Restrict room create/update to admins

2026-02-01 23:32:04 +05:30
parent d01b853f5e
commit ba5bd0ca02
1 changed files with 3 additions and 5 deletions
--- a/src/main/kotlin/com/android/trisolarisserver/controller/room/Rooms.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/room/Rooms.kt
@@ -1,7 +1,7 @@
 package com.android.trisolarisserver.controller.room
 import com.android.trisolarisserver.controller.common.parseDate
 import com.android.trisolarisserver.controller.common.requireMember
 import com.android.trisolarisserver.controller.common.requirePrincipal
 import com.android.trisolarisserver.controller.common.requireRole
 import com.android.trisolarisserver.component.auth.PropertyAccess
 import com.android.trisolarisserver.component.room.RoomBoardEvents
@@ -280,8 +280,7 @@ class Rooms(
        @AuthenticationPrincipal principal: MyPrincipal?,
        @RequestBody request: RoomUpsertRequest
    ): RoomResponse {
-        requirePrincipal(principal)
+        requireRole(propertyAccess, propertyId, principal, Role.ADMIN)
        propertyAccess.requireMember(propertyId, principal!!.userId)
        if (roomRepo.existsByPropertyIdAndRoomNumber(propertyId, request.roomNumber)) {
            throw ResponseStatusException(HttpStatus.CONFLICT, "Room number already exists for property")
@@ -327,8 +326,7 @@ class Rooms(
        @AuthenticationPrincipal principal: MyPrincipal?,
        @RequestBody request: RoomUpsertRequest
    ): RoomResponse {
-        requirePrincipal(principal)
+        requireRole(propertyAccess, propertyId, principal, Role.ADMIN)
        propertyAccess.requireMember(propertyId, principal!!.userId)
        val room = roomRepo.findByIdAndPropertyId(roomId, propertyId)
            ?: throw ResponseStatusException(HttpStatus.NOT_FOUND, "Room not found for property")