From d033686e53d57e9dbeca69a16ac0efd616d5d76c Mon Sep 17 00:00:00 2001
From: androidlover5842
Date: Thu, 29 Jan 2026 09:55:52 +0530
Subject: [PATCH] Restrict booking actions to admin/manager
---
 .../com/android/trisolarisserver/controller/BookingFlow.kt | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt b/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
index 935e347..af9254e 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/BookingFlow.kt
@@ -435,7 +435,7 @@ class BookingFlow(
 }
 
 private fun requireActor(propertyId: UUID, principal: MyPrincipal?): com.android.trisolarisserver.models.property.AppUser {
- val resolved = requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER, Role.STAFF)
+ val resolved = requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER)
 return appUserRepo.findById(resolved.userId).orElseThrow {
 ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not found")
 }
@@ -462,9 +462,7 @@ class BookingFlow(
 property: com.android.trisolarisserver.models.property.Property,
 mode: TransportMode
 ): Boolean {
- val allowed = if (property.allowedTransportModes.isNotEmpty()) {
- property.allowedTransportModes
- } else {
+ val allowed = property.allowedTransportModes.ifEmpty {
 TransportMode.entries.toSet()
 }
 return allowed.contains(mode)
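Review bot: The narrowed role list in `requireActor` is an authorization change that arrives without a regression test or any documentation of the policy; the diffstat shows only BookingFlow.kt touched. Because `requireActor` is a private helper, every booking action in this class that calls it now rejects `Role.STAFF`, and those call sites are outside the hunk, so it is worth confirming each one is meant to be closed to staff. Any role checks in other controllers are not visible here and may still admit STAFF. I would add a KDoc line above the function, e.g. `/** Resolves the caller for booking actions; only ADMIN and MANAGER of the property are accepted, STAFF is rejected. */`, and a test asserting that a STAFF principal is refused. The function body continues past the end of the hunk.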
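Review bot: The fallback `ifEmpty { TransportMode.entries.toSet() }` treats an empty `allowedTransportModes` as "every mode is permitted", a fail-open default that the rewrite preserves but leaves undocumented. A one-line comment above `val allowed`, such as `// Empty allow-list means no restriction is configured: all transport modes pass.`, would make that intent explicit for whoever audits the check later. This refactor is also unrelated to the role restriction named in the commit subject, and splitting it into its own commit would keep the authorization change easier to review. The enclosing function's signature starts above the hunk.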