feat(bookings): restrict management to assigned PIC or super admin

Secure API endpoints with requireBookingManager authorization check Update confirmation page to prompt for login if unauthorized Add safe redirect handling to login and guest middleware
2026-05-09 13:28:50 +08:00
parent a56a6706b0
commit cb683d6b3d
11 changed files with 102 additions and 13 deletions
--- a/server/utils/auth.ts
+++ b/server/utils/auth.ts
@@ -1,4 +1,5 @@
 import type { H3Event } from 'h3'
+import type { PublicBooking } from '~~/shared/booking'

 import { normalizeUsername, type UserRole } from '~~/shared/auth'

@@ -54,6 +55,19 @@ export async function requireRole(event: H3Event, role: UserRole) {
  return auth
 }

+export async function requireBookingManager(event: H3Event, booking: Pick<PublicBooking, 'personInChargeId'>) {
+  const auth = await requireAuth(event)
+
+  if (auth.user.role !== 'super_admin' && auth.user.id !== booking.personInChargeId) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'You are not allowed to manage this booking'
+    })
+  }
+
+  return auth
+}
+
 export async function signInUser(event: H3Event, user: UserAuthRecord, remember: boolean) {
  await createUserSession(event, {
    userId: user.id,