From a0e2f5e634ba256e1c111d16db6d5a82d80082f2 Mon Sep 17 00:00:00 2001
From: les
Date: Mon, 28 Oct 2019 17:42:21 +0100
Subject: [PATCH] [fix] confirm/unconfirm event permission

---
 server/api/controller/event.js | 6 ++++++
 server/api/index.js | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/server/api/controller/event.js b/server/api/controller/event.js
index 958fee5e..7cacf41b 100644
--- a/server/api/controller/event.js
+++ b/server/api/controller/event.js
@@ -124,6 +124,9 @@ const eventController = {
 const id = Number(req.params.event_id)
 const event = await Event.findByPk(id)
 if (!event) { return res.sendStatus(404) }
+ if (!req.user.is_admin && req.user.id !== event.userId) {
+ return res.sendStatus(403)
+ }
 
 try {
 event.is_visible = true
@@ -143,6 +146,9 @@ const eventController = {
 const id = Number(req.params.event_id)
 const event = await Event.findByPk(id)
 if (!event) { return req.sendStatus(404) }
+ if (!req.user.is_admin && req.user.id !== event.userId) {
+ return res.sendStatus(403)
+ }
 
 try {
 event.is_visible = false
diff --git a/server/api/index.js b/server/api/index.js
index bba88c21..9e28c1c4 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -83,8 +83,8 @@ api.post('/settings', fillUser, isAdmin, settingsController.setRequest)
 api.get('/settings/user_locale', settingsController.getUserLocale)
 
 // confirm event
-api.get('/event/confirm/:event_id', isAuth, isAdmin, eventController.confirm)
-api.get('/event/unconfirm/:event_id', isAuth, isAdmin, eventController.unconfirm)
+api.get('/event/confirm/:event_id', isAuth, eventController.confirm)
+api.get('/event/unconfirm/:event_id', isAuth, eventController.unconfirm)
 
 // get event
 api.get('/event/:event_id.:format?', fillUser, eventController.get)
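Review bot: The new guard in `confirm` dereferences `req.user` unconditionally, while the matching route change in server/api/index.js leaves only `isAuth` in front of the handler; if that middleware rejects unauthenticated requests before the handler runs this is fine, but if it merely parses credentials and can leave `req.user` unset, the check throws a TypeError (a 500) instead of answering 401/403, so this is worth confirming against `isAuth`. The ownership test `req.user.id !== event.userId` is strict, so any type mismatch between the session's id and the model's foreign key (string vs number, for example) would deny every owner; normalising both sides, e.g. `Number(req.user.id) !== Number(event.userId)`, or comparing through the model's declared type, avoids that silent lockout. The same three lines are repeated verbatim in the `unconfirm` hunk at `@@ -143`; a small `canModerate(user, event)` helper, or an owner-or-admin middleware mounted in index.js, keeps the policy in one place and makes it testable. The enclosing `confirm` method starts before the hunk and continues past it.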
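Review bot: The not-found branch on the context line directly above the new check in `unconfirm` calls `req.sendStatus(404)`, but `sendStatus` is a response method, so an unknown event id raises a TypeError rather than returning 404; it should read `if (!event) { return res.sendStatus(404) }`, as the `confirm` hunk already does. The commit leaves that line untouched, and because the new 403 check sits below it, unknown ids never reach either status code. The `unconfirm` method begins before the hunk and continues after it.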
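Review bot: Removing `isAdmin` moves the whole authorization decision into the controller, so the router no longer documents who may call these endpoints; a one-line comment on the two routes, `// authorization (event owner or admin) is enforced inside eventController.confirm/unconfirm`, tells the next reader where the policy now lives. Independently of this change, both endpoints alter event visibility over `GET`, which lets link prefetchers, previews or a cross-site navigation trigger the state change if `isAuth` accepts cookie-based sessions; registering them as `api.post('/event/confirm/:event_id', isAuth, eventController.confirm)` (and likewise for unconfirm) is the standard mitigation. Other routes in this hunk use `fillUser`, and it is not visible from the diff whether `isAuth` or `fillUser` is what populates the `req.user` the controller now reads, so that should be checked before merging.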