recipes: restrict to-try page to editors, remove addedBy

- Gate page and API on rezepte_users group instead of any logged-in user - Remove addedBy field from schema, API POST, and ToTryCard display
2026-02-26 19:18:55 +01:00
parent 9ab7342a61
commit dd4680e946
4 changed files with 11 additions and 27 deletions
--- a/src/lib/components/recipes/ToTryCard.svelte
+++ b/src/lib/components/recipes/ToTryCard.svelte
@@ -90,17 +90,6 @@
 		color: var(--nord4);
 	}
 }
-.footer {
-	font-size: 0.72rem;
-	color: var(--nord3);
-	margin-top: auto;
-	padding-top: 0.3em;
-}
-@media (prefers-color-scheme: dark) {
-	.footer {
-		color: var(--nord4);
-	}
-}
 .card-btn {
 	position: absolute;
 	top: 0.5em;
@@ -155,8 +144,5 @@
 		{#if item.notes}
 			<p class="notes">{item.notes}</p>
 		{/if}
-		<div class="footer">
-			{isEnglish ? 'Added by' : 'Hinzugefügt von'} {item.addedBy}
-		</div>
 	</div>
 </div>
--- a/src/models/ToTryRecipe.ts
+++ b/src/models/ToTryRecipe.ts
@@ -9,8 +9,7 @@ const ToTryRecipeSchema = new mongoose.Schema(
        label: { type: String, default: '' }
      }
    ],
-    notes: { type: String, default: '' },
-    addedBy: { type: String, required: true }
+    notes: { type: String, default: '' }
  },
  { timestamps: true }
 );
--- a/src/routes/[recipeLang=recipeLang]/to-try/+page.server.ts
+++ b/src/routes/[recipeLang=recipeLang]/to-try/+page.server.ts
@@ -6,7 +6,7 @@ import { dbConnect } from '$utils/db';
 export const load: PageServerLoad = async ({ locals, params }) => {
    const session = await locals.auth();

-    if (!session?.user?.nickname) {
+    if (!session?.user?.groups?.includes('rezepte_users')) {
        throw redirect(302, `/${params.recipeLang}`);
    }

--- a/src/routes/api/[recipeLang=recipeLang]/to-try/+server.ts
+++ b/src/routes/api/[recipeLang=recipeLang]/to-try/+server.ts
@@ -5,8 +5,8 @@ import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
  const session = await locals.auth();

-  if (!session?.user?.nickname) {
-    throw error(401, 'Authentication required');
+  if (!session?.user?.groups?.includes('rezepte_users')) {
+    throw error(403, 'Forbidden');
  }

  await dbConnect();
@@ -22,8 +22,8 @@ export const GET: RequestHandler = async ({ locals }) => {
 export const POST: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();

-  if (!session?.user?.nickname) {
-    throw error(401, 'Authentication required');
+  if (!session?.user?.groups?.includes('rezepte_users')) {
+    throw error(403, 'Forbidden');
  }

  const { name, links, notes } = await request.json();
@@ -42,8 +42,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
    const item = await ToTryRecipe.create({
      name: name.trim(),
      links: links.filter((l: any) => l.url?.trim()),
-      notes: notes?.trim() || '',
-      addedBy: session.user.nickname
+      notes: notes?.trim() || ''
    });
    return json(item, { status: 201 });
  } catch (e) {
@@ -54,8 +53,8 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 export const PATCH: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();

-  if (!session?.user?.nickname) {
-    throw error(401, 'Authentication required');
+  if (!session?.user?.groups?.includes('rezepte_users')) {
+    throw error(403, 'Forbidden');
  }

  const { id, name, links, notes } = await request.json();
@@ -99,8 +98,8 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 export const DELETE: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();

-  if (!session?.user?.nickname) {
-    throw error(401, 'Authentication required');
+  if (!session?.user?.groups?.includes('rezepte_users')) {
+    throw error(403, 'Forbidden');
  }

  const { id } = await request.json();