backend/src/api/travel/policies/check-update.ts (view raw)
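import { errors } from "@strapi/utils";

/**
 * Strapi policy guarding travel updates.
 *
 * Loads the travel named by `args.id` together with its event and user, then
 * refuses any update whose `data.event` differs from the event the travel is
 * already linked to. For events with the "caroster-plus" module, the update is
 * allowed only for an address listed in `event.administrators`, the address in
 * `event.email`, or the user linked to the travel.
 *
 * @returns `true` when the caller may update the travel, `false` when not.
 *   Nothing is returned for events without the "caroster-plus" module.
 * @throws NotFoundError when the travel, or its linked event, cannot be loaded.
 * @throws UnauthorizedError when `data.event` is not the linked event's id.
 * @throws ForbiddenError when a "caroster-plus" event is updated by a caller
 *   with no authenticated user, or by a user without an email address.
 */
export default async (policyContext, _config, { strapi }) => {
  const travelId = policyContext.args?.id;
  const travel = await strapi.entityService.findOne(
    "api::travel.travel",
    travelId,
    {
      populate: ["event", "user"],
    }
  );

  if (!travel) throw new errors.NotFoundError(`Travel not found`);

  const event = travel.event;
  // A travel whose event relation is empty would otherwise fail on `event.id`
  // with a TypeError; reject it explicitly instead.
  if (!event) throw new errors.NotFoundError(`Travel event not found`);

  // Strict comparison: an update that omits `data.event`, or sends the id with
  // a different type than `event.id`, is rejected as well (fails closed).
  const eventId = policyContext.args?.data?.event;
  if (eventId !== event.id)
    throw new errors.UnauthorizedError("Can't change travel linked event");

  // Events without the module get no verdict from this policy.
  // NOTE(review): confirm how the policy runner treats `undefined`; if it
  // counts as a pass, every caller that reaches this policy may update travels
  // of such events.
  if (!event.enabled_modules?.includes("caroster-plus")) return;

  const user = policyContext.state.user;
  // Every check below keys on user.email. Without it, `undefined` would match
  // a missing `event.email` or a travel with no linked user and grant access.
  if (!user || !user.email) throw new errors.ForbiddenError();

  // `administrators` is a comma-separated list of addresses; matching is an
  // exact, case-sensitive string comparison.
  const admins = event.administrators?.split(/, ?/) || [];
  const isAdmin = [...admins, event.email].includes(user.email);
  const isOwner = travel.user?.email === user.email;

  return isAdmin || isOwner;
};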