From 262228d6e99b475651fcbca7bd00f7aaffc47754 Mon Sep 17 00:00:00 2001
From: javayhu
Date: Sat, 16 Aug 2025 22:03:01 +0800
Subject: [PATCH] feat: add session validation for admin access in getUsersAction
---
 src/actions/get-users.ts | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/actions/get-users.ts b/src/actions/get-users.ts
index 67d3005..45747f1 100644
--- a/src/actions/get-users.ts
+++ b/src/actions/get-users.ts
@@ -3,6 +3,7 @@
 import { getDb } from '@/db';
 import { user } from '@/db/schema';
 import { isDemoWebsite } from '@/lib/demo';
+import { getSession } from '@/lib/server';
 import { asc, desc, ilike, or, sql } from 'drizzle-orm';
 import { createSafeActionClient } from 'next-safe-action';
 import { z } from 'zod';
@@ -42,6 +43,14 @@ const sortFieldMap = {
 export const getUsersAction = actionClient
 .schema(getUsersSchema)
 .action(async ({ parsedInput }) => {
+ const session = await getSession();
+ if (!session || session.user.role !== 'admin') {
+ return {
+ success: false,
+ error: 'Unauthorized',
+ };
+ }
+
 try {
 const { pageIndex, pageSize, search, sorting } = parsedInput;
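Review bot: The admin check added at the top of the `.action(...)` callback is enforced only inside this one action, so any other action built from the same `actionClient` stays callable without a session unless it repeats these lines. Attaching the check once to a dedicated admin client through next-safe-action's `.use()` middleware would make it hard to forget. The deny branch also returns without leaving a trace; a log line before `return { success: false, error: 'Unauthorized' }` would let rejected calls to a user-listing endpoint show up in monitoring. `getSession()` runs above the `try`, so a failure there goes through the client's server-error path rather than the `{ success, error }` shape. That fails closed, but a comment such as `// auth runs outside try: a session lookup failure must reject the call` would record the intent. The callback body continues past the end of the hunk, and whether `session.user.role` is read fresh or from a cached session is not visible here.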