diff --git a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
index 72cb2412..5a387e1b 100644
--- a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
+++ b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
@@ -23,7 +23,6 @@ export default async function Review({ params }: ReviewProps) {
   });
   if (!review) redirect("/404");
-  if (review.userId !== session.user.id) redirect("/404");
   const opportunityTitle = db.opportunity.findUnique({
     where: {
diff --git a/server/api/routers/review.ts b/server/api/routers/review.ts
index 94f3634f..1941cf47 100644
--- a/server/api/routers/review.ts
+++ b/server/api/routers/review.ts
@@ -14,6 +14,30 @@ export const reviewRouter = createTRPCRouter({
     )
     .mutation(async ({ input, ctx }) => {
       const { id, content, status } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       await ctx.db.review.update({
         data: { content, status },
         where: { id },
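Review bot: Removing the `if (review.userId !== session.user.id) redirect("/404");` line leaves the review page with no read-side ownership check, so any signed-in user who knows a review id can render it; the admin-or-owner rule this commit adds to `updateById` guards only the mutation, not this page. If the goal is to let opportunity admins view reviews, the page should apply the same rule — load the opportunity's admins and `redirect("/404")` when the caller is neither an admin nor the review's `userId` — rather than dropping the check outright. The `Review` component continues outside the hunk, so a replacement check further down cannot be ruled out from here, but nothing in this hunk supplies one.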
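Review bot: The new guards in `updateById` throw plain `Error("Review not found")` and `Error("Unauthorized")`, which tRPC reports to the client as an internal server error instead of a distinguishable status; prefer `throw new TRPCError({ code: "NOT_FOUND" })` and `throw new TRPCError({ code: "FORBIDDEN" })` (the caller is authenticated but lacks rights, so FORBIDDEN rather than UNAUTHORIZED). The same lookup-and-check block is repeated verbatim in the `deleteById` hunk; extracting it into one shared helper called from both mutations keeps the authorization rule in a single place. Testing `review.userId === ctx.session.user.id` before the opportunity query would also skip the second round-trip for owners. `review.application.opportunityId` assumes the application relation is always present — if it is optional in the schema, that dereference needs a guard.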
@@ -22,6 +46,31 @@ export const reviewRouter = createTRPCRouter({
   deleteById: protectedProcedure
     .input(z.object({ id: z.number() }))
     .mutation(async ({ input, ctx }) => {
+      const { id } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       return await ctx.db.review.delete({
         where: { id: input.id,