From 97f66b9748ce96d3a5b800e2284c678591a62acb Mon Sep 17 00:00:00 2001
From: lashman <lashman@robotbrush.com>
Date: Sat, 21 Mar 2026 22:14:11 +0200
Subject: [PATCH] fix admin avatar upload using linked user instead of
 anonymous cookie

---
 packages/api/src/routes/avatars.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/packages/api/src/routes/avatars.ts b/packages/api/src/routes/avatars.ts
index 7cb6ff0..bc3c084 100644
--- a/packages/api/src/routes/avatars.ts
+++ b/packages/api/src/routes/avatars.ts
@@ -27,9 +27,16 @@ export default async function avatarRoutes(app: FastifyInstance) {
 
   app.post(
     "/me/avatar",
-    { preHandler: [app.requireUser], config: { rateLimit: { max: 10, timeWindow: "1 hour" } } },
+    { preHandler: [app.requireUser, app.optionalAdmin], config: { rateLimit: { max: 10, timeWindow: "1 hour" } } },
     async (req, reply) => {
-      const user = await prisma.user.findUnique({ where: { id: req.user!.id } });
+      // if admin, use their linked user instead of the anonymous cookie user
+      let userId = req.user!.id;
+      if (req.adminId) {
+        const admin = await prisma.adminUser.findUnique({ where: { id: req.adminId }, select: { linkedUserId: true } });
+        if (admin?.linkedUserId) userId = admin.linkedUserId;
+      }
+
+      const user = await prisma.user.findUnique({ where: { id: userId } });
       if (!user) {
         reply.status(403).send({ error: "Not authenticated" });
         return;