Files
NovaWoW/web-next/lib/admin.ts
T
Inna d5b00a86dc Panel admin propio: gestión de noticias
- lib/admin.ts: isAdmin(session) por allowlist ADMIN_EMAILS (normalizada) o gmlevel
  de AzerothCore (account_access, resiliente si no existe). ADMIN_EMAILS/ADMIN_GMLEVEL
  en .env.local.
- lib/admin-news.ts: listNews / createNews / deleteNews (home_noticia).
- Routes /api/admin/news (POST, guard isAdmin) y /api/admin/news/[id] (DELETE).
- Páginas /admin (dashboard) y /admin/news (protegidas: no-admin -> redirect).
  AdminNewsManager (cliente: crear + listar + borrar).

Verificado: /admin sin permiso redirige, APIs 403; el pipeline crear noticia -> se
renderiza en la home (SSR) funciona. Turnstile bloquea el login por curl (correcto).
Pendiente admin: precios de servicios, foros, sitios de voto, usuarios.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-12 23:55:34 +00:00

28 lines
983 B
TypeScript

import type { RowDataPacket } from 'mysql2'
import { db, DB } from './db'
import { normalizeEmail } from './bnet'
import type { SessionData } from './session'
/** ¿Es administrador? Por allowlist de email (ADMIN_EMAILS) o por gmlevel de AzerothCore. */
export async function isAdmin(session: SessionData): Promise<boolean> {
if (!session.bnetId) return false
const allow = (process.env.ADMIN_EMAILS || '')
.split(',')
.map((e) => normalizeEmail(e))
.filter(Boolean)
if (session.bnetEmail && allow.includes(normalizeEmail(session.bnetEmail))) return true
try {
const level = Number(process.env.ADMIN_GMLEVEL || 3)
const [rows] = await db(DB.auth).query<RowDataPacket[]>(
'SELECT gmlevel FROM account_access WHERE id = ? ORDER BY gmlevel DESC LIMIT 1',
[session.accountId ?? 0],
)
if (rows[0] && Number(rows[0].gmlevel) >= level) return true
} catch {
// account_access puede no existir (acore sin poblar)
}
return false
}