github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: restrict trip listing and access to own/shared trips only (#250)

Browse Source 
Remove admin override that returned all trips regardless of ownership.
Admins now see only their own trips and trips where they are a member.
This commit is contained in:
Maurice
2026-04-01 09:29:28 +02:00
parent fb2e8d8209
commit 8c85ea3644
1 changed files with 11 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
server/src/routes/trips.ts
View File

@@ -126,19 +126,12 @@ router.get('/', authenticate, (req: Request, res: Response) => {
const authReq = req as AuthRequest; const authReq = req as AuthRequest;
const archived = req.query.archived === '1' ? 1 : 0; const archived = req.query.archived === '1' ? 1 : 0;
const userId = authReq.user.id; const userId = authReq.user.id;
const isAdminUser = authReq.user.role === 'admin'; const trips = db.prepare(`
const trips = isAdminUser ${TRIP_SELECT}
? db.prepare(` LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
${TRIP_SELECT} WHERE (t.user_id = :userId OR m.user_id IS NOT NULL) AND t.is_archived = :archived
WHERE t.is_archived = :archived ORDER BY t.created_at DESC
ORDER BY t.created_at DESC `).all({ userId, archived });
`).all({ userId, archived })
: db.prepare(`
${TRIP_SELECT}
LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
WHERE (t.user_id = :userId OR m.user_id IS NOT NULL) AND t.is_archived = :archived
ORDER BY t.created_at DESC
`).all({ userId, archived });
res.json({ trips }); res.json({ trips });
}); });
@@ -171,14 +164,11 @@ router.post('/', authenticate, (req: Request, res: Response) => {
router.get('/:id', authenticate, (req: Request, res: Response) => { router.get('/:id', authenticate, (req: Request, res: Response) => {
const authReq = req as AuthRequest; const authReq = req as AuthRequest;
const userId = authReq.user.id; const userId = authReq.user.id;
const isAdminUser = authReq.user.role === 'admin'; const trip = db.prepare(`
const trip = isAdminUser ${TRIP_SELECT}
? db.prepare(`${TRIP_SELECT} WHERE t.id = :tripId`).get({ userId, tripId: req.params.id }) LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
: db.prepare(` WHERE t.id = :tripId AND (t.user_id = :userId OR m.user_id IS NOT NULL)
${TRIP_SELECT} `).get({ userId, tripId: req.params.id });
LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
WHERE t.id = :tripId AND (t.user_id = :userId OR m.user_id IS NOT NULL)
`).get({ userId, tripId: req.params.id });
if (!trip) return res.status(404).json({ error: 'Trip not found' }); if (!trip) return res.status(404).json({ error: 'Trip not found' });
res.json({ trip }); res.json({ trip });
}); });