API: Auth & Scope für Song-GET, Kommentar für Kurator-Wrapper

app/api/songs/route.ts

@@ -61,7 +61,11 @@ function curatorCanDeleteSong(context: StaffContext, song: any, assignments: { g
 export const runtime = 'nodejs';
 export const maxDuration = 60; // 60 seconds timeout for uploads
 
-export async function GET() {
+export async function GET(request: NextRequest) {
+    // Alle Zugriffe auf die Songliste erfordern Staff-Auth (Admin oder Kurator)
+    const { error, context } = await requireStaffAuth(request);
+    if (error || !context) return error!;
+
     const songs = await prisma.song.findMany({
         orderBy: { createdAt: 'desc' },
         include: {
@@ -75,8 +79,29 @@ export async function GET() {
         },
     });
 
+    let visibleSongs = songs;
+
+    if (context.role === 'curator') {
+        const assignments = await getCuratorAssignments(context.curator.id);
+
+        visibleSongs = songs.filter(song => {
+            const songGenreIds = song.genres.map(g => g.id);
+            const songSpecialIds = song.specials.map(ss => ss.specialId);
+
+            // Songs ohne Genres/Specials sind immer sichtbar
+            if (songGenreIds.length === 0 && songSpecialIds.length === 0) {
+                return true;
+            }
+
+            const hasGenre = songGenreIds.some(id => assignments.genreIds.has(id));
+            const hasSpecial = songSpecialIds.some(id => assignments.specialIds.has(id));
+
+            return hasGenre || hasSpecial;
+        });
+    }
+
     // Map to include activation count and flatten specials
-    const songsWithActivations = songs.map(song => ({
+    const songsWithActivations = visibleSongs.map(song => ({
         id: song.id,
         title: song.title,
         artist: song.artist,