fix: restrict trip listing and access to own/shared trips only (#250)

Remove admin override that returned all trips regardless of ownership. Admins now see only their own trips and trips where they are a member.
2026-04-01 09:29:28 +02:00
parent fb2e8d8209
commit 8c85ea3644
1 changed files with 11 additions and 21 deletions
--- a/server/src/routes/trips.ts
+++ b/server/src/routes/trips.ts
@@ -126,14 +126,7 @@ router.get('/', authenticate, (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  const archived = req.query.archived === '1' ? 1 : 0;
  const userId = authReq.user.id;
-  const isAdminUser = authReq.user.role === 'admin';
-  const trips = isAdminUser
-    ? db.prepare(`
-        ${TRIP_SELECT}
-        WHERE t.is_archived = :archived
-        ORDER BY t.created_at DESC
-      `).all({ userId, archived })
-    : db.prepare(`
+  const trips = db.prepare(`
    ${TRIP_SELECT}
    LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
    WHERE (t.user_id = :userId OR m.user_id IS NOT NULL) AND t.is_archived = :archived
@@ -171,10 +164,7 @@ router.post('/', authenticate, (req: Request, res: Response) => {
 router.get('/:id', authenticate, (req: Request, res: Response) => {
  const authReq = req as AuthRequest;
  const userId = authReq.user.id;
-  const isAdminUser = authReq.user.role === 'admin';
-  const trip = isAdminUser
-    ? db.prepare(`${TRIP_SELECT} WHERE t.id = :tripId`).get({ userId, tripId: req.params.id })
-    : db.prepare(`
+  const trip = db.prepare(`
    ${TRIP_SELECT}
    LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
    WHERE t.id = :tripId AND (t.user_id = :userId OR m.user_id IS NOT NULL)