From 36c31dcd6777095f8fec4819ba5d860943db8b47 Mon Sep 17 00:00:00 2001
From: Andras Bacsai
Date: Fri, 5 Apr 2024 16:48:06 +0200
Subject: [PATCH] Add role-based authorization for updating teams
---
 app/Models/Team.php | 8 +++++---
 app/Models/User.php | 4 ++++
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/app/Models/Team.php b/app/Models/Team.php
index a3dd4e473..e08ba7f5b 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -21,9 +21,11 @@ class Team extends Model implements SendsDiscord, SendsEmail
 protected static function booted()
 {
- // static::saved(function () {
- // refreshSession();
- // });
+ static::saving(function ($team) {
+ if (auth()->user()->isMember()) {
+ throw new \Exception('You are not allowed to update this team.');
+ }
+ });
 }
 public function routeNotificationForDiscord()
diff --git a/app/Models/User.php b/app/Models/User.php
index e2ecae56a..0fa8ead2f 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -127,6 +127,10 @@ class User extends Authenticatable implements SendsEmail
 {
 return $this->role() === 'owner';
 }
+ public function isMember()
+ {
+ return $this->role() === 'member';
+ }
 public function isAdminFromSession()
 {
 if (auth()->user()->id === 0) {
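Review bot: `auth()->user()` is dereferenced unconditionally inside the new `saving` callback in `Team::booted()`, and it is null whenever a Team is saved without an authenticated user (console commands, queued jobs, seeders), so those saves would die on a method call on null instead of an authorization decision. The guard is also a denylist that never looks at `$team`: it rejects only the literal `member` role reported by `role()` (defined outside this diff), so a caller whose role is anything else, including possibly no role at all on the team being saved, passes. Since `saving` fires on create as well as update, the "update" wording and the intended scope should be made explicit. I would fetch the user once and decide the null case deliberately, e.g. `$user = auth()->user();` followed by `if ($user !== null && $user->isMember()) {`, and throw `\Illuminate\Auth\Access\AuthorizationException` rather than a bare `\Exception` so the HTTP layer answers 403 instead of 500. An allowlist check against the user's role on `$team` itself, enforced in a policy at the request layer, would be the more robust place for this rule.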
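Review bot: `isMember()` in `User.php` is now used as an authorization predicate but has no return type or docblock saying which team's role it tests. `role()` is outside this hunk, so it is unclear from here whether it reflects the session's current team or can return null for a user with no membership, in which case this method returns false and the caller treats the user as permitted. I would declare it as `public function isMember(): bool` and add a short docblock stating the team context the role is read from and that a missing role yields false. The surrounding class body continues outside the hunk.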