From ba4eec951a76b4d998f6d81f864931bc64839960 Mon Sep 17 00:00:00 2001
From: Thomas Reitz
Date: Wed, 11 Mar 2026 10:34:46 +0100
Subject: [PATCH] =?UTF-8?q?fix(crm):=20fix=20Lexware=20import=20500=20?=
 =?UTF-8?q?=E2=80=94=20tenantId=20validation=20in=20TenantGuard=20and=20se?=
 =?UTF-8?q?rvice?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- TenantGuard: remove PLATFORM_ADMIN bypass, require tenantId for all users
- lexware-contacts.service: add defensive tenantId check in importAsCompany and importAsContact with clear BadRequestException message

Co-Authored-By: Claude Opus 4.6
---
 .../crm-service/src/auth/guards/tenant.guard.ts | 12 +++++-------
 .../src/lexware/lexware-contacts.service.ts     | 13 +++++++++++++
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/packages/crm-service/src/auth/guards/tenant.guard.ts b/packages/crm-service/src/auth/guards/tenant.guard.ts
index 3629e84..7a5de51 100644
--- a/packages/crm-service/src/auth/guards/tenant.guard.ts
+++ b/packages/crm-service/src/auth/guards/tenant.guard.ts
@@ -12,14 +12,12 @@ export class TenantGuard implements CanActivate {
     const request = context.switchToHttp().getRequest();
     const user = request.user as JwtPayload;
 
-    // PLATFORM_ADMIN hat Zugriff auf alle Tenants
-    if (user?.role === 'PLATFORM_ADMIN') {
-      return true;
-    }
-
-    // Alle anderen User muessen eine tenantId haben
+    // Alle User (auch PLATFORM_ADMIN) muessen eine tenantId haben
+    // um auf tenant-spezifische CRM-Ressourcen zuzugreifen.
     if (!user?.tenantId) {
-      throw new ForbiddenException('Kein Mandant zugeordnet');
+      throw new ForbiddenException(
+        'Kein Mandant zugeordnet. Bitte mit einem mandanten-gebundenen Account anmelden.',
+      );
     }
 
     return true;
diff --git a/packages/crm-service/src/lexware/lexware-contacts.service.ts b/packages/crm-service/src/lexware/lexware-contacts.service.ts
index 1be6e5f..3414296 100644
--- a/packages/crm-service/src/lexware/lexware-contacts.service.ts
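Review bot: The guard now only checks that `user.tenantId` is truthy; it does not pin the request to that tenant, so every handler behind it must still take the tenant from `request.user` and never from a path, query or body parameter — the controllers are not in this diff, so that is an assumption to confirm. The removed bypass was plausibly more than a 500: a PLATFORM_ADMIN token without a tenantId reached the services with `tenantId === undefined`, and Prisma drops an `undefined` key from a `where` clause, so a lookup like `{ tenantId, lexwareContactId }` silently became a cross-tenant match before any insert failed. If platform admins genuinely need to act on other tenants, resolve the target tenant explicitly from a validated request value and attach it to the request, rather than re-adding a role bypass. A comment such as `// Prisma ignores undefined where-keys: an unset tenantId must never reach the services` on the check would stop the next maintainer from restoring the bypass. The `canActivate` method begins before this hunk.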
+++ b/packages/crm-service/src/lexware/lexware-contacts.service.ts
@@ -7,6 +7,7 @@ import {
   Logger,
   NotFoundException,
   ConflictException,
+  BadRequestException,
 } from '@nestjs/common';
 import { CrmPrismaService } from '../prisma/crm-prisma.service';
 import { LexwareClientService } from './lexware-client.service';
@@ -213,6 +214,12 @@ export class LexwareContactsService {
     lexwareContactId: string,
     userId: string,
   ) {
+    if (!tenantId) {
+      throw new BadRequestException(
+        'tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.',
+      );
+    }
+
     // Pruefe ob bereits verknuepft
     const existing = await this.prisma.company.findFirst({
       where: { tenantId, lexwareContactId },
@@ -246,6 +253,12 @@ export class LexwareContactsService {
     lexwareContactId: string,
     userId: string,
   ) {
+    if (!tenantId) {
+      throw new BadRequestException(
+        'tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.',
+      );
+    }
+
     const existing = await this.prisma.contact.findFirst({
       where: { tenantId, lexwareContactId },
     });
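Review bot: The check added at the top of importAsCompany answers a missing tenantId with a 400 BadRequestException, while TenantGuard answers the same condition with a 403; a request that gets this far without a tenant has an authorization gap (a controller without the guard, or an internal caller), not a malformed body, so `throw new ForbiddenException('tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.')` keeps the status consistent and avoids telling the client it can fix this by resending. The check is still worth keeping alongside the guard, because Prisma omits `undefined` keys from a `where` clause and `findFirst({ where: { tenantId, lexwareContactId } })` would then match another tenant's company. Note that the parameter is declared `tenantId: string`, so under strict typing this branch is only reachable when a caller passes an unchecked JWT claim — narrowing `JwtPayload.tenantId` at the controller boundary would remove the need to repeat the check per method. The method signature starts before the hunk and its body continues after it.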
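Review bot: The guard block in importAsContact is a verbatim copy of the one in importAsCompany, including the user-facing message, so the two will drift the next time the wording or the exception type changes. A private assertion helper on the service makes the intent explicit, lets the compiler narrow `tenantId` after the call, and gives any further tenant-scoped method a one-line check; the two import methods would then start with `this.assertTenantId(tenantId);`. The helper is sketched below; the method signature starts before the hunk and its body continues after it.
```typescript
  /** Rejects a request that carries no tenant; guards against undefined leaking into Prisma `where` clauses. */
  private assertTenantId(tenantId: string | undefined): asserts tenantId is string {
    if (!tenantId) {
      throw new BadRequestException(
        'tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.',
      );
    }
  }

  // … unchanged: importAsContact signature …
    this.assertTenantId(tenantId);
  // … unchanged: existing-link lookup …
```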