Fix: delete registration api permisstion

pbc1017 · pbc1017 · commit 24e596dc8ab4 · 2024-03-08T00:40:03.000+09:00
diff --git a/back/routes/registration.js b/back/routes/registration.js
@@ -264,7 +264,7 @@ router.post("/edit_registration", async (req, res) => {
       if (registration.type_id != 2) {
         const authorized = await checkPermission(req, res, [
           { club_rep: 4, club_id: registration.club_id },
-          // { executive: 4 },
+          { executive: 3 },
         ]);
         if (!authorized) {
           return;
@@ -394,6 +394,18 @@ router.post("/edit_registration", async (req, res) => {
 router.post("/delete_registration", async (req, res) => {
   const { id } = req.query;
 
+  if (!registration.student_id === req.session.user.student_id) {
+    if (registration.type_id != 2) {
+      const authorized = await checkPermission(req, res, [
+        { club_rep: 4, club_id: registration.club_id },
+        { executive: 3 },
+      ]);
+      if (!authorized) {
+        return;
+      }
+    }
+  }
+
   const registration = await Registration.findByPk(id);
   if (!registration) {
     return res
@@ -435,6 +447,11 @@ router.post("/delete_registration", async (req, res) => {
       transaction,
     });
 
+    await RegistrationFeedback.destroy({
+      where: { registration: id },
+      transaction,
+    });
+
     // 관련 RegistrationSign 삭제
     await RegistrationSign.destroy({
       where: { registration: id },
@@ -540,7 +557,7 @@ router.get("/get_registration", async (req, res) => {
       if (registration.type_id != 2) {
         const authorized = await checkPermission(req, res, [
           { club_rep: 4, club_id: registration.club_id },
-          // { executive: 4 },
+          { executive: 4 },
         ]);
         if (!authorized) {
           return;
