recipes: restrict to-try page to editors, remove addedBy

- Gate page and API on rezepte_users group instead of any logged-in user - Remove addedBy field from schema, API POST, and ToTryCard display
2026-02-26 19:18:55 +01:00
parent 9ab7342a61
commit dd4680e946
4 changed files with 11 additions and 27 deletions
--- a/src/lib/components/recipes/ToTryCard.svelte
+++ b/src/lib/components/recipes/ToTryCard.svelte
@@ -90,17 +90,6 @@
 		color: var(--nord4);
 	}
 }
 .footer {
 	font-size: 0.72rem;
 	color: var(--nord3);
 	margin-top: auto;
 	padding-top: 0.3em;
 }
@media (prefers-color-scheme: dark) {
 	.footer {
 		color: var(--nord4);
 	}
 }
 .card-btn {
 	position: absolute;
 	top: 0.5em;
@@ -155,8 +144,5 @@
 		{#if item.notes}
 			<p class="notes">{item.notes}</p>
 		{/if}
 		<div class="footer">
 			{isEnglish ? 'Added by' : 'Hinzugefügt von'} {item.addedBy}
 		</div>
 	</div>
 </div>
--- a/src/models/ToTryRecipe.ts
+++ b/src/models/ToTryRecipe.ts
@@ -9,8 +9,7 @@ const ToTryRecipeSchema = new mongoose.Schema(
        label: { type: String, default: '' }
      }
    ],
-    notes: { type: String, default: '' },
+    notes: { type: String, default: '' }
    addedBy: { type: String, required: true }
  },
  { timestamps: true }
 );
--- a/src/routes/[recipeLang=recipeLang]/to-try/+page.server.ts
+++ b/src/routes/[recipeLang=recipeLang]/to-try/+page.server.ts
@@ -6,7 +6,7 @@ import { dbConnect } from '$utils/db';
 export const load: PageServerLoad = async ({ locals, params }) => {
    const session = await locals.auth();
-    if (!session?.user?.nickname) {
+    if (!session?.user?.groups?.includes('rezepte_users')) {
        throw redirect(302, `/${params.recipeLang}`);
    }
--- a/src/routes/api/[recipeLang=recipeLang]/to-try/+server.ts
+++ b/src/routes/api/[recipeLang=recipeLang]/to-try/+server.ts
@@ -5,8 +5,8 @@ import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
  const session = await locals.auth();
-  if (!session?.user?.nickname) {
+  if (!session?.user?.groups?.includes('rezepte_users')) {
-    throw error(401, 'Authentication required');
+    throw error(403, 'Forbidden');
  }
  await dbConnect();
@@ -22,8 +22,8 @@ export const GET: RequestHandler = async ({ locals }) => {
 export const POST: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();
-  if (!session?.user?.nickname) {
+  if (!session?.user?.groups?.includes('rezepte_users')) {
-    throw error(401, 'Authentication required');
+    throw error(403, 'Forbidden');
  }
  const { name, links, notes } = await request.json();
@@ -42,8 +42,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
    const item = await ToTryRecipe.create({
      name: name.trim(),
      links: links.filter((l: any) => l.url?.trim()),
-      notes: notes?.trim() || '',
+      notes: notes?.trim() || ''
      addedBy: session.user.nickname
    });
    return json(item, { status: 201 });
  } catch (e) {
@@ -54,8 +53,8 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 export const PATCH: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();
-  if (!session?.user?.nickname) {
+  if (!session?.user?.groups?.includes('rezepte_users')) {
-    throw error(401, 'Authentication required');
+    throw error(403, 'Forbidden');
  }
  const { id, name, links, notes } = await request.json();
@@ -99,8 +98,8 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 export const DELETE: RequestHandler = async ({ request, locals }) => {
  const session = await locals.auth();
-  if (!session?.user?.nickname) {
+  if (!session?.user?.groups?.includes('rezepte_users')) {
-    throw error(401, 'Authentication required');
+    throw error(403, 'Forbidden');
  }
  const { id } = await request.json();