From 05e69aacf3a3862b72f4953c09501c9ae5e3a23a Mon Sep 17 00:00:00 2001
From: Trivernis <trivernis@gmail.com>
Date: Wed, 8 Jan 2020 14:54:11 +0100
Subject: [PATCH] Event changes

- changed creation to group-admins only
---
 CHANGELOG.md             | 1 +
 src/graphql/resolvers.ts | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3db8cf7..c3183f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - changed the running behaviour to run in cluster threads via node.js cluster api
 - gql field userVote requires a userId
 - default findUser param limit to 20
+- only group admins can create group events
 
 ### Fixed
 
diff --git a/src/graphql/resolvers.ts b/src/graphql/resolvers.ts
index 5b53d85..94222f8 100644
--- a/src/graphql/resolvers.ts
+++ b/src/graphql/resolvers.ts
@@ -441,8 +441,13 @@ export function resolver(req: any, res: any): any {
         async createEvent({name, dueDate, groupId}: { name: string, dueDate: string, groupId: number }) {
             if (req.session.userId) {
                 const date = new Date(Number(dueDate));
-                const group = await models.Group.findByPk(groupId);
-                return group.$create<models.Event>("rEvent", {name, dueDate: date});
+                const group = await models.Group.findByPk(groupId, {include: [{association: "rAdmins"}]});
+                if (group.rAdmins.find((x) => x.id === req.session.userId)) {
+                    return group.$create<models.Event>("rEvent", {name, dueDate: date});
+                } else {
+                    res.status(status.FORBIDDEN);
+                    return new GraphQLError("You are not a group admin!");
+                }
             } else {
                 res.status(status.UNAUTHORIZED);
                 return new NotLoggedInGqlError();