From 686fe60b80f622093fe1d907d4d4418976fbea11 Mon Sep 17 00:00:00 2001
From: vchikalkin <djchikalkin@gmail.com>
Date: Thu, 3 Jul 2025 22:31:41 +0300
Subject: [PATCH] feat(api/orders): add validation to prevent masters from
 recording other masters as clients

---
 packages/graphql/api/orders.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/packages/graphql/api/orders.ts b/packages/graphql/api/orders.ts
index f64eded..f9b55fa 100644
--- a/packages/graphql/api/orders.ts
+++ b/packages/graphql/api/orders.ts
@@ -67,6 +67,15 @@ export class OrdersService extends BaseService {
       }
     }
 
+    if (isMaster) {
+      const { customers: myMasters } = await customersService.getMasters(this.customer);
+
+      const clientId = variables.input.client;
+      const isTryingToRecordMaster = myMasters.some((master) => master?.documentId === clientId);
+
+      if (isTryingToRecordMaster) throw new Error(ERRORS.INVALID_CLIENT);
+    }
+
     if (isMaster && slot?.master?.documentId !== customer.documentId) {
       throw new Error(ERRORS.INVALID_MASTER);
     }