matthias/dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rights system

Browse Source
This commit is contained in:
Matthias Hochmeister
2026-03-23 10:50:52 +01:00
parent 2bb22850f4
commit 515f14956e
24 changed files with 629 additions and 363 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
backend/src/controllers/booking.controller.ts
View File

@@ -2,7 +2,7 @@ import { Request, Response } from 'express';
import { ZodError } from 'zod';
import bookingService from '../services/booking.service';
import vehicleService from '../services/vehicle.service';
import { hasPermission, resolveRequestRole } from '../middleware/rbac.middleware';
import { permissionService } from '../services/permission.service';
import {
CreateBuchungSchema,
UpdateBuchungSchema,
@@ -217,15 +217,19 @@ class BookingController {
return;
}
// Check ownership: creator can always cancel their own booking
// Check ownership: creator can cancel if they have cancel_own_bookings permission
const booking = await bookingService.getById(id);
if (!booking) {
res.status(404).json({ success: false, message: 'Buchung nicht gefunden' });
return;
}
const isOwner = booking.gebucht_von === req.user!.id;
const role = resolveRequestRole(req);
if (!isOwner && !hasPermission(role, 'bookings:write')) {
const groups: string[] = req.user?.groups ?? [];
const isAdmin = groups.includes('dashboard_admin');
const canCancelOwn = isAdmin || permissionService.hasPermission(groups, 'kalender:cancel_own_bookings');
const canCancelAny = isAdmin || permissionService.hasPermission(groups, 'kalender:delete_bookings');
if (!(isOwner && canCancelOwn) && !canCancelAny) {
res.status(403).json({ success: false, message: 'Keine Berechtigung' });
return;
}