From 417e004141af00ad5e5e34f427a930f3ce19d30e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20G=C3=BCndling?=
Date: Mon, 24 Feb 2025 12:04:19 +0100
Subject: [PATCH] cancel request: user + time check (#226)

* cancel request: user + time check

* Add where clause in cancel_request stored procedure early exit

---------

Co-authored-by: nils
---
 migrations/2024-07-01.js | 30 ++++++++++++++++---
 src/lib/server/db/cancelRequest.test.ts | 12 ++++----
 src/lib/server/db/cancelRequest.ts | 4 +--
 src/lib/testHelpers.ts | 2 +-
 .../bookings/[slug]/+page.server.ts | 9 ++----
 .../(customer)/bookings/[slug]/+page.svelte | 3 +-
 6 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/migrations/2024-07-01.js b/migrations/2024-07-01.js
index fbc0edd6..7793db38 100644
--- a/migrations/2024-07-01.js
+++ b/migrations/2024-07-01.js
@@ -375,7 +375,7 @@ END;
 $$ LANGUAGE plpgsql;
 `.execute(db);

-await sql`
+ await sql`
 CREATE OR REPLACE FUNCTION create_and_merge_tours(
 p_request request_type,
 p_event1 event_type,
@@ -412,14 +412,36 @@ END;
 $$ LANGUAGE plpgsql;
 `.execute(db);

-await sql`
+ await sql`
 CREATE OR REPLACE PROCEDURE cancel_request(
- p_request_id INTEGER
+ p_request_id INTEGER,
+ p_user_id INTEGER,
+ p_now BIGINT
 ) AS $$
 DECLARE
 v_tour_id INTEGER;
 v_all_requests_cancelled BOOLEAN;
 BEGIN
+ IF NOT EXISTS (
+ SELECT 1
+ FROM request r
+ WHERE r.customer = p_user_id
+ AND r.id = p_request_id
+ ) THEN
+ RETURN;
+ END IF;
+
+ IF (
+ SELECT communicated_time
+ FROM request r
+ JOIN event e ON r.id = e.request
+ WHERE r.id = p_request_id
+ ORDER BY e.communicated_time ASC
+ LIMIT 1
+ ) <= p_now THEN
+ RETURN;
+ END IF;
+
 UPDATE request r
 SET cancelled = true
 WHERE r.id = p_request_id;
@@ -445,7 +467,7 @@ END;
 $$ LANGUAGE plpgsql;
 `.execute(db);

-await sql`
+ await sql`
 CREATE OR REPLACE PROCEDURE cancel_tour(
 p_tour_id INTEGER,
 p_company_id INTEGER,
diff --git a/src/lib/server/db/cancelRequest.test.ts b/src/lib/server/db/cancelRequest.test.ts
index b2d2ad0f..0124e3ac 100644
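Review bot: A database that has already applied this migration keeps the one-argument `cancel_request(INTEGER)`, because the change edits an existing migration file (normally not re-run) and, in PostgreSQL, `CREATE OR REPLACE PROCEDURE` with a different parameter list defines a second overload instead of replacing the first. That older overload has neither the ownership check nor the time check added in the `@@ -412,14 +412,36 @@` hunk. If any such database exists, a follow-up migration that creates the three-argument procedure and runs `DROP PROCEDURE IF EXISTS cancel_request(INTEGER);` would remove it. Both new guards also leave with a bare `RETURN;`, so the caller gets no signal that a cancel was refused; a comment above them such as `-- no-op unless p_user_id owns the request and its earliest communicated_time is after p_now` would at least record that contract.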
--- a/src/lib/server/db/cancelRequest.test.ts
+++ b/src/lib/server/db/cancelRequest.test.ts
@@ -22,13 +22,13 @@ describe('tests for cancelling requests', () => {
 const v = await addTaxi(c, { passengers: 0, bikes: 0, wheelchairs: 0, luggage: 0 });
 const t = await setTour(v, 0, 0);
 const r = (await setRequest(t!.id, u.id, '')).id;
- const e1 = await setEvent(r, 0, true, 1, 1);
- const e2 = await setEvent(r, 0, false, 1, 1);
+ const e1 = await setEvent(r, Date.now() + 7200, true, 1, 1);
+ const e2 = await setEvent(r, Date.now() + 7200, false, 1, 1);
 const r2 = (await setRequest(t!.id, u.id, '')).id;
- await setEvent(r2, 0, true, 1, 1);
- await setEvent(r2, 0, false, 1, 1);
+ await setEvent(r2, Date.now() + 7200, true, 1, 1);
+ await setEvent(r2, Date.now() + 7200, false, 1, 1);

- await cancelRequest(r);
+ await cancelRequest(r, u.id);
 const events = await selectEvents();
 expect(events.length).toBe(4);
 events.forEach((e) => {
@@ -45,7 +45,7 @@ describe('tests for cancelling requests', () => {
 }
 });

- await cancelRequest(r2);
+ await cancelRequest(r2, u.id);
 const events2 = await selectEvents();
 expect(events2.length).toBe(4);
 events2.forEach((e) => {
diff --git a/src/lib/server/db/cancelRequest.ts b/src/lib/server/db/cancelRequest.ts
index cb2b2fb4..89c169cf 100644
--- a/src/lib/server/db/cancelRequest.ts
+++ b/src/lib/server/db/cancelRequest.ts
@@ -1,6 +1,6 @@
 import { sql } from 'kysely';
 import { db } from '.';

-export const cancelRequest = async (requestId: number) => {
- await sql`CALL cancel_request(${requestId})`.execute(db);
+export const cancelRequest = async (requestId: number, userId: number) => {
+ await sql`CALL cancel_request(${requestId}, ${userId}, ${Date.now()})`.execute(db);
 };
diff --git a/src/lib/testHelpers.ts b/src/lib/testHelpers.ts
index 6245474d..df0a0b48 100644
--- a/src/lib/testHelpers.ts
+++ b/src/lib/testHelpers.ts
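Review bot: The updated test in `cancelRequest.test.ts` only exercises the permitted path, so neither new guard in `cancel_request` is covered: there is no case that passes a different user's id, and none where the earliest event time is already in the past, each of which should leave the request uncancelled. The same applies to the second hunk (`cancelRequest(r2, u.id)`). Also, `Date.now() + 7200` places the events only 7.2 seconds ahead if `communicated_time` is in milliseconds like `Date.now()`; if two hours was intended that would be `Date.now() + 7200 * 1000`, and a wider margin keeps the test from racing the clock. The enclosing `describe` block starts and ends outside both hunks.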
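Review bot: `cancelRequest` in `cancelRequest.ts` resolves to nothing whether or not the procedure cancelled anything, and that contract is not documented where callers will read it. A doc comment would help, for example `/** Cancels requestId only if userId owns it and its first event is still in the future; otherwise does nothing. */`. It is also worth stating there that the cutoff comes from the application server's clock via `Date.now()` rather than from the database.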
@@ -108,7 +108,7 @@ export const setEvent = async (
 address: '',
 cancelled: false
 })
- .returning('id')
+ .returning('event.id')
 .executeTakeFirstOrThrow()
 ).id;
 };
diff --git a/src/routes/(customer)/bookings/[slug]/+page.server.ts b/src/routes/(customer)/bookings/[slug]/+page.server.ts
index 2ea38b2b..01492474 100644
--- a/src/routes/(customer)/bookings/[slug]/+page.server.ts
+++ b/src/routes/(customer)/bookings/[slug]/+page.server.ts
@@ -40,14 +40,9 @@ export const load: PageServerLoad = async ({ params, locals }) => {

 export const actions = {
 default: async ({ request, locals }): Promise<{ msg: Msg }> => {
- const user = locals.session?.userId;
 const formData = await request.formData();
- const customer = readInt(formData.get('customerId'));
- if (!user || user != customer) {
- return { msg: msg('accountDoesNotExist') };
- }
 const requestId = readInt(formData.get('requestId'));
- await cancelRequest(requestId);
- return { msg: msg('requestCancelled') };
+ await cancelRequest(requestId, locals.session!.userId!);
+ return { msg: msg('requestCancelled', 'success') };
 }
 };
diff --git a/src/routes/(customer)/bookings/[slug]/+page.svelte b/src/routes/(customer)/bookings/[slug]/+page.svelte
index 9154c10e..02378dc8 100644
--- a/src/routes/(customer)/bookings/[slug]/+page.svelte
+++ b/src/routes/(customer)/bookings/[slug]/+page.svelte
@@ -68,8 +68,7 @@ {t.booking.noCancel}
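Review bot: The default action in `+page.server.ts` now returns `msg('requestCancelled', 'success')` unconditionally, while `cancel_request` exits silently when the caller does not own the request or the first event time has passed, so a refused cancel is reported to the user as successful. `cancelRequest` would need to report the outcome (for instance by reading the request's `cancelled` flag afterwards) so the action can return an error message instead. Separately, `locals.session!.userId!` replaces the removed `!user` check with non-null assertions; unless a hook outside this hunk already rejects unauthenticated requests for this route group, a missing session throws here instead of returning a message, and `const userId = locals.session?.userId; if (!userId) return { msg: msg('accountDoesNotExist') };` would keep the explicit guard.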
- - + {t.booking.cancelTrip}