From 21db754045b3be59c7dfcb5f448994d6ccce8c5b Mon Sep 17 00:00:00 2001
From: MEHMETKECECI
Date: Mon, 16 Feb 2026 09:35:11 +0300
Subject: [PATCH] Merge remote-tracking branch 'origin/master'
---
 svc/queries/account.go | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/svc/queries/account.go b/svc/queries/account.go
index a0ac4d8..1c7b94e 100644
--- a/svc/queries/account.go
+++ b/svc/queries/account.go
@@ -13,12 +13,25 @@ import (
 func GetAccounts(ctx context.Context) ([]models.Account, error) {
- piyasaFilter := authz.BuildMSSQLPiyasaFilter(ctx, "f2.CustomerAtt01")
+ piyasaCodes := authz.GetPiyasaCodesFromCtx(ctx)
- if strings.TrimSpace(piyasaFilter) == "" {
- piyasaFilter = "1=1"
+ // 🔴 HİÇ YETKİ YOKSA → HİÇ DATA VERME
+ if len(piyasaCodes) == 0 {
+ log.Println("⚠️ No piyasa permission → empty account list")
+ return []models.Account{}, nil
 }
+ // ✅ Güvenli filter üret
+ quoted := make([]string, 0, len(piyasaCodes))
+ for _, p := range piyasaCodes {
+ quoted = append(quoted, "'"+p+"'")
+ }
+
+ piyasaFilter := fmt.Sprintf(
+ "f2.CustomerAtt01 IN (%s)",
+ strings.Join(quoted, ","),
+ )
+
 query := fmt.Sprintf(`
 SELECT
 x.AccountCode,
@@ -38,8 +51,7 @@ func GetAccounts(ctx context.Context) ([]models.Account, error) {
 ORDER BY x.AccountCode
 `, piyasaFilter)
- log.Println("🔎 ACCOUNT PIYASA FILTER =", piyasaFilter)
- log.Println("🔎 ACCOUNT QUERY =", query)
+ log.Println("🔎 ACCOUNT FILTER =", piyasaFilter)
 rows, err := db.MssqlDB.Query(query)
 if err != nil {
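Review bot: The IN list in the first hunk splices every piyasa code into the SQL text as `"'"+p+"'"`, so a code containing a single quote breaks or alters the statement, which contradicts the `// ✅ Güvenli filter üret` comment above it; where `authz.GetPiyasaCodesFromCtx` sources these values is not visible here, so treat them as data and bind them rather than relying on their shape. `db.MssqlDB.Query` already accepts bound arguments, so the filter can hold only placeholders (`@p1`, `@p2`, … for go-mssqldb; use whatever form the driver in use expects) and the codes go in as `args`, which also keeps the surviving `log.Println("🔎 ACCOUNT FILTER =", piyasaFilter)` in the second hunk free of tenant values. Since `ctx` is already in hand, the call can become `QueryContext(ctx, query, args...)` so cancellation propagates. GetAccounts continues past the end of the second hunk.
```go
	// … unchanged: empty-permission guard …
	// Bind each code as a parameter instead of splicing quoted literals into the SQL.
	placeholders := make([]string, 0, len(piyasaCodes))
	args := make([]any, 0, len(piyasaCodes))
	for i, p := range piyasaCodes {
		placeholders = append(placeholders, fmt.Sprintf("@p%d", i+1))
		args = append(args, p)
	}
	piyasaFilter := "f2.CustomerAtt01 IN (" + strings.Join(placeholders, ",") + ")"
	// … unchanged: query construction and filter log …
	rows, err := db.MssqlDB.QueryContext(ctx, query, args...)
```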