fix: edit event accessible to user with event roles only (#3500)

Author: shreyanshdwivedi

app/routes/events/view.js

@@ -10,7 +10,7 @@ export default Route.extend({
 
   model(params) {
     return this.store.findRecord('event', params.event_id, {
-      include: 'event-topic,event-sub-topic,event-type,event-copyright,tax,owner,stripe-authorization'
+      include: 'event-topic,event-sub-topic,event-type,event-copyright,tax,owner,organizers,coorganizers,track-organizers,registrars,moderators,stripe-authorization'
     });
   },
 

app/routes/events/view/edit.js

@@ -12,6 +12,14 @@ export default Route.extend(AuthenticatedRouteMixin, EventWizardMixin, {
     if (transition.targetName === 'events.view.edit.index') {
       this.transitionTo('events.view.edit.basic-details');
     }
+
+    let event = this.modelFor('events.view');
+    let { currentUser } = this.authManager;
+    if (!(currentUser.isAnAdmin || currentUser.email === event.owner.get('email') || event.organizers.includes(currentUser)
+        || event.coorganizers.includes(currentUser) || event.trackOrganizers.includes(currentUser)
+        || event.registrars.includes(currentUser) || event.moderators.includes(currentUser))) {
+      this.transitionTo('index');
+    }
   },
 
   async model() {

app/templates/components/modals/add-user-role-modal.hbs

@@ -20,9 +20,11 @@
         </div>
         <div class="menu">
           {{#each data.roles as |role|}}
-            <div class="item" data-value="{{map-value mapper role}}">
-              {{role.name}}
-            </div>
+            {{#if (not-eq role.name 'owner')}}
+              <div class="item" data-value="{{map-value mapper role}}">
+                {{role.name}}
+              </div>
+            {{/if}}
           {{/each}}
         </div>
       {{/ui-dropdown}}