allow admin editing

tum-ai · Aug 12, 2024 · a70edae · a70edae
1 parent 90f2364
commit a70edae
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
@@ -23,7 +23,6 @@ export default async function Review({ params }: ReviewProps) {
   });
 
   if (!review) redirect("/404");
-  if (review.userId !== session.user.id) redirect("/404");
 
   const opportunityTitle = db.opportunity.findUnique({
     where: {

diff --git a/server/api/routers/review.ts b/server/api/routers/review.ts
@@ -14,6 +14,30 @@ export const reviewRouter = createTRPCRouter({
     )
     .mutation(async ({ input, ctx }) => {
       const { id, content, status } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       await ctx.db.review.update({
         data: { content, status },
         where: { id },
@@ -22,6 +46,31 @@ export const reviewRouter = createTRPCRouter({
   deleteById: protectedProcedure
     .input(z.object({ id: z.number() }))
     .mutation(async ({ input, ctx }) => {
+      const { id } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       return await ctx.db.review.delete({
         where: {
           id: input.id,