Implement access controlled edit schedule endpoint

Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled.
2025-03-11 14:11:05 +01:00 · 2025-03-11 14:11:05 +01:00 · 5255ed698e
commit 5255ed698e
parent bb306ee938
3 changed files with 121 additions and 0 deletions
--- a/server/api/schedule.patch.ts
+++ b/server/api/schedule.patch.ts
@ -0,0 +1,88 @@
+import type { SchedulePatch } from "~/shared/types/schedule";
+import { readAccounts, readSchedule, writeSchedule } from "~/server/database";
+import { broadcastUpdate } from "~/server/streams";
+import { applyChangeArray } from "~/shared/utils/changes";
+
+function isChange(change: unknown) {
+	return (
+		typeof change === "object"
+		&& change !== null
+		&& "op" in change
+		&& (
+			change.op === "set" || change.op === "del"
+		)
+		&& "data" in change
+		&& typeof change.data === "object"
+		&& change.data !== null
+		&& "id" in change.data
+		&& typeof change.data.id === "string"
+	)
+}
+
+function isChangeArray(data: unknown) {
+	return data instanceof Array && data.every(item => isChange(item));
+}
+
+function isPatch(data: unknown): SchedulePatch {
+	if (
+		typeof data !== "object"
+		|| data === null
+		|| data instanceof Array
+		|| "locations" in data && !isChangeArray(data.locations)
+		|| "events" in data && !isChangeArray(data.events)
+		|| "roles" in data && !isChangeArray(data.roles)
+		|| "rota" in data && !isChangeArray(data.rota)
+	)
+		throw new Error("Invalid patch data")
+	return data // TODO: Actually validate the whole structure with e.g ajv or zod
+}
+
+export default defineEventHandler(async (event) => {
+	const session = await requireAccountSession(event);
+	const accounts = await readAccounts();
+	const account = accounts.find(a => a.id === session.accountId);
+	if (!account) {
+		throw new Error("Account does not exist");
+	}
+
+	if (account.type !== "admin" && account.type !== "crew") {
+		throw createError({
+			status: 403,
+			statusMessage: "Forbidden",
+			message: "Only crew and admin accounts can edit the schedule.",
+		});
+	}
+
+	const schedule = await readSchedule();
+	const patch = await readValidatedBody(event, isPatch);
+
+	// Validate edit restrictions for crew
+	if (account.type === "crew") {
+		if (patch.locations?.length) {
+			throw createError({
+				status: 403,
+				statusMessage: "Forbidden",
+				message: "Only admin accounts can edit locations.",
+			});
+		}
+		for (const event of patch.events ?? []) {
+			const id = event.op === "set" ? event.data.id : event.id;
+			const original = schedule.events.find(e => e.id === id);
+			if (original && !original.crew) {
+				throw createError({
+					status: 403,
+					statusMessage: "Forbidden",
+					message: "Only admin accounts can edit public events.",
+				});
+			}
+		}
+	}
+
+	if (patch.events) applyChangeArray(patch.events, schedule.events);
+	if (patch.locations) applyChangeArray(patch.locations, schedule.locations);
+	if (patch.roles) applyChangeArray(patch.roles, schedule.roles = schedule.roles ?? []);
+	if (patch.rota) applyChangeArray(patch.rota, schedule.rota = schedule.rota ?? []);
+
+	await writeSchedule(schedule);
+	await broadcastUpdate(schedule);
+})