k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-22 23:01:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

adding permission check for creation and delete of links

Browse Source
This commit is contained in:
Marek Maslowski
2026-04-24 18:50:22 +02:00
parent 3a3267d998
commit ff3a7ddbf0
5 changed files with 81 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/routes/trips.ts
+8 -1
View File
@@ -382,9 +382,13 @@ router.get('/:id/subscribe.ics', authenticate, (req: Request, res: Response) =>
router.post('/:id/subscribe.ics', authenticate, (req: Request, res: Response) => {
const authReq = req as AuthRequest;
if (!canAccessTrip(req.params.id, authReq.user.id)) {
const access = canAccessTrip(req.params.id, authReq.user.id);
if (!access) {
return res.status(404).json({ error: 'Trip not found' });
}
if (!checkPermission('share_manage', authReq.user.role, access.user_id, authReq.user.id, access.user_id !== authReq.user.id)) {
return res.status(403).json({ error: 'No permission' });
}
const result = createOrUpdateCalendarShareLink(req.params.id, authReq.user.id);
const host = req.get('host');
@@ -404,6 +408,9 @@ router.delete('/:id/subscribe.ics', authenticate, (req: Request, res: Response)
const authReq = req as AuthRequest;
const access = canAccessTrip(req.params.id, authReq.user.id);
if (!access) return res.status(404).json({ error: 'Trip not found' });
if (!checkPermission('share_manage', authReq.user.role, access.user_id, authReq.user.id, access.user_id !== authReq.user.id)) {
return res.status(403).json({ error: 'No permission' });
}
deleteCalendarShareLink(req.params.id);
res.json({ success: true });