From e4561dbd7f391c656eae8b3d323096ca6543dc73 Mon Sep 17 00:00:00 2001
From: Luca Haid
Date: Wed, 28 Jan 2026 10:24:14 +0100
Subject: [PATCH] fixed permissions
---
 .../WorkorderDashboardController.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/application/WorkorderDashboard/WorkorderDashboardController.php b/application/WorkorderDashboard/WorkorderDashboardController.php
index ccb654cf2..ed0b0bef1 100644
--- a/application/WorkorderDashboard/WorkorderDashboardController.php
+++ b/application/WorkorderDashboard/WorkorderDashboardController.php
@@ -36,7 +36,11 @@ class WorkorderDashboardController extends TTCrud
 protected function getFilterOptionsAction()
 {
- $tenants = WorkorderTenantConfigModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
+ if ($this->me->isAdmin()) {
+ $tenants = WorkorderTenantConfigModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
+ } else {
+ $tenants = WorkorderTenantConfigModel::getAll(['addressId' => $this->me->address_id], null, 0, ['key' => 'name', 'order' => 'ASC']);
+ }
 $companies = WorkorderCompanyModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
 self::returnJson([
@@ -54,6 +58,10 @@ class WorkorderDashboardController extends TTCrud
 self::returnJson([]);
 return;
 }
+ if (!$this->me->isAdmin() && $config->addressId != $this->me->address_id) {
+ self::returnJson([]);
+ return;
+ }
 $networks = NetworkModel::search(['owner_id' => $config->addressId]);
 if (empty($networks)) {
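Review bot: In getFilterOptionsAction the tenant list is now scoped to the caller's address, but the `$companies = WorkorderCompanyModel::getAll([], ...)` call right after the new branch still returns every company to non-admin users. Whether companies are tenant-specific is not visible in this hunk, so confirm that list is meant to be global; if it is not, it needs the same scoping. The non-admin branch also passes `$this->me->address_id` straight into the filter, and how `getAll` treats a null or empty value there is not shown, so returning an empty tenant list early when `empty($this->me->address_id)` would make the restriction fail closed. The two `getAll` calls differ only in the filter and could share one call with `$filter = $this->me->isAdmin() ? [] : ['addressId' => $this->me->address_id];`.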
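Review bot: The new ownership check compares with loose `!=`, so under PHP's type juggling a non-admin whose `address_id` is null, 0 or '' is treated as owning any config whose `addressId` is also empty. Rejecting empty values first and comparing strictly closes that gap, assuming both ids are integers: `if (!$this->me->isAdmin() && (empty($this->me->address_id) || (int) $config->addressId !== (int) $this->me->address_id)) {`. The same expression is repeated in the third hunk (@@ -79,6 +87,7), so a small private helper such as `canAccessTenant($config)` would keep the rule in one place for any further tenant-scoped actions. The enclosing method starts and ends outside this hunk.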
@@ -79,6 +87,7 @@ class WorkorderDashboardController extends TTCrud
 if (!$tenantId) self::sendError('Mandant muss ausgewählt werden.');
 $config = WorkorderTenantConfigModel::get($tenantId);
 if (!$config) self::sendError('Mandant nicht gefunden.');
+ if (!$this->me->isAdmin() && $config->addressId != $this->me->address_id) self::sendError('Keine Berechtigung für diesen Mandanten.');
 $networks = NetworkModel::search(['owner_id' => $config->addressId]);
 $tenantCampaignIds = array_map(fn($c) => $c->id, PreordercampaignModel::search(['network_id' => array_map(fn($n) => $n->id, $networks)]));
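Review bot: The added check answers with 'Keine Berechtigung für diesen Mandanten.' while an unknown id gets 'Mandant nicht gefunden.', so a non-admin can tell which tenant ids exist by comparing the two responses. The action in the previous hunk returns `[]` in both cases; doing the equivalent here, for example `self::sendError('Mandant nicht gefunden.');` for the ownership failure as well, removes that signal. The check also relies on `sendError` ending the request, which is not visible here; if it returns, `NetworkModel::search` would still run for a foreign tenant, so an explicit `return;` after it would be safer. The method body continues outside the hunk.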