Update reservation status logic and improve authorization checks for return requests

This commit is contained in:
Alvin
2025-10-22 14:39:29 +02:00
parent 68b0f9c557
commit cb2a0b4344
2 changed files with 20 additions and 14 deletions


@@ -83,7 +83,7 @@ function filterAndDisplayReservations() {
<i class="bi bi-x-lg"></i><span class="btn-text"> Reject Return</span> <i class="bi bi-x-lg"></i><span class="btn-text"> Reject Return</span>
</button> </button>
` : reservation.status === 'APPROVED' ? ` ` : reservation.status === 'APPROVED' ? `
<span class="text-info"><i class="bi bi-check-circle"></i><span class="btn-text"> Item Loaned</span></span> <span class="text-success"><i class="bi bi-check-circle"></i><span class="btn-text"> Currently Borrowed</span></span>
` : reservation.status === 'RETURNED' ? ` ` : reservation.status === 'RETURNED' ? `
<button class="btn btn-secondary" onclick="archiveReservation('${reservation._id}')" title="Archive Reservation"> <button class="btn btn-secondary" onclick="archiveReservation('${reservation._id}')" title="Archive Reservation">
<i class="bi bi-archive"></i><span class="btn-text"> Archive</span> <i class="bi bi-archive"></i><span class="btn-text"> Archive</span>


@@ -97,7 +97,7 @@ router.post('/', auth, async (req, res) => {
} }
}); });
// Update reservation status (admin can update any, students can only mark as returned) // Update reservation status (admin can update any, students can only request returns)
router.patch('/:id', auth, async (req, res) => { router.patch('/:id', auth, async (req, res) => {
try { try {
const reservation = await Reservation.findById(req.params.id).populate('userId'); const reservation = await Reservation.findById(req.params.id).populate('userId');
@@ -108,19 +108,25 @@ router.patch('/:id', auth, async (req, res) => {
// Check authorization // Check authorization
const isAdmin = req.user.role === 'admin'; const isAdmin = req.user.role === 'admin';
const isOwner = reservation.userId._id.toString() === req.user._id.toString(); const isOwner = reservation.userId._id.toString() === req.user._id.toString();
const isReturning = req.body.status === 'RETURN_PENDING'; const isRequestingReturn = req.body.status === 'RETURN_PENDING';
if (!isAdmin && (!isOwner || !isReturning)) { // Students can only request returns on their own approved reservations
return res.status(403).json({ if (!isAdmin) {
message: 'Not authorized. Students can only request return of their own items.' if (!isOwner) {
}); return res.status(403).json({
} message: 'Not authorized. Students can only request return of their own items.'
});
// Additional validation for students }
if (!isAdmin && isReturning && reservation.status !== 'APPROVED') { if (!isRequestingReturn) {
return res.status(400).json({ return res.status(403).json({
message: 'Can only request return for approved items' message: 'Students can only request returns, not change other statuses.'
}); });
}
if (reservation.status !== 'APPROVED') {
return res.status(400).json({
message: 'Can only request return for approved items'
});
}
} }
const item = await Item.findById(reservation.itemId); const item = await Item.findById(reservation.itemId);
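Review bot: The new `if (!isAdmin)` block decides authorization from `isOwner`, but `isOwner` on the line just above it dereferences `reservation.userId._id` with no null guard, so a reservation whose populated user is missing (for example a deleted account) throws a TypeError before any of the three new checks run and ends in the route's generic catch rather than in a deliberate denial. Because this is the access-control gate for non-admins, that case should fail closed explicitly: `const isOwner = reservation.userId?._id?.toString() === req.user._id.toString();` makes `isOwner` false and sends the request to the existing 403 branch, and it also keeps the admin path from throwing on the same data. The catch handler that would receive the exception is outside this hunk, so the status it returns cannot be confirmed here. Since `req.body.status` is only constrained for non-admins in this block, the admin path presumably validates it further down; if it does not, an allow-list of permitted status values is worth adding there.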