fixed permissions

application/WorkorderDashboard/WorkorderDashboardController.php

@@ -36,7 +36,11 @@ class WorkorderDashboardController extends TTCrud
 
     protected function getFilterOptionsAction()
     {
-        $tenants = WorkorderTenantConfigModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
+        if ($this->me->isAdmin()) {
+            $tenants = WorkorderTenantConfigModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
+        } else {
+            $tenants = WorkorderTenantConfigModel::getAll(['addressId' => $this->me->address_id], null, 0, ['key' => 'name', 'order' => 'ASC']);
+        }
         $companies = WorkorderCompanyModel::getAll([], null, 0, ['key' => 'name', 'order' => 'ASC']);
 
         self::returnJson([
@@ -54,6 +58,10 @@ class WorkorderDashboardController extends TTCrud
             self::returnJson([]);
             return;
         }
+        if (!$this->me->isAdmin() && $config->addressId != $this->me->address_id) {
+            self::returnJson([]);
+            return;
+        }
 
         $networks = NetworkModel::search(['owner_id' => $config->addressId]);
         if (empty($networks)) {
@@ -79,6 +87,7 @@ class WorkorderDashboardController extends TTCrud
         if (!$tenantId) self::sendError('Mandant muss ausgewählt werden.');
         $config = WorkorderTenantConfigModel::get($tenantId);
         if (!$config) self::sendError('Mandant nicht gefunden.');
+        if (!$this->me->isAdmin() && $config->addressId != $this->me->address_id) self::sendError('Keine Berechtigung für diesen Mandanten.');
 
         $networks = NetworkModel::search(['owner_id' => $config->addressId]);
         $tenantCampaignIds = array_map(fn($c) => $c->id, PreordercampaignModel::search(['network_id' => array_map(fn($n) => $n->id, $networks)]));