fix: check for correct user when displaying reservation

City-of-Helsinki · May 7, 2024 · fb08651 · fb08651
1 parent 43738b2
commit fb08651
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/apps/ui/modules/queries/reservation.tsx b/apps/ui/modules/queries/reservation.tsx
@@ -170,6 +170,7 @@ export const GET_RESERVATION = gql`
       calendarUrl
       user {
         email
+        pk
       }
       state
       price

diff --git a/apps/ui/pages/reservations/[id]/index.tsx b/apps/ui/pages/reservations/[id]/index.tsx
@@ -1,5 +1,6 @@
 import React, { useMemo } from "react";
 import type { GetServerSidePropsContext } from "next";
+import Error from "next/error";
 import { serverSideTranslations } from "next-i18next/serverSideTranslations";
 import styled from "styled-components";
 import router from "next/router";
@@ -402,7 +403,7 @@ function Reservation({
   reservation,
 }: PropsNarrowed): JSX.Element | null {
   const { t, i18n } = useTranslation();
-  const { isAuthenticated } = useSession();
+  const { isAuthenticated, user } = useSession();
 
   // TODO this should be moved to SSR also
   const { order, isLoading: orderLoading } = useOrder({
@@ -465,12 +466,15 @@ function Reservation({
         return null;
     }
   }, [reservation]);
-
+;
   // NOTE should never end up here (SSR redirect to login)
-  if (!isAuthenticated) {
+  if (!isAuthenticated || reservation.user?.pk !== user?.pk) {
     return <div>{t("common:error.notAuthenticated")}</div>;
   }
 
+  if (reservation.user?.pk !== user?.pk) {
+    return <Error statusCode={403} />;
+  }
   const normalizedOrderStatus =
     getNormalizedReservationOrderStatus(reservation);