()) : existing.accountHolder(),
+                actor.role() == UserRole.ADMIN ? blankToNull(mutation.bankName()) : existing.bankName(),
+                actor.role() == UserRole.ADMIN ? blankToNull(mutation.iban()) : existing.iban(),
+                actor.role() == UserRole.ADMIN ? blankToNull(mutation.bic()) : existing.bic(),
                isBlank(mutation.password()) ? existing.passwordHash() : passwordEncoder.encode(mutation.password()),
                mutation.active(),
                actor.role() == UserRole.ADMIN