fix: event settings visible to admin and owner only (#3432)

Author: shreyanshdwivedi

app/routes/events/view.js

@@ -10,7 +10,7 @@ export default Route.extend({
 
   model(params) {
     return this.store.findRecord('event', params.event_id, {
-      include: 'event-topic,event-sub-topic,event-type,event-copyright,tax,stripe-authorization'
+      include: 'event-topic,event-sub-topic,event-type,event-copyright,tax,owner,stripe-authorization'
     });
   },
 

app/routes/events/view/settings.js

@@ -4,6 +4,12 @@ export default Route.extend({
   titleToken() {
     return this.l10n.t('Settings');
   },
+  beforeModel() {
+    let { currentUser } = this.authManager;
+    if (!(currentUser.isAnAdmin || this.modelFor('events.view').owner.get('email') === currentUser.email)) {
+      this.transitionTo('events.view');
+    }
+  },
   async model() {
     let eventDetails = this.modelFor('events.view');
     return {

app/templates/events/view.hbs

@@ -81,9 +81,11 @@
         {{#link-to 'events.view.export' class='item'}}
           {{t 'Export'}}
         {{/link-to}}
-        {{#link-to 'events.view.settings' class='item'}}
-          {{t 'Settings'}}
-        {{/link-to}}
+        {{#if (or authManager.currentUser.isAnAdmin (eq model.owner.email authManager.currentUser.email))}}
+          {{#link-to 'events.view.settings' class='item'}}
+            {{t 'Settings'}}
+          {{/link-to}}
+        {{/if}}
       {{/tabbed-navigation}}
     </div>
   </div>