fix: Allow project team members to update projects, handle empty companyId

- Relax project PATCH route from requireAdmin to checkProjectAccess - Normalize empty string companyId to null in updateProject service to prevent UUID parse error Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 11:41:36 +01:00
parent dd15be93a9
commit 929d0b461f
2 changed files with 8 additions and 5 deletions
--- a/src/routes/project.routes.js
+++ b/src/routes/project.routes.js
@@ -44,10 +44,10 @@ router.post(
  projectController.createProject
 );

-// Update project (admin only)
+// Update project (team members and admins)
 router.patch(
  '/:projectId',
-  requireAdmin,
+  checkProjectAccess,
  validateParams(z.object({ projectId: z.string().uuid() })),
  validateBody(updateProjectSchema),
  projectController.updateProject