From 90f2364e912ba7efa13dfacd0e02350a2a3e90d9 Mon Sep 17 00:00:00 2001
From: Cyro292 <amon@archi.de>
Date: Sat, 27 Jul 2024 17:01:56 +0200
Subject: [PATCH] admin can see but not edit all reviews

---
 .../review/[review_id]/page.tsx               |  6 ++-
 .../[opportunity_id]/review/page.tsx          | 45 ++++++++++++++-----
 2 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
index d51b4286..72cb2412 100644
--- a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
+++ b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
@@ -19,16 +19,18 @@ export default async function Review({ params }: ReviewProps) {
     where: {
       id: Number(params.review_id),
     },
-    include: { application: true, questionnaire: true },
+    include: { application: true, questionnaire: true, user: true },
   });
 
+  if (!review) redirect("/404");
+  if (review.userId !== session.user.id) redirect("/404");
+
   const opportunityTitle = db.opportunity.findUnique({
     where: {
       id: review?.application.opportunityId,
     },
   }).then((opportunity) => opportunity?.title);
 
-  if (!review) redirect("/404");
 
   const questions = review.questionnaire.questions as Question[];
 
diff --git a/app/opportunities/[opportunity_id]/review/page.tsx b/app/opportunities/[opportunity_id]/review/page.tsx
index 46c7a40e..82418145 100644
--- a/app/opportunities/[opportunity_id]/review/page.tsx
+++ b/app/opportunities/[opportunity_id]/review/page.tsx
@@ -22,23 +22,44 @@ export default async function ReviewPage({ params }: ReviewPageProps) {
     include: { admins: true },
   });
 
-  const reviews = await db.review.findMany({
-    where: {
-      application: { opportunityId: Number(params.opportunity_id) },
-      userId: session.user.id,
-    },
-    include: {
-      application: true,
-      user: { select: { name: true } },
-      questionnaire: { include: { phase: true } },
-    },
-  });
+  if (!opportunity) redirect("/404");
+
+  let reviews;
+
+  if (opportunity.admins.some((admin) => admin.id === session.user.id)) {
+
+    reviews = await db.review.findMany({
+      where: {
+        application: { opportunityId: Number(params.opportunity_id) },
+      },
+      include: {
+        application: true,
+        user: { select: { name: true } },
+        questionnaire: { include: { phase: true } },
+      },
+    });
+  } else {
+    reviews = await db.review.findMany({
+      where: {
+        application: { opportunityId: Number(params.opportunity_id) },
+        userId: session.user.id,
+      },
+      include: {
+        application: true,
+        user: { select: { name: true } },
+        questionnaire: { include: { phase: true } },
+      },
+    });
+  }
 
   return (
     <div className="space-y-8 p-8">
       <div className="flex justify-between">
         <div>
-          <Breadcrumbs title={"Reviews"} opportunityTitle={opportunity?.title} />
+          <Breadcrumbs
+            title={"Reviews"}
+            opportunityTitle={opportunity?.title}
+          />
           <h1 className="scroll-m-20 text-4xl font-extrabold tracking-tight lg:text-5xl">
             Reviews
           </h1>