From f691384a34cc146d4d7e329ab8056717f9b81fe6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=B6rdle=20Bot?=
Date: Wed, 3 Dec 2025 13:17:31 +0100
Subject: [PATCH] =?UTF-8?q?API:=20Auth=20&=20Scope=20f=C3=BCr=20Song-GET,?= =?UTF-8?q?Kommentar=20f=C3=BCr=20Kurator-Wrapper?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/[locale]/curator/page.tsx | 1 +
 app/api/songs/route.ts | 29 +++++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/app/[locale]/curator/page.tsx b/app/[locale]/curator/page.tsx
index 90dc4b1..6e18aea 100644
--- a/app/[locale]/curator/page.tsx
+++ b/app/[locale]/curator/page.tsx
@@ -4,6 +4,7 @@ import CuratorPageInner from '../../curator/page';
 export default function CuratorPage() {
 // Wrapper für die lokalisierte Route /[locale]/curator
+ // Hinweis: Pfad '../../curator/page' zeigt von 'app/[locale]/curator' korrekt auf 'app/curator/page'.
 return ;
 }
diff --git a/app/api/songs/route.ts b/app/api/songs/route.ts
index 175a453..d68f5da 100644
--- a/app/api/songs/route.ts
+++ b/app/api/songs/route.ts
@@ -61,7 +61,11 @@ function curatorCanDeleteSong(context: StaffContext, song: any, assignments: { g
 export const runtime = 'nodejs';
 export const maxDuration = 60; // 60 seconds timeout for uploads
-export async function GET() {
+export async function GET(request: NextRequest) {
+ // Alle Zugriffe auf die Songliste erfordern Staff-Auth (Admin oder Kurator)
+ const { error, context } = await requireStaffAuth(request);
+ if (error || !context) return error!;
+
 const songs = await prisma.song.findMany({
 orderBy: { createdAt: 'desc' },
 include: {
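Review bot: In the added guard `if (error || !context) return error!;` the non-null assertion only silences the compiler: if `requireStaffAuth` ever yields neither an error nor a context, the handler returns `undefined` instead of an explicit denial. Whether that combination can occur depends on `requireStaffAuth`, which is not visible in this hunk, but the guard should not depend on it; `if (error || !context) return error ?? new Response('Unauthorized', { status: 401 });` keeps the rejection explicit. The body of GET continues past the end of this hunk.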
@@ -75,8 +79,29 @@ export async function GET() {
 },
 });
+ let visibleSongs = songs;
+
+ if (context.role === 'curator') {
+ const assignments = await getCuratorAssignments(context.curator.id);
+
+ visibleSongs = songs.filter(song => {
+ const songGenreIds = song.genres.map(g => g.id);
+ const songSpecialIds = song.specials.map(ss => ss.specialId);
+
+ // Songs ohne Genres/Specials sind immer sichtbar
+ if (songGenreIds.length === 0 && songSpecialIds.length === 0) {
+ return true;
+ }
+
+ const hasGenre = songGenreIds.some(id => assignments.genreIds.has(id));
+ const hasSpecial = songSpecialIds.some(id => assignments.specialIds.has(id));
+
+ return hasGenre || hasSpecial;
+ });
+ }
+
 // Map to include activation count and flatten specials
- const songsWithActivations = songs.map(song => ({
+ const songsWithActivations = visibleSongs.map(song => ({
 id: song.id,
 title: song.title,
 artist: song.artist,
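Review bot: The scope filter fails open, because `visibleSongs` starts as the full `songs` list and is narrowed only when `context.role === 'curator'`, so any other staff role receives every song by default. Starting from an empty list and granting the full list only to the admin role would make a future role denied by default, e.g. `let visibleSongs: typeof songs = [];` followed by `if (context.role === 'admin') visibleSongs = songs;` (the admin role literal is not shown in this hunk, so the spelling is assumed). The visibility rule is also written inline here although `curatorCanDeleteSong` in the same file takes the same `assignments`; a sibling helper beside it would keep read scope and delete scope from drifting apart. The comment on the empty-genre case should state why unassigned songs are visible to every curator, for example `// Unassigned songs are visible to all curators so they can be triaged`, if that is the intent. The start of GET lies outside this hunk.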