api/orders: protect update order

packages/graphql/api/orders.ts

@@ -7,6 +7,7 @@ import { CustomersService } from './customers';
 import { ServicesService } from './services';
 import { SlotsService } from './slots';
 import { type VariablesOf } from '@graphql-typed-document-node/core';
+import { isCustomerMaster } from '@repo/utils/customer';
 import { formatTime, sumTime } from '@repo/utils/datetime-format';
 
 const ERRORS = {
@@ -14,10 +15,13 @@ const ERRORS = {
   INVALID_MASTER: 'Invalid master',
   INVALID_SERVICE_DURATION: 'Invalid service duration',
   MISSING_CLIENT: 'Missing client id',
+  MISSING_ORDER: 'Order not found',
   MISSING_SERVICE_ID: 'Missing service id',
   MISSING_SERVICES: 'Missing services',
   MISSING_SLOT: 'Missing slot id',
   MISSING_START_TIME: 'Missing time start',
+  MISSING_USER: 'User not found',
+  NO_PERMISSION: 'No permission',
   SLOT_CLOSED: 'Slot is closed',
 };
 
@@ -112,6 +116,30 @@ export class OrdersService extends BaseService {
   }
 
   async updateOrder(variables: VariablesOf<typeof GQL.UpdateOrderDocument>) {
+    const customersService = new CustomersService(this.customer);
+    const { customer } = await customersService.getCustomer(this.customer);
+
+    if (!customer) throw new Error(ERRORS.MISSING_USER);
+
+    const { query } = await getClientWithToken();
+
+    const {
+      data: { order },
+    } = await query({
+      query: GQL.GetOrderDocument,
+      variables: { documentId: variables.documentId },
+    });
+
+    if (!order) throw new Error(ERRORS.MISSING_ORDER);
+
+    const isMaster = isCustomerMaster(customer);
+
+    const hasPermission =
+      (isMaster && order.slot?.master?.documentId === customer.documentId) ||
+      (!isMaster && order.client?.documentId === customer.documentId);
+
+    if (!hasPermission) throw new Error(ERRORS.NO_PERMISSION);
+
     const { mutate } = await getClientWithToken();
 
     const mutationResult = await mutate({