fix: filter teams by app — getUserTeams and setActiveTenant now reject cross-app teams

src/lib/appwrite/tenant-actions.ts

@@ -2,7 +2,7 @@
 
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
-import { AppwriteException, ID, Permission, Role } from "node-appwrite";
+import { AppwriteException, ID, Permission, Role, Query } from "node-appwrite";
 
 import { createAdminClient, createSessionClient } from "./server";
 import { DATABASE_ID, TABLES } from "./schema";
@@ -88,12 +88,22 @@ export async function createWorkspaceAction(
 
 export async function setActiveTenantAction(tenantId: string) {
   try {
-    const { account } = await createSessionClient();
+    const { account, teams, tablesDB } = await createSessionClient();
     const user = await account.get();
 
-    const teams = await (await createSessionClient()).teams.list();
-    const owns = teams.teams.some((t) => t.$id === tenantId);
-    if (!owns) {
+    const allTeams = await teams.list();
+    const isMember = allTeams.teams.some((t) => t.$id === tenantId);
+    if (!isMember) {
+      return { ok: false, error: "Bu çalışma alanına erişiminiz yok." };
+    }
+
+    // Verify this team belongs to this app (not a team from another KovakSoft product)
+    const settingsCheck = await tablesDB.listRows({
+      databaseId: DATABASE_ID,
+      tableId: TABLES.tenantSettings,
+      queries: [Query.equal("tenantId", tenantId), Query.limit(1)],
+    });
+    if (settingsCheck.total === 0) {
       return { ok: false, error: "Bu çalışma alanına erişiminiz yok." };
     }