server/src/lib/vendorScope.ts

import { AuthenticatedRequest } from "../types/index.js";

/**
 * Resolves the effective vendorId for a request.
 * Admin users may pass ?vendorId= to operate on any vendor's data.
 * All other roles are locked to their own vendorId.
 */
export function resolveVendorId(
  authReq: AuthenticatedRequest,
  query: Record<string, unknown> = {}
): string {
  if (authReq.auth.roleName === "admin" && typeof query.vendorId === "string" && query.vendorId) {
    return query.vendorId;
  }
  return authReq.auth.vendorId;
}
Add multi-vendor capability with admin vendor management - Add resolveVendorId() helper — admin can pass ?vendorId= to scope catalog operations to any vendor; other roles locked to JWT vendorId - Thread ?vendorId= through products, categories, taxes, events routes - Add DELETE /vendors/:id (admin only) with cascade-safe guard: blocks if vendor has users or transactions; otherwise cascade-deletes EventProduct → EventTax → Event → Product → Tax → Category → Vendor - Rewrite VendorPage: admin gets full CRUD list, vendor gets own settings - Add VendorFilter shared component (admin-only dropdown) - Integrate VendorFilter into Catalog, Users, and Events pages so admin can switch vendor context for all create/read operations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-21 07:59:58 -05:00			`import { AuthenticatedRequest } from "../types/index.js";`

			`/**`
			`* Resolves the effective vendorId for a request.`
			`* Admin users may pass ?vendorId= to operate on any vendor's data.`
			`* All other roles are locked to their own vendorId.`
			`*/`
			`export function resolveVendorId(`
			`authReq: AuthenticatedRequest,`
			`query: Record<string, unknown> = {}`
			`): string {`
			`if (authReq.auth.roleName === "admin" && typeof query.vendorId === "string" && query.vendorId) {`
			`return query.vendorId;`
			`}`
			`return authReq.auth.vendorId;`
			`}`