Allow staff rate changes only before first payment

2026-02-02 07:26:49 +05:30
parent f33d0f1f39
commit 240e8fca25
2 changed files with 16 additions and 2 deletions
--- a/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/room/RoomStays.kt
@@ -1,7 +1,6 @@
 package com.android.trisolarisserver.controller.room
 import com.android.trisolarisserver.controller.common.parseOffset
 import com.android.trisolarisserver.controller.common.requireMember
-import com.android.trisolarisserver.controller.common.requireRole
 import com.android.trisolarisserver.controller.common.requireRoomStayForProperty

 import com.android.trisolarisserver.component.auth.PropertyAccess
@@ -11,6 +10,7 @@ import com.android.trisolarisserver.controller.dto.rate.RoomStayRateChangeRespon
 import com.android.trisolarisserver.models.property.Role
 import com.android.trisolarisserver.models.room.RateSource
 import com.android.trisolarisserver.models.room.RoomStay
+import com.android.trisolarisserver.repo.booking.PaymentRepo
 import com.android.trisolarisserver.repo.property.PropertyUserRepo
 import com.android.trisolarisserver.repo.room.RoomStayRepo
 import com.android.trisolarisserver.security.MyPrincipal
@@ -29,6 +29,7 @@ import java.util.UUID
 class RoomStays(
    private val propertyAccess: PropertyAccess,
    private val propertyUserRepo: PropertyUserRepo,
+    private val paymentRepo: PaymentRepo,
    private val roomStayRepo: RoomStayRepo
 ) {

@@ -75,8 +76,20 @@ class RoomStays(
        @AuthenticationPrincipal principal: MyPrincipal?,
        @RequestBody request: RoomStayRateChangeRequest
    ): RoomStayRateChangeResponse {
-        requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER)
+        val actor = requireMember(propertyAccess, propertyId, principal)
        val stay = requireRoomStayForProperty(roomStayRepo, propertyId, roomStayId)
+        val roles = propertyUserRepo.findRolesByPropertyAndUser(propertyId, actor.userId)
+        val hasPrivilegedRole = roles.contains(Role.ADMIN) || roles.contains(Role.MANAGER)
+        val hasStaffRole = roles.contains(Role.STAFF)
+        if (!hasPrivilegedRole && !hasStaffRole) {
+            throw ResponseStatusException(HttpStatus.FORBIDDEN, "Missing role")
+        }
+        if (!hasPrivilegedRole && paymentRepo.existsByBookingId(stay.booking.id!!)) {
+            throw ResponseStatusException(
+                HttpStatus.FORBIDDEN,
+                "Rate changes are locked after first payment"
+            )
+        }

        val effectiveAt = parseOffset(request.effectiveAt)
            ?: throw ResponseStatusException(HttpStatus.BAD_REQUEST, "effectiveAt required")
--- a/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/repo/booking/PaymentRepo.kt
@@ -7,6 +7,7 @@ import org.springframework.data.repository.query.Param
 import java.util.UUID

 interface PaymentRepo : JpaRepository<Payment, UUID> {
+    fun existsByBookingId(bookingId: UUID): Boolean
    fun findByBookingIdOrderByReceivedAtDesc(bookingId: UUID): List<Payment>
    fun findByReference(reference: String): Payment?
    fun findByGatewayPaymentId(gatewayPaymentId: String): Payment?