
Commit 94a90ac

feat(reservation): enhance access control for reservation management
1 parent d473408 commit 94a90ac

1 file changed

+41
-13
lines changed

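--- a/server/api/reservation/manage.get.ts
+++ b/server/api/reservation/manage.get.ts
@@ -56,38 +56,66 @@ export default eventHandler(async (event) => {
 })
 })
 }
-else {
-throw createError({
-statusCode: 400,
-message: '未知操作',
-})
-}
 }
 }
 else {
+// Get the user's student ID first
+const user = await prisma.user.findUnique({
+where: {
+clerkUserId: auth.userId,
+},
+})
+
+if (!user) {
+throw createError({
+statusCode: 404,
+message: '用户不存在',
+})
+}
+
+// Find all clubs where user is president or vice president
+const userClubs = await prisma.club.findMany({
+where: {
+OR: [
+{
+presidentByTsimsStudentId: user.tsimsStudentId,
+},
+{
+vicesByTsimsStudentId: {
+has: user.tsimsStudentId,
+},
+},
+],
+},
+})
+
+const clubIds = userClubs.map(club => club.id)
+
 const currentReservation = await prisma.reservationRecord.findUnique({
 include: {
-user: true,
+club: true,
 },
 where: {
 id: query.id,
 },
 })
+
 if (!currentReservation) {
 throw createError({
 statusCode: 400,
 message: '未找到记录',
 })
 }
-else if (currentReservation.user.clerkUserId !== auth.userId) {
+
+// Check if user has access to this club's reservations
+if (!clubIds.includes(currentReservation.clubId)) {
 throw createError({
-statusCode: 400,
-message: '这不是你的记录',
+statusCode: 403,
+message: '您没有权限管理此预约记录',
 })
 }
-else if (query.action === 'DELETE') {
-if (query.id === -1)
-return
+
+if (query.action === 'DELETE') {
 return await prisma.reservationRecord.delete({
 where: {
 id: query.id,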
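Review bot: The club lookup at new lines 77–90 filters on `user.tsimsStudentId` without first checking that it is set; if that column is nullable (not visible here), Prisma treats an `undefined` filter value as "no condition", so a user record with no student ID would match every club in the `OR` and then pass the `clubIds.includes(currentReservation.clubId)` check at line 111, turning the new authorization check into a bypass. Guard it before the `findMany`: `if (user.tsimsStudentId == null) throw createError({ statusCode: 403, message: '您没有权限管理此预约记录' })`. Separately, the `'未知操作'` fallback removed at old lines 59–64 means an unrecognized `query.action` is no longer rejected in this branch on the new side unless the code after the hunk handles it — worth confirming. The enclosing `eventHandler` callback starts before and ends after this hunk.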
