From 339fff18791a7c3ca7344b5e0c1c6fa67ca96646 Mon Sep 17 00:00:00 2001
From: vchikalkin
Date: Thu, 3 Jul 2025 17:23:36 +0300
Subject: [PATCH] fix(api/orders): refine permission checks for order access based on client and master roles
---
 packages/graphql/api/orders.ts | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/packages/graphql/api/orders.ts b/packages/graphql/api/orders.ts
index 0ff7ea1..f64eded 100644
--- a/packages/graphql/api/orders.ts
+++ b/packages/graphql/api/orders.ts
@@ -1,3 +1,4 @@
+/* eslint-disable sonarjs/cognitive-complexity */
 /* eslint-disable canonical/id-match */
 import { getClientWithToken } from '../apollo/client';
 import * as GQL from '../types';
@@ -141,13 +142,21 @@ export class OrdersService extends BaseService {
 if (!order) throw new Error(ERRORS.MISSING_ORDER);
- const isMaster = isCustomerMaster(customer);
+ const isOrderClient = order.client?.documentId === customer.documentId;
+ const isOrderMaster = order.slot?.master?.documentId === customer.documentId;
- const hasPermission =
- (isMaster && order.slot?.master?.documentId === customer.documentId) ||
- (!isMaster && order.client?.documentId === customer.documentId);
+ if (!isOrderClient && !isOrderMaster) throw new Error(ERRORS.NO_PERMISSION);
- if (!hasPermission) throw new Error(ERRORS.NO_PERMISSION);
+ if (isOrderClient && Object.keys(variables.data).length > 1) throw new Error(ERRORS.NO_PERMISSION);
+ if ( isOrderClient && variables.data.state && variables.data.state !== GQL.Enum_Order_State.Cancelling ) { throw new Error(ERRORS.NO_PERMISSION);
+ }
 const { mutate } = await getClientWithToken();
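Review bot: The new `/* eslint-disable sonarjs/cognitive-complexity */` added at the top of orders.ts is file-wide, so it silences the complexity rule for every method in the file rather than only the update method this patch reworks; prefer `// eslint-disable-next-line sonarjs/cognitive-complexity` directly above that method, or keep the rule enabled by moving the new permission branching into a small helper such as `assertCanUpdateOrder(order, customer, variables.data)`. That helper is also the natural place to tighten the client-side restriction: the checks in the second hunk gate on `Object.keys(variables.data).length > 1` and on `variables.data.state`, which together still let an order client submit a single field other than `state` without hitting either `NO_PERMISSION` throw, so the helper should compare the submitted keys against an explicit allow-list of client-editable fields (here only `state`, and only with the `Cancelling` value) instead of counting keys. The method containing those checks starts and ends outside this chunk.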