From 593cf6c6d6f17e5b4a76a9ae979a4436552dd2a8 Mon Sep 17 00:00:00 2001
From: lesion
Date: Fri, 2 Dec 2022 14:31:41 +0100
Subject: [PATCH] verify event permission in UI, fix #213
---
 pages/add/_edit.vue | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/pages/add/_edit.vue b/pages/add/_edit.vue
index 338baeef..1b97dd4f 100644
--- a/pages/add/_edit.vue
+++ b/pages/add/_edit.vue
@@ -91,17 +91,33 @@ export default {
 WhereInput,
 DateInput
 },
- validate({ store }) {
- return (store.state.auth.loggedIn || store.state.settings.allow_anon_event)
+ validate({ store, params, error }) {
+ // should we allow anon event?
+ if(!store.state.settings.allow_anon_event && !store.state.auth.loggedIn) {
+ return error({ statusCode: 401, message: 'Not allowed'})
+ }
+
+ // do not allow edit to anon users
+ if (params.edit && !store.state.auth.loggedIn) {
+ return error({ statusCode: 401, message: 'Not allowed'})
+ }
+
+ return true
+
 },
- async asyncData({ params, $axios, error }) {
+ async asyncData({ params, $axios, error, $auth, store }) {
 if (params.edit) {
+
 const data = { event: { place: {}, media: [] } }
 data.id = params.edit
 data.edit = true
 let event
 try {
 event = await $axios.$get('/event/' + data.id)
+ if (!$auth.user.is_admin && $auth.user.id !== event.userId) {
+ error({ statusCode: 401, message: 'Not allowed' })
+ return {}
+ }
 } catch (e) {
 error({ statusCode: 404, message: 'Event not found!' })
 return {}
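Review bot: The ownership test added inside the `try` in `asyncData` is only a UI gate: it runs after `$axios.$get('/event/' + data.id)` has already delivered the event to the client, so the server's update route still has to enforce the admin-or-owner rule, which this patch does not show. A comment above the test would record that, e.g. `// UI gate only; the API must enforce admin-or-owner on update`. Because the test sits inside the `try`, a null `$auth.user` would throw there and surface through the `catch` as 404 'Event not found!'; `if (!$auth.user || (!$auth.user.is_admin && $auth.user.id !== event.userId))` placed after the `catch` avoids that. For a logged-in user who is not the owner, `statusCode: 403` fits better than 401. `asyncData` continues past the end of the hunk.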