From 05e69aacf3a3862b72f4953c09501c9ae5e3a23a Mon Sep 17 00:00:00 2001
From: Trivernis
Date: Wed, 8 Jan 2020 14:54:11 +0100
Subject: [PATCH] Event changes - changed creation to group-admins only
---
 CHANGELOG.md | 1 +
 src/graphql/resolvers.ts | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3db8cf7..c3183f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - changed the running behaviour to run in cluster threads via node.js cluster api
 - gql field userVote requires a userId
 - default findUser param limit to 20
+- only group admins can create group events
 ### Fixed
diff --git a/src/graphql/resolvers.ts b/src/graphql/resolvers.ts
index 5b53d85..94222f8 100644
--- a/src/graphql/resolvers.ts
+++ b/src/graphql/resolvers.ts
@@ -441,8 +441,13 @@ export function resolver(req: any, res: any): any {
 async createEvent({name, dueDate, groupId}: { name: string, dueDate: string, groupId: number }) {
 if (req.session.userId) {
 const date = new Date(Number(dueDate));
- const group = await models.Group.findByPk(groupId);
- return group.$create("rEvent", {name, dueDate: date});
+ const group = await models.Group.findByPk(groupId, {include: [{association: "rAdmins"}]});
+ if (group.rAdmins.find((x) => x.id === req.session.userId)) {
+ return group.$create("rEvent", {name, dueDate: date});
+ } else {
+ res.status(status.FORBIDDEN);
+ return new GraphQLError("You are not a group admin!");
+ }
 } else {
 res.status(status.UNAUTHORIZED);
 return new NotLoggedInGqlError();
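Review bot: The new admin check in `createEvent` dereferences `group.rAdmins` without first confirming that `findByPk` returned a row, so a `groupId` that matches no group would raise a TypeError instead of a controlled GraphQL error. The removed `group.$create` line had the same gap, and this commit carries it into the authorization path. A guard ahead of the check closes it, for example `if (!group) { return new GraphQLError("Group not found"); }`, together with whatever status code the project uses for missing resources. The strict comparison `x.id === req.session.userId` fails closed if the session stores the id with a different type than the model, which is the safe direction but would lock out real admins, so the stored type is worth confirming. The resolver body starts and ends outside this hunk, so any handling further down is not visible here.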