Skip to content

Commit

Permalink
feat(reservation): enhance access control for reservation management
Browse files Browse the repository at this point in the history
  • Loading branch information
@at-wr
at-wr committed Jan 19, 2025
1 parent d473408 commit 94a90ac
Showing 1 changed file with 41 additions and 13 deletions.
54 changes: 41 additions & 13 deletions server/api/reservation/manage.get.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,38 +56,66 @@ export default eventHandler(async (event) => {
})
})
}
else {
throw createError({
statusCode: 400,
message: '未知操作',
})
}
}
}
else {
// Get the user's student ID first
const user = await prisma.user.findUnique({
where: {
clerkUserId: auth.userId,
},
})

if (!user) {
throw createError({
statusCode: 404,
message: '用户不存在',
})
}

// Find all clubs where user is president or vice president
const userClubs = await prisma.club.findMany({
where: {
OR: [
{
presidentByTsimsStudentId: user.tsimsStudentId,
},
{
vicesByTsimsStudentId: {
has: user.tsimsStudentId,
},
},
],
},
})

const clubIds = userClubs.map(club => club.id)

const currentReservation = await prisma.reservationRecord.findUnique({
include: {
user: true,
club: true,
},
where: {
id: query.id,
},
})

if (!currentReservation) {
throw createError({
statusCode: 400,
message: '未找到记录',
})
}
else if (currentReservation.user.clerkUserId !== auth.userId) {

// Check if user has access to this club's reservations
if (!clubIds.includes(currentReservation.clubId)) {
throw createError({
statusCode: 400,
message: '这不是你的记录',
statusCode: 403,
message: '您没有权限管理此预约记录',
})
}
else if (query.action === 'DELETE') {
if (query.id === -1)
return

if (query.action === 'DELETE') {
return await prisma.reservationRecord.delete({
where: {
id: query.id,
Expand Down

0 comments on commit 94a90ac

Please sign in to comment.