YXx

public/assets/js/account.js

@@ -2,8 +2,6 @@ import { apiAction } from './api.js';
 import { initUserPanel, initAccountPage } from './ui-user.js';
 import { mountLogoutButton, ensureFloatingLogout } from './ui-auth.js';
 
-const pageType = document.body?.dataset?.page || 'account';
-
 async function ensureAuthenticated() {
   try {
     const me = await apiAction('auth.me', { method: 'GET' });
@@ -19,19 +17,9 @@ async function ensureAuthenticated() {
   }
 }
 
-function ensureAccess() {
-  const role = (window.__currentUser?.role || '').toLowerCase();
-  if (pageType === 'admin' && role !== 'owner' && role !== 'admin') {
-    window.location.href = '/account.php';
-    return false;
-  }
-  return true;
-}
-
 document.addEventListener('DOMContentLoaded', async () => {
   const ok = await ensureAuthenticated();
   if (!ok) return;
-  if (!ensureAccess()) return;
   initUserPanel();
   initAccountPage();
   mountLogoutButton('#btn-logout', { redirect: '/login.php' });

public/assets/js/ui-user.js

@@ -12,6 +12,8 @@ const state = {
   loading: false,
 };
 
+const pageType = document.body?.dataset?.page || 'account';
+
 let avatarBtn;
 let userMenuPanel;
 let profileForm;
@@ -103,6 +105,13 @@ function isAdmin() {
   return role === 'owner' || role === 'admin';
 }
 
+function enforcePageAccess() {
+  if (pageType !== 'admin') return;
+  if (isAdmin()) return;
+  toast('Kein Zugriff auf diesen Bereich', false, { duration: 2500 });
+  window.location.href = '/account.php';
+}
+
 function updateAvatar() {
   const target = document.getElementById('userAvatar');
   if (!target) return;
@@ -184,6 +193,7 @@ async function loadAccountData() {
       window.__currentUser = res.user;
       updateAvatar();
       updateRoleVisibility();
+      enforcePageAccess();
     }
     fillProfileForm(res.user);
     fillSettingsForm(res.settings || {});