@stamhoofd/backend 2.78.2 → 2.78.4

package/src/endpoints/organization/dashboard/organization/PatchOrganizationEndpoint.test.ts

@@ -1,7 +1,6 @@
-import { AutoEncoderPatchType, PatchableArray } from '@simonbackx/simple-encoding';
 import { Request } from '@simonbackx/simple-endpoints';
-import { GroupFactory, OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
-import { Group, GroupGenderType, GroupPatch, GroupPrivateSettings, GroupSettings, GroupSettingsPatch, Organization, PermissionLevel, PermissionRole, PermissionRoleDetailed, Permissions, PermissionsResourceType, ResourcePermissions } from '@stamhoofd/structures';
+import { OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
+import { Organization, PermissionLevel, Permissions } from '@stamhoofd/structures';
 
 import { testServer } from '../../../../../tests/helpers/TestServer';
 import { PatchOrganizationEndpoint } from './PatchOrganizationEndpoint';
@@ -60,218 +59,4 @@ describe('Endpoint.PatchOrganization', () => {
 
         await expect(testServer.test(endpoint, r)).rejects.toThrow(/permissions/i);
     });
-
-    test('Change the name of a group with access', async () => {
-        const organization = await new OrganizationFactory({}).create();
-        const role = PermissionRoleDetailed.create({
-            name: 'Role',
-        });
-        organization.privateMeta.roles.push(
-            role,
-        );
-        const groups = await new GroupFactory({ organization }).createMultiple(2);
-
-        role.resources.set(PermissionsResourceType.Groups, new Map());
-        role.resources.get(PermissionsResourceType.Groups)!.set(groups[0].id, ResourcePermissions.create({
-            level: PermissionLevel.Full,
-        }));
-
-        await organization.save();
-
-        const validPermissions = [
-            Permissions.create({
-                level: PermissionLevel.None,
-                roles: [PermissionRole.create(role)],
-            }),
-            Permissions.create({
-                level: PermissionLevel.Full,
-            }),
-        ];
-
-        for (const permission of validPermissions) {
-            const user = await new UserFactory({ organization,
-                permissions: permission,
-            }).create();
-            const token = await Token.createToken(user);
-
-            const changes = new PatchableArray<string, Group, AutoEncoderPatchType<Group>>();
-            changes.addPatch(GroupPatch.create({
-                id: groups[0].id,
-                settings: GroupSettingsPatch.create({
-                    name: 'My crazy group name',
-                }),
-            }));
-
-            const r = Request.buildJson('PATCH', '/organization', organization.getApiHost(), {
-                id: organization.id,
-                groups: changes.encode({ version: 2 }),
-            });
-            r.headers.authorization = 'Bearer ' + token.accessToken;
-
-            const response = await testServer.test(endpoint, r);
-            expect(response.body).toBeDefined();
-
-            if (!(response.body instanceof Organization)) {
-                throw new Error('Expected Organization');
-            }
-
-            expect(response.body.id).toEqual(organization.id);
-            expect(response.body.groups.find(g => g.id == groups[0].id)!.settings.name).toEqual('My crazy group name');
-        }
-    });
-
-    test("Can't change name of group without access", async () => {
-        const organization = await new OrganizationFactory({}).create();
-        const role = PermissionRoleDetailed.create({
-            name: 'Role',
-        });
-        const role2 = PermissionRoleDetailed.create({
-            name: 'Role2',
-        });
-        organization.privateMeta.roles.push(
-            role,
-            role2,
-        );
-        await organization.save();
-        const groups = await new GroupFactory({ organization }).createMultiple(2);
-
-        groups[0].privateSettings.permissions.write.push(PermissionRole.create(role));
-        await groups[0].save();
-
-        groups[0].privateSettings.permissions.read.push(PermissionRole.create(role2));
-        await groups[0].save();
-
-        const invalidPermissions = [
-            Permissions.create({
-                level: PermissionLevel.Read,
-                roles: [PermissionRole.create(role)],
-            }),
-            Permissions.create({
-                level: PermissionLevel.None,
-                roles: [PermissionRole.create(role2)],
-            }),
-            Permissions.create({
-                level: PermissionLevel.Write,
-                roles: [PermissionRole.create(role2), PermissionRole.create(role)],
-            }),
-            Permissions.create({
-                level: PermissionLevel.Write,
-            }),
-            Permissions.create({
-                level: PermissionLevel.Read,
-            }),
-            null,
-        ];
-
-        for (const permission of invalidPermissions) {
-            const user = await new UserFactory({
-                organization,
-                permissions: permission,
-            }).create();
-            const token = await Token.createToken(user);
-
-            const changes = new PatchableArray<string, Group, AutoEncoderPatchType<Group>>();
-            changes.addPatch(GroupPatch.create({
-                id: groups[0].id,
-                settings: GroupSettingsPatch.create({
-                    name: 'My crazy group name',
-                }),
-            }));
-            const r = Request.buildJson('PATCH', '/organization', organization.getApiHost(), {
-                id: organization.id,
-                groups: changes.encode({ version: 2 }),
-            });
-            r.headers.authorization = 'Bearer ' + token.accessToken;
-            await expect(testServer.test(endpoint, r)).rejects.toThrow(/permissions/i);
-        }
-    });
-
-    test('Create a group with access', async () => {
-        const organization = await new OrganizationFactory({}).create();
-        const groups = await new GroupFactory({ organization }).createMultiple(2);
-
-        const validPermissions = [
-            Permissions.create({
-                level: PermissionLevel.Full,
-            }),
-        ];
-
-        const invalidPermissions = [
-            Permissions.create({
-                level: PermissionLevel.Write,
-            }),
-        ];
-
-        for (const permission of validPermissions) {
-            const user = await new UserFactory({
-                organization,
-                permissions: permission,
-            }).create();
-            const token = await Token.createToken(user);
-
-            const changes = new PatchableArray<string, Group, AutoEncoderPatchType<Group>>();
-            const put = Group.create({
-                cycle: 0,
-                organizationId: organization.id,
-                periodId: organization.periodId,
-                settings: GroupSettings.create({
-                    name: 'My crazy group name',
-                    startDate: new Date(),
-                    endDate: new Date(),
-                    registrationStartDate: new Date(),
-                    registrationEndDate: new Date(),
-                    genderType: GroupGenderType.Mixed,
-                }),
-                privateSettings: GroupPrivateSettings.create({}),
-            });
-            changes.addPut(put);
-
-            const r = Request.buildJson('PATCH', '/v140/organization', organization.getApiHost(), {
-                id: organization.id,
-                groups: changes.encode({ version: 140 }),
-            });
-            r.headers.authorization = 'Bearer ' + token.accessToken;
-
-            const response = await testServer.test(endpoint, r);
-            expect(response.body).toBeDefined();
-
-            if (!(response.body instanceof Organization)) {
-                throw new Error('Expected Organization');
-            }
-
-            expect(response.body.id).toEqual(organization.id);
-            expect(response.body.groups.map(g => g.id)).toContainEqual(put.id);
-        }
-
-        for (const permission of invalidPermissions) {
-            const user = await new UserFactory({
-                organization,
-                permissions: permission,
-            }).create();
-            const token = await Token.createToken(user);
-
-            const changes = new PatchableArray<string, Group, AutoEncoderPatchType<Group>>();
-            const put = Group.create({
-                cycle: 0,
-                organizationId: organization.id,
-                periodId: organization.periodId,
-                settings: GroupSettings.create({
-                    name: 'My crazy group name',
-                    startDate: new Date(),
-                    endDate: new Date(),
-                    registrationStartDate: new Date(),
-                    registrationEndDate: new Date(),
-                    genderType: GroupGenderType.Mixed,
-                }),
-            });
-            changes.addPut(put);
-
-            const r = Request.buildJson('PATCH', '/v2/organization', organization.getApiHost(), {
-                id: organization.id,
-                groups: changes.encode({ version: 2 }),
-            });
-            r.headers.authorization = 'Bearer ' + token.accessToken;
-            await expect(testServer.test(endpoint, r)).rejects.toThrow(/permissions/i);
-        }
-    });
 });

package/src/endpoints/organization/dashboard/payments/PatchBalanceItemsEndpoint.ts

@@ -250,7 +250,7 @@ export class PatchBalanceItemsEndpoint extends Endpoint<Params, Query, Body, Res
         if (!member || !(await Context.auth.canLinkBalanceItemToMember(member))) {
             throw new SimpleError({
                 code: 'permission_denied',
-                message: 'No permission to link balanace items to this member',
+                message: 'No permission to link balance items to this member',
                 human: 'Je hebt geen toegang om aanrekeningen te maken verbonden met dit lid',
                 field: 'memberId',
             });
@@ -264,7 +264,7 @@ export class PatchBalanceItemsEndpoint extends Endpoint<Params, Query, Body, Res
         if (!user || !await Context.auth.canLinkBalanceItemToUser(balanceItem, user)) {
             throw new SimpleError({
                 code: 'permission_denied',
-                message: 'No permission to link balanace items to this user',
+                message: 'No permission to link balance items to this user',
                 human: 'Je hebt geen toegang om aanrekeningen te maken verbonden met deze gebruiker',
                 field: 'userId',
             });

package/src/endpoints/organization/dashboard/webshops/PatchWebshopOrdersEndpoint.ts

@@ -137,7 +137,7 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
                     await order.updateStock(null, true);
                     const totalPrice = order.data.totalPrice;
 
-                    if (totalPrice == 0) {
+                    if (totalPrice === 0) {
                         // Force unknown payment method
                         order.data.paymentMethod = PaymentMethod.Unknown;
 
@@ -161,6 +161,9 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
                         order.paymentId = payment.id;
                         order.setRelation(Order.payment, payment);
 
+                        // Save order because we need the id
+                        await order.save();
+
                         // Create balance item
                         const balanceItem = new BalanceItem();
                         balanceItem.orderId = order.id;
@@ -189,12 +192,12 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
                         balanceItemPayment.price = balanceItem.price;
                         await balanceItemPayment.save();
 
-                        if (payment.method == PaymentMethod.Transfer) {
+                        if (payment.method === PaymentMethod.Transfer) {
                             await order.markValid(payment, []);
                             await payment.save();
                             await order.save();
                         }
-                        else if (payment.method == PaymentMethod.PointOfSale) {
+                        else if (payment.method === PaymentMethod.PointOfSale) {
                             // Not really paid, but needed to create the tickets if needed
                             await order.markPaid(payment, organization, webshop);
                             await payment.save();

package/src/endpoints/organization/shared/auth/GetOrganizationEndpoint.test.ts

@@ -1,5 +1,5 @@
 import { Request } from '@simonbackx/simple-endpoints';
-import { GroupFactory, OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
+import { OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
 import { Organization, PermissionLevel, Permissions } from '@stamhoofd/structures';
 
 import { testServer } from '../../../../../tests/helpers/TestServer';
@@ -12,7 +12,6 @@ describe('Endpoint.GetOrganization', () => {
     test('Get organization as signed in user', async () => {
         const organization = await new OrganizationFactory({}).create();
         const user = await new UserFactory({ organization }).create();
-        const groups = await new GroupFactory({ organization }).createMultiple(2);
         const token = await Token.createToken(user);
 
         const r = Request.buildJson('GET', '/v3/organization', organization.getApiHost());
@@ -26,7 +25,6 @@ describe('Endpoint.GetOrganization', () => {
         }
 
         expect(response.body.id).toEqual(organization.id);
-        expect(response.body.groups.map(g => g.id).sort()).toEqual(groups.map(g => g.id).sort());
         expect(response.body.privateMeta).toEqual(null);
     });
 
@@ -39,7 +37,6 @@ describe('Endpoint.GetOrganization', () => {
             }),
         }).create();
 
-        const groups = await new GroupFactory({ organization }).createMultiple(2);
         const token = await Token.createToken(user);
 
         const r = Request.buildJson('GET', '/v3/organization', organization.getApiHost());
@@ -53,7 +50,6 @@ describe('Endpoint.GetOrganization', () => {
         }
 
         expect(response.body.id).toEqual(organization.id);
-        expect(response.body.groups.map(g => g.id).sort()).toEqual(groups.map(g => g.id).sort());
         expect(response.body.privateMeta).not.toEqual(null);
     });
 
@@ -72,6 +68,8 @@ describe('Endpoint.GetOrganization', () => {
         const r = Request.buildJson('GET', '/v3/organization', organization.getApiHost());
         r.headers.authorization = 'Bearer ' + token.accessToken;
 
-        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+        expect(response.body.privateMeta).toEqual(null);
     });
 });

package/src/endpoints/organization/webshops/GetWebshopEndpoint.test.ts

@@ -105,25 +105,7 @@ describe('Endpoint.GetWebshop', () => {
         const r = Request.buildJson('GET', '/v244/webshop/' + webshop.id, organization.getApiHost());
         r.headers.authorization = 'Bearer ' + token.accessToken;
 
-        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
-    });
-
-    test('If organization scope is missing in v243, access is still checked correctly', async () => {
-        const organization = await new OrganizationFactory({}).create();
-        const organization2 = await new OrganizationFactory({}).create();
-        const user = await new UserFactory({
-            organization: organization2,
-            permissions: Permissions.create({
-                level: PermissionLevel.Full,
-            }),
-        }).create();
-
-        const token = await Token.createToken(user);
-        const webshop = await new WebshopFactory({ organizationId: organization.id }).create();
-
-        const r = Request.buildJson('GET', '/v243/webshop/' + webshop.id);
-        r.headers.authorization = 'Bearer ' + token.accessToken;
-
-        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
+        const response = await testServer.test(endpoint, r);
+        expect((response.body as any).privateMeta).toBeUndefined();
     });
 });

package/src/helpers/AdminPermissionChecker.ts

@@ -1,9 +1,10 @@
 import { AutoEncoderPatchType, PatchMap } from '@simonbackx/simple-encoding';
 import { isSimpleError, isSimpleErrors, SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, CachedBalance, Document, EmailTemplate, Event, EventNotification, Group, Member, MemberPlatformMembership, MemberWithRegistrations, Order, Organization, OrganizationRegistrationPeriod, Payment, Registration, User, Webshop } from '@stamhoofd/models';
-import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory } from '@stamhoofd/structures';
+import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory, RecordSettings } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { addTemporaryMemberAccess, hasTemporaryMemberAccess } from './TemporaryMemberAccess';
+import { MemberRecordStore } from '../services/MemberRecordStore';
 
 /**
  * One class with all the responsabilities of checking permissions to each resource in the system by a given user, possibly in an organization context.
@@ -90,6 +91,10 @@ export class AdminPermissionChecker {
         });
     }
 
+    memberNotFoundOrNoAccess(): SimpleError {
+        return this.notFoundOrNoAccess($t('Je hebt geen toegang tot dit lid of het bestaat niet'));
+    }
+
     notFoundOrNoAccess(message?: string): SimpleError {
         return new SimpleError({
             code: 'not_found',
@@ -853,80 +858,6 @@ export class AdminPermissionChecker {
         return !!member.users.find(u => u.id === this.user.id);
     }
 
-    /**
-     * Return a list of RecordSettings the current user can view or edit
-     */
-    async getAccessibleRecordCategories(member: MemberWithRegistrations, level: PermissionLevel = PermissionLevel.Read): Promise<RecordCategory[]> {
-        // First list all organizations this member is part of
-        const organizations: Organization[] = [];
-
-        if (member.organizationId) {
-            if (this.checkScope(member.organizationId)) {
-                organizations.push(await this.getOrganization(member.organizationId));
-            }
-        }
-
-        for (const registration of member.registrations) {
-            if (this.checkScope(registration.organizationId)) {
-                if (!organizations.find(o => o.id === registration.organizationId)) {
-                    organizations.push(await this.getOrganization(registration.organizationId));
-                }
-            }
-        }
-
-        // Loop all organizations.
-        // Check if we have access to their data
-        const recordCategories: RecordCategory[] = [];
-        for (const organization of organizations) {
-            const permissions = await this.getOrganizationPermissions(organization);
-
-            if (!permissions) {
-                continue;
-            }
-
-            // Now add all records of this organization
-            for (const category of organization.meta.recordsConfiguration.recordCategories) {
-                if (recordCategories.find(c => c.id === category.id)) {
-                    // Already added
-                    continue;
-                }
-
-                if (permissions.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
-                    recordCategories.push(category);
-                }
-            }
-
-            // Platform ones where we have been given permissions for in this organization
-            for (const category of this.platform.config.recordsConfiguration.recordCategories) {
-                if (recordCategories.find(c => c.id === category.id)) {
-                    // Already added
-                    continue;
-                }
-
-                if (permissions.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
-                    recordCategories.push(category);
-                }
-            }
-        }
-
-        // Platform data
-        const platformPermissions = this.platformPermissions;
-        if (platformPermissions) {
-            for (const category of this.platform.config.recordsConfiguration.recordCategories) {
-                if (recordCategories.find(c => c.id === category.id)) {
-                    // Already added
-                    continue;
-                }
-
-                if (platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, category.id, level)) {
-                    recordCategories.push(category);
-                }
-            }
-        }
-
-        return recordCategories;
-    }
-
     /**
      * Return a list of RecordSettings the current user can view or edit
      */
@@ -1053,56 +984,87 @@ export class AdminPermissionChecker {
         return false;
     }
 
-    /**
-     * Return a list of RecordSettings the current user can view or edit
-     */
-    async getAccessibleRecordSet(member: MemberWithRegistrations, level: PermissionLevel = PermissionLevel.Read): Promise<Set<string>> {
-        const categories = await this.getAccessibleRecordCategories(member, level);
-        const set = new Set<string>();
+    async checkRecordAccess(member: MemberWithRegistrations, recordId: string, level: PermissionLevel = PermissionLevel.Read): Promise<{ canAccess: false; record: RecordSettings | null } | { canAccess: true; record: RecordSettings }> {
+        const record = await MemberRecordStore.getRecord(recordId);
+        if (!record) {
+            return {
+                canAccess: false,
+                record: null,
+            };
+        }
 
-        for (const category of categories) {
-            for (const record of category.getAllRecords()) {
-                set.add(record.id);
-            }
+        if (!this.checkScope(record.organizationId)) {
+            return {
+                canAccess: false,
+                record: record.record,
+            };
         }
 
         const isUserManager = this.isUserManager(member);
-
-        // Also include those we can access as user manager
         if (isUserManager) {
-            const allCategories = this.platform.config.recordsConfiguration.recordCategories.slice();
+            if (record.record.checkPermissionForUserManager(level)) {
+                return {
+                    canAccess: true,
+                    record: record.record,
+                };
+            }
+        }
 
-            // First list all organizations this member is part of
-            const organizations: Organization[] = [];
+        if (!this.user.permissions) {
+            return {
+                canAccess: false,
+                record: record.record,
+            };
+        }
 
-            if (member.organizationId) {
-                if (this.checkScope(member.organizationId)) {
-                    organizations.push(await this.getOrganization(member.organizationId));
-                }
+        if (record.organizationId) {
+            const organizationPermissions = await this.getOrganizationPermissions(record.organizationId);
+            if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
+                return {
+                    canAccess: true,
+                    record: record.record,
+                };
             }
-
-            for (const registration of member.registrations) {
-                if (this.checkScope(registration.organizationId)) {
-                    if (!organizations.find(o => o.id === registration.organizationId)) {
-                        organizations.push(await this.getOrganization(registration.organizationId));
-                    }
+        }
+        else {
+            // 1. Check all organizations (they can give permissions)
+            for (const organizationId of this.user.permissions.organizationPermissions.keys()) {
+                const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+                if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
+                    return {
+                        canAccess: true,
+                        record: record.record,
+                    };
                 }
             }
+        }
 
-            for (const organization of organizations) {
-                allCategories.push(...organization.meta.recordsConfiguration.recordCategories);
-            }
+        // 2. Check platform permissions
+        if (this.platformPermissions?.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
+            return {
+                canAccess: true,
+                record: record.record,
+            };
+        }
 
-            for (const category of allCategories) {
-                for (const record of category.getAllRecords()) {
-                    if (record.checkPermissionForUserManager(level)) {
-                        set.add(record.id);
-                    }
+        // It is possible that this is a platform admin, and inherits automatic permissions for tags. So'll need to loop all the organizations where this member has an active registration for
+        if (!record.organizationId && this.platformPermissions) {
+            const organizations = Formatter.uniqueArray(member.registrations.map(r => r.organizationId));
+            for (const organizationId of organizations) {
+                const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+                if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
+                    return {
+                        canAccess: true,
+                        record: record.record,
+                    };
                 }
             }
         }
 
-        return set;
+        return {
+            canAccess: false,
+            record: record.record,
+        };
     }
 
     async getAccessibleGroups(organizationId: string, level: PermissionLevel = PermissionLevel.Read): Promise<string[] | 'all'> {
@@ -1125,22 +1087,27 @@ export class AdminPermissionChecker {
      * Changes data inline
      */
     async filterMemberData(member: MemberWithRegistrations, data: MemberWithRegistrationsBlob): Promise<MemberWithRegistrationsBlob> {
-        const records = await this.getAccessibleRecordSet(member, PermissionLevel.Read);
-
         const cloned = data.clone();
 
         for (const [key, value] of cloned.details.recordAnswers.entries()) {
-            if (!records.has(value.settings.id)) {
+            const { canAccess, record } = await this.checkRecordAccess(member, key, PermissionLevel.Read);
+            if (!canAccess) {
                 cloned.details.recordAnswers.delete(key);
             }
+            else {
+                if (value) {
+                    // Force update
+                    value.settings = record;
+                }
+            }
         }
 
         const isUserManager = this.isUserManager(member);
         if (isUserManager) {
             // For a user manager without an organization, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
             if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
-                cloned.details.securityCode = null;
                 cloned.details.notes = null;
+                // a user manager can see the security codes
             }
 
             return cloned;
@@ -1227,39 +1194,20 @@ export class AdminPermissionChecker {
                 });
             }
 
-            const records = await this.getAccessibleRecordSet(member, PermissionLevel.Write);
-
             for (const [key, value] of data.details.recordAnswers.entries()) {
-                let name: string | undefined = undefined;
-                if (value) {
-                    if (value.isPatch()) {
-                        throw new SimpleError({
-                            code: 'invalid_request',
-                            message: 'Cannot PATCH a record answer object',
-                            statusCode: 400,
-                        });
-                    }
-
-                    const id = value.settings.id;
-
-                    if (id !== key) {
-                        throw new SimpleError({
-                            code: 'invalid_request',
-                            message: 'Record answer key does not match record id',
-                            statusCode: 400,
-                        });
-                    }
-
-                    name = value.settings.name;
-                }
-
-                if (!records.has(key)) {
+                const { canAccess, record } = await this.checkRecordAccess(member, key, PermissionLevel.Write);
+                if (!canAccess) {
                     throw new SimpleError({
                         code: 'permission_denied',
-                        message: `Je hebt geen toegangsrechten om het antwoord op ${name ?? 'deze vraag'} aan te passen voor dit lid`,
+                        message: `Je hebt geen toegangsrechten om het antwoord op ${record?.name ?? 'deze vraag'} aan te passen voor dit lid`,
                         statusCode: 400,
                     });
                 }
+
+                // Force set the value settings
+                if (value) {
+                    value.settings = record;
+                }
             }
         }