diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt b/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt
index 2f4c66f..bfb59f7 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt
@@ -1,7 +1,6 @@
 package com.android.trisolarisserver.controller.room
 import com.android.trisolarisserver.controller.common.parseOffset
 import com.android.trisolarisserver.controller.common.requireMember
-import com.android.trisolarisserver.controller.common.requireRole
 import com.android.trisolarisserver.controller.common.requireRoomStayForProperty
 import com.android.trisolarisserver.component.auth.PropertyAccess
@@ -11,6 +10,7 @@ import com.android.trisolarisserver.controller.dto.rate.RoomStayRateChangeRespon
 import com.android.trisolarisserver.models.property.Role
 import com.android.trisolarisserver.models.room.RateSource
 import com.android.trisolarisserver.models.room.RoomStay
+import com.android.trisolarisserver.repo.booking.PaymentRepo
 import com.android.trisolarisserver.repo.property.PropertyUserRepo
 import com.android.trisolarisserver.repo.room.RoomStayRepo
 import com.android.trisolarisserver.security.MyPrincipal
@@ -29,6 +29,7 @@ import java.util.UUID
 class RoomStays(
  private val propertyAccess: PropertyAccess,
  private val propertyUserRepo: PropertyUserRepo,
+ private val paymentRepo: PaymentRepo,
  private val roomStayRepo: RoomStayRepo
 ) {
@@ -75,8 +76,20 @@ class RoomStays(
  @AuthenticationPrincipal principal: MyPrincipal?,
  @RequestBody request: RoomStayRateChangeRequest
 ): RoomStayRateChangeResponse {
- requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER)
+ val actor = requireMember(propertyAccess, propertyId, principal)
  val stay = requireRoomStayForProperty(roomStayRepo, propertyId, roomStayId)
+ val roles = propertyUserRepo.findRolesByPropertyAndUser(propertyId, actor.userId)
+ val hasPrivilegedRole = roles.contains(Role.ADMIN) || roles.contains(Role.MANAGER)
+ val hasStaffRole = roles.contains(Role.STAFF)
+ if (!hasPrivilegedRole && !hasStaffRole) {
+ throw ResponseStatusException(HttpStatus.FORBIDDEN, "Missing role")
+ }
+ if (!hasPrivilegedRole && paymentRepo.existsByBookingId(stay.booking.id!!)) {
+ throw ResponseStatusException(
+ HttpStatus.FORBIDDEN,
+ "Rate changes are locked after first payment"
+ )
+ }
  val effectiveAt = parseOffset(request.effectiveAt) ?: throw ResponseStatusException(HttpStatus.BAD_REQUEST, "effectiveAt required")
diff --git a/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt b/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt
index 9bf6340..a15a1d0 100644
--- a/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt
@@ -7,6 +7,7 @@ import org.springframework.data.repository.query.Param
 import java.util.UUID
 interface PaymentRepo : JpaRepository {
+ fun existsByBookingId(bookingId: UUID): Boolean
  fun findByBookingIdOrderByReceivedAtDesc(bookingId: UUID): List
  fun findByReference(reference: String): Payment?
  fun findByGatewayPaymentId(gatewayPaymentId: String): Payment?
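Review bot: `stay.booking.id!!` in the payment-lock condition is an unjustified non-null assertion on a value that decides an authorization outcome; prefer `val bookingId = checkNotNull(stay.booking.id) { "room stay booking has no id" }` so a missing id fails as a named invariant rather than an NPE, and use `bookingId` in the `existsByBookingId` call. The inline role gate also re-implements what `requireRole` previously centralized — `Role.ADMIN in roles || Role.MANAGER in roles` reads better than the `contains` chain, and moving the "member with one of these roles, privileged unless a payment exists" decision into a shared helper beside `requireMember` would keep the authorization rule out of the controller body where it is easy to drift from sibling endpoints. `existsByBookingId` locks staff out as soon as any payment row exists for the booking; if `Payment` carries a status (pending, failed, refunded), confirm that an unsettled or reversed payment is meant to lock the rate, otherwise a status-aware query is needed. The enclosing handler continues past the hunk, so the ordering of this check relative to the actual rate write is not visible here.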