one api endpoint for admin/non-admin

2026-03-04 15:07:13 +01:00 · 2021-06-16 23:18:24 +02:00
parent 498f212ee0
commit b6a1e45fcf
5 changed files with 28 additions and 77 deletions
--- a/pages/api/booking/[uuid]/index.ts
+++ b/pages/api/booking/[uuid]/index.ts
@@ -2,8 +2,9 @@ import { NextApiRequest, NextApiResponse } from 'next'
 import { BookingDocument } from '../../../../db/booking'
 import { BOOKING_STATUS } from '../../../../db/enums'
 import { getBookingByUUID } from '../../../../db/index'
+import withSession, { isAdminSession } from '../../../../lib/session'

-export default async function userHandler(
+export default withSession(async function userHandler(
  req: NextApiRequest,
  res: NextApiResponse
 ): Promise<void> {
@@ -19,19 +20,21 @@ export default async function userHandler(
  switch (method) {
    case 'PATCH':
      booking = await getBookingByUUID(uuid)
-      const readonlyProps = Object.keys(req.body).filter(
-        (key) => key !== 'status'
-      )

-      if (readonlyProps.length) {
-        res
-          .status(400)
-          .end(
-            `The following attributes cannot be changed: ${readonlyProps.join(
-              ', '
-            )}`
-          )
-        break
+      if (!isAdminSession(req)) {
+        const deniedPropsForUser = Object.keys(req.body).filter(
+          (key) => key !== 'status'
+        )
+        if (deniedPropsForUser.length) {
+          res
+            .status(400)
+            .end(
+              `The following attributes cannot be changed: ${deniedPropsForUser.join(
+                ', '
+              )}`
+            )
+          break
+        }
      }

      if (!Object.values(BOOKING_STATUS).includes(req.body.status)) {
@@ -45,12 +48,17 @@ export default async function userHandler(
        break
      }

-      booking.status = req.body.status
-      await booking.save()
-      res.status(200).json(booking.toJSON())
+      booking.set(req.body)
+      try {
+        await booking.save()
+        await booking.populate('booker').execPopulate()
+        res.status(200).json(booking.toJSON())
+      } catch (error) {
+        res.status(400).end(`Failed to save booking: ${error.message}`)
+      }
      break
    default:
      res.setHeader('Allow', ['PATCH'])
      res.status(405).end(`Method ${method} Not Allowed`)
  }
-}
+})