feat(GRO-635): implement groomer data isolation in appointmentGroups, groomingLogs + fix batherStaffId conflict check

- appointmentGroups: use Hono<AppEnv>(), add groomer isolation on all endpoints - groomingLogs: use Hono<AppEnv>(), add groomer isolation on all endpoints - appointments: add batherStaffId conflict check in POST and PATCH handlers - Non-groomer roles retain full access on all endpoints Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 13:50:03 +00:00
parent c438f5772c
commit 5e24678fa5
3 changed files with 217 additions and 11 deletions
@@ -163,6 +163,29 @@ appointmentsRouter.post(
          }
        }

+        // Check batherStaffId conflicts if set
+        if (apptFields.batherStaffId) {
+          const conflicts = await tx
+            .select({ id: appointments.id })
+            .from(appointments)
+            .where(
+              and(
+                or(
+                  eq(appointments.staffId, apptFields.batherStaffId),
+                  eq(appointments.batherStaffId, apptFields.batherStaffId)
+                ),
+                lt(appointments.startTime, end),
+                gte(appointments.endTime, start),
+                ne(appointments.status, "cancelled"),
+                ne(appointments.status, "no_show"),
+              )
+            )
+            .limit(1);
+          if (conflicts.length > 0) {
+            throw Object.assign(new Error("conflict"), { statusCode: 409 });
+          }
+        }
+
        if (!recurrence) {
          // Single appointment
          const [inserted] = await tx
@@ -461,6 +484,34 @@ appointmentsRouter.patch(
            }
          }

+          // Check batherStaffId conflicts if being updated or already set
+          const batherStaffId =
+            updateFields.batherStaffId !== undefined
+              ? updateFields.batherStaffId
+              : current.batherStaffId;
+          if (batherStaffId) {
+            const conflicts = await tx
+              .select({ id: appointments.id })
+              .from(appointments)
+              .where(
+                and(
+                  or(
+                    eq(appointments.staffId, batherStaffId),
+                    eq(appointments.batherStaffId, batherStaffId)
+                  ),
+                  lt(appointments.startTime, end),
+                  gte(appointments.endTime, start),
+                  ne(appointments.status, "cancelled"),
+                  ne(appointments.status, "no_show"),
+                  ne(appointments.id, id),
+                )
+              )
+              .limit(1);
+            if (conflicts.length > 0) {
+              throw Object.assign(new Error("conflict"), { statusCode: 409 });
+            }
+          }
+
          const [updated] = await tx
            .update(appointments)
            .set(update)