From a70edae10df30fb31c069b8e782ac5db429925f2 Mon Sep 17 00:00:00 2001
From: Cyro292 <amon@archi.de>
Date: Mon, 12 Aug 2024 21:51:00 +0200
Subject: [PATCH] allow admin editing

---
 .../review/[review_id]/page.tsx               |  1 -
 server/api/routers/review.ts                  | 49 +++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
index 72cb2412..5a387e1b 100644
--- a/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
+++ b/app/opportunities/[opportunity_id]/review/[review_id]/page.tsx
@@ -23,7 +23,6 @@ export default async function Review({ params }: ReviewProps) {
   });
 
   if (!review) redirect("/404");
-  if (review.userId !== session.user.id) redirect("/404");
 
   const opportunityTitle = db.opportunity.findUnique({
     where: {
diff --git a/server/api/routers/review.ts b/server/api/routers/review.ts
index 94f3634f..1941cf47 100644
--- a/server/api/routers/review.ts
+++ b/server/api/routers/review.ts
@@ -14,6 +14,30 @@ export const reviewRouter = createTRPCRouter({
     )
     .mutation(async ({ input, ctx }) => {
       const { id, content, status } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       await ctx.db.review.update({
         data: { content, status },
         where: { id },
@@ -22,6 +46,31 @@ export const reviewRouter = createTRPCRouter({
   deleteById: protectedProcedure
     .input(z.object({ id: z.number() }))
     .mutation(async ({ input, ctx }) => {
+      const { id } = input;
+
+      const review = await ctx.db.review.findUnique({
+        where: { id },
+        include: { application: true },
+      });
+
+      if (!review) {
+        throw new Error("Review not found");
+      }
+
+      const opportunity = await ctx.db.opportunity.findUnique({
+        where: { id: review.application.opportunityId },
+        include: { admins: true },
+      });
+
+      if (
+        !opportunity?.admins.some(
+          (admin) => admin.id === ctx.session.user.id,
+        ) &&
+        review.userId !== ctx.session.user.id
+      ) {
+        throw new Error("Unauthorized");
+      }
+
       return await ctx.db.review.delete({
         where: {
           id: input.id,