feat(bookings): restrict management to assigned PIC or super admin

Secure API endpoints with requireBookingManager authorization check Update confirmation page to prompt for login if unauthorized Add safe redirect handling to login and guest middleware
2026-05-09 13:28:50 +08:00
parent a56a6706b0
commit cb683d6b3d
11 changed files with 102 additions and 13 deletions
--- a/server/api/public/bookings/[token]/transaction-document.delete.ts
+++ b/server/api/public/bookings/[token]/transaction-document.delete.ts
@@ -1,5 +1,6 @@
 import type { UpdateBookingDetailsResponse } from '~~/shared/booking'

+import { requireBookingManager } from '../../../../utils/auth'
 import {
  clearBookingTransactionDocumentByConfirmationToken,
  getBookingByConfirmationToken
@@ -15,6 +16,8 @@ export default defineEventHandler(async (event): Promise<UpdateBookingDetailsRes
    httpError(404, 'Booking not found')
  }

+  await requireBookingManager(event, booking)
+
  if (booking.status !== 'pending') {
    httpError(409, 'Transaction document can only be changed before confirmation')
  }