Kingsmai/dticket.tootaio.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(bookings): restrict management to assigned PIC or super admin

Browse Source 
Secure API endpoints with requireBookingManager authorization check
Update confirmation page to prompt for login if unauthorized
Add safe redirect handling to login and guest middleware
This commit is contained in:
xiaomai
2026-05-09 13:28:50 +08:00
parent a56a6706b0
commit cb683d6b3d
11 changed files with 102 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
server/api/public/bookings/[token]/transaction-document.get.ts
View File

@@ -1,6 +1,7 @@
import { sendStream, setHeader } from 'h3'
import { getBookingTransactionDocumentByConfirmationToken } from '../../../../utils/booking-repository'
import { requireBookingManager } from '../../../../utils/auth'
import { getBookingByConfirmationToken, getBookingTransactionDocumentByConfirmationToken } from '../../../../utils/booking-repository'
import { getRequiredRouteParam, httpError } from '../../../../utils/http'
import {
getSafeDownloadName,
@@ -9,6 +10,14 @@ import {
export default defineEventHandler(async (event) => {
const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
const booking = await getBookingByConfirmationToken(token)
if (!booking) {
httpError(404, 'Booking not found')
}
await requireBookingManager(event, booking)
const document = await getBookingTransactionDocumentByConfirmationToken(token)
if (!document) {