diff --git a/packages/graphql/api/orders.ts b/packages/graphql/api/orders.ts
index a1e421b..7847640 100644
--- a/packages/graphql/api/orders.ts
+++ b/packages/graphql/api/orders.ts
@@ -7,6 +7,7 @@ import { CustomersService } from './customers';
 import { ServicesService } from './services';
 import { SlotsService } from './slots';
 import { type VariablesOf } from '@graphql-typed-document-node/core';
+import { isCustomerMaster } from '@repo/utils/customer';
 import { formatTime, sumTime } from '@repo/utils/datetime-format';
 
 const ERRORS = {
@@ -14,10 +15,13 @@ const ERRORS = {
 INVALID_MASTER: 'Invalid master',
 INVALID_SERVICE_DURATION: 'Invalid service duration',
 MISSING_CLIENT: 'Missing client id',
+ MISSING_ORDER: 'Order not found',
 MISSING_SERVICE_ID: 'Missing service id',
 MISSING_SERVICES: 'Missing services',
 MISSING_SLOT: 'Missing slot id',
 MISSING_START_TIME: 'Missing time start',
+ MISSING_USER: 'User not found',
+ NO_PERMISSION: 'No permission',
 SLOT_CLOSED: 'Slot is closed',
 };
 
@@ -112,6 +116,30 @@ export class OrdersService extends BaseService {
 }
 
 async updateOrder(variables: VariablesOf) {
+ const customersService = new CustomersService(this.customer);
+ const { customer } = await customersService.getCustomer(this.customer);
+
+ if (!customer) throw new Error(ERRORS.MISSING_USER);
+
+ const { query } = await getClientWithToken();
+
+ const {
+ data: { order },
+ } = await query({
+ query: GQL.GetOrderDocument,
+ variables: { documentId: variables.documentId },
+ });
+
+ if (!order) throw new Error(ERRORS.MISSING_ORDER);
+
+ const isMaster = isCustomerMaster(customer);
+
+ const hasPermission =
+ (isMaster && order.slot?.master?.documentId === customer.documentId) ||
+ (!isMaster && order.client?.documentId === customer.documentId);
+
+ if (!hasPermission) throw new Error(ERRORS.NO_PERMISSION);
+
 const { mutate } = await getClientWithToken();
 
 const mutationResult = await mutate({
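Review bot: The `hasPermission` comparison in `updateOrder` can succeed on two missing ids: for a non-master caller, `order.client?.documentId === customer.documentId` is true when the order has no client and `customer.documentId` is undefined, so the check would fail open rather than closed. Whether `customer.documentId` can be absent depends on the generated types, which the hunk does not show, but resolving the owner first makes the intent explicit: `const ownerId = isMaster ? order.slot?.master?.documentId : order.client?.documentId;` followed by `const hasPermission = ownerId != null && ownerId === customer.documentId;`. The check also only proves the caller is tied to the order as it is currently stored; the `mutate` call continues outside the hunk, so confirm that the remaining fields of `variables` cannot reassign `client` or `slot` once the check has passed. Since both the lookup and the mutation go through `getClientWithToken()`, this application-level check appears to be the only gate on the update, which makes the fail-closed form worth having.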