From ec294eaabe19e792cefd74df89b84a3784953a24 Mon Sep 17 00:00:00 2001
From: Thomas Ruoff
Date: Tue, 25 Aug 2020 23:56:41 +0200
Subject: [PATCH] add patch for bookings and only allow status
---
 db/index.js | 8 ++++++--
 pages/api/booking/[uuid].js | 37 +++++++++++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/db/index.js b/db/index.js
index 48a807a..dd0f2f4 100644
--- a/db/index.js
+++ b/db/index.js
@@ -42,8 +42,12 @@ export async function getBookedDays() {
 export async function getBookingByUUID(uuid) {
 await connect()
 const booking = await Booking.findOne({ uuid })
- await booking.populate('booker').execPopulate()
- return booking
+ return booking.populate('booker').execPopulate()
+}
+
+export async function getBookingByUUIDAsJSON(uuid) {
+ const booking = await getBookingByUUID(uuid)
+ return booking.toJSON()
 }
 export async function createBooking({
diff --git a/pages/api/booking/[uuid].js b/pages/api/booking/[uuid].js
index a9e8933..29ce52f 100644
--- a/pages/api/booking/[uuid].js
+++ b/pages/api/booking/[uuid].js
@@ -1,4 +1,5 @@
-import { getBookingByUUID, createBooking } from '../../../db/index'
+import { getBookingByUUID, getBookingByUUIDAsJSON } from '../../../db/index'
+import { BOOKING_STATUS } from '../../../db/bookingStatus'
 export default async function userHandler(req, res) {
 const {
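Review bot: In `db/index.js`, `getBookingByUUID` calls `booking.populate('booker')` on whatever `Booking.findOne({ uuid })` returned, and the new `getBookingByUUIDAsJSON` then calls `booking.toJSON()`, with no check for a missing document. Assuming `Booking` is a Mongoose model, `findOne` resolves to `null` when nothing matches, so a uuid that does not exist raises a TypeError instead of giving the caller a value it can turn into a 404. I would add `if (!booking) return null` before the populate call and end the JSON variant with `return booking ? booking.toJSON() : null`, so the API route can answer not-found explicitly for unknown or mistyped uuids.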
@@ -10,9 +11,41 @@ export default async function userHandler(req, res) {
 switch (method) {
 case 'GET':
- booking = await getBookingByUUID(uuid)
+ booking = await getBookingByUUIDAsJSON(uuid)
 res.status(200).json(booking)
 break
+ case 'PATCH':
+ booking = await getBookingByUUID(uuid)
+ const readonlyProps = Object.keys(req.body).filter(
+ (key) => key !== 'status'
+ )
+
+ if (readonlyProps.length) {
+ res
+ .status(400)
+ .end(
+ `The following attributes cannot be changed: ${readonlyProps.join(
+ ', '
+ )}`
+ )
+ break
+ }
+
+ if (!Object.values(BOOKING_STATUS).includes(req.body.status)) {
+ res
+ .status(400)
+ .end(
+ `The attribute status can only be: ${Object.values(
+ BOOKING_STATUS
+ ).join(', ')}`
+ )
+ break
+ }
+
+ booking.status = req.body.status
+ await booking.save()
+ res.status(200).json(booking.toJSON())
+ break
 default:
 res.setHeader('Allow', ['POST'])
 res.status(405).end(`Method ${method} Not Allowed`)
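Review bot: The new `PATCH` case changes `booking.status` for any caller who presents a valid uuid: between `case 'PATCH':` and `booking.save()` there is no session or role check, and every value in `BOOKING_STATUS` is accepted whatever the booking's current status is. The start of `userHandler` lies outside this hunk, so a check may already exist there; if it does not, and the uuid is also what the booker receives as a link, the person who made a booking can presumably move it to any state, so the case should verify who is calling and which transitions that caller may make before saving. A comment such as `// knowing the uuid must not be enough to change status; check the caller's role first` above the case would record the intent. `Object.keys(req.body)` also assumes an object body, so a guard like `if (!req.body || typeof req.body !== 'object' || Array.isArray(req.body))` answering 400 is worth adding, and the untouched `default` branch should now read `res.setHeader('Allow', ['GET', 'PATCH'])`.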