npm - nodebb-plugin-onekite-calendar - Versions diffs - 2.0.64 → 2.0.66 - Mend

nodebb-plugin-onekite-calendar 2.0.64 → 2.0.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/api.js CHANGED Viewed

@@ -2,12 +2,9 @@
 const crypto = require('crypto');
-const meta = require.main.require('./src/meta');
 const nconf = require.main.require('nconf');
 const user = require.main.require('./src/user');
 const groups = require.main.require('./src/groups');
-const db = require.main.require('./src/database');
-const logger = require.main.require('./src/logger');
 const dbLayer = require('./db');
 const { getSettings } = require('./settings');
@@ -251,25 +248,26 @@ async function canCreateSpecial(uid, settings) {
 }
+/**
+ * Determines if a user can join or leave special events as a participant.
+ *
+ * This permission is intentionally permissive: any authenticated user can participate
+ * in special events, regardless of group membership. This differs from creation/deletion
+ * permissions which remain restricted to specific groups.
+ *
+ * @param {number|string} uid - The user ID. Falsy values (0, null, undefined, '') indicate guest/unauthenticated users.
+ * @param {Object} settings - Plugin settings (unused but kept for API consistency with other permission functions).
+ * @returns {boolean} True if the user can join/leave special events (i.e., is authenticated).
+ *
+ * @since 1.0.0 Modified to allow all authenticated users (previously restricted to specific groups)
+ */
 async function canJoinSpecial(uid, settings) {
-  if (!uid) return false;
-  // Admins always allowed
-  try {
-    const isAdmin = await groups.isMember(uid, 'administrators');
-    if (isAdmin) return true;
-  } catch (e) {}
-  // Special-event creators can join/leave
-  if (await canCreateSpecial(uid, settings)) return true;
-  // Location creator groups can also participate (even if they can't create events)
-  const allowed = normalizeAllowedGroups(settings.creatorGroups || '');
-  if (!allowed.length) return false;
-  return userInAnyGroup(uid, allowed);
+  // Any authenticated user (non-zero uid) can participate in special events.
+  // The !! coercion converts truthy values to true, falsy to false.
+  return !!uid;
 }
 async function canDeleteSpecial(uid, settings) {
   if (!uid) return false;
   try {
@@ -767,13 +765,27 @@ api.getReservationDetails = async function (req, res) {
   return res.json(out);
 };
+/**
+ * Get detailed information about a special event.
+ *
+ * This endpoint is publicly accessible (no authentication required).
+ * Guests can view all event details including participants, but cannot join (canJoin will be false).
+ *
+ * @route GET /api/v3/plugins/calendar-onekite/special-events/:eid
+ * @param {Object} req - Express request object with req.params.eid and optionally req.uid
+ * @param {Object} res - Express response object
+ * @returns {Object} Event details including participants list, calendar export links, and permission flags
+ *
+ * @since 1.0.0 Modified to allow unauthenticated access (guests can view)
+ */
 api.getSpecialEventDetails = async function (req, res) {
   const uid = req.uid;
-  if (!uid) return res.status(401).json({ error: 'not-logged-in' });
+  // Guests (uid = null/undefined/0) can view event details but cannot join.
+  // Authenticated users get canJoin=true if they meet participation requirements.
   const settings = await getSettings();
-  const canMod = await canValidate(uid, settings);
-  const canSpecialDelete = await canDeleteSpecial(uid, settings);
+  const canMod = uid ? await canValidate(uid, settings) : false;
+  const canSpecialDelete = uid ? await canDeleteSpecial(uid, settings) : false;
   const eid = String(req.params.eid || '').trim();
   if (!eid) return res.status(400).json({ error: 'missing-eid' });
@@ -979,12 +991,26 @@ api.deleteSpecialEvent = async function (req, res) {
   res.json({ ok: true });
 };
+/**
+ * Get detailed information about an outing (prévision de sortie).
+ *
+ * This endpoint is publicly accessible (no authentication required).
+ * Guests can view all outing details including participants, but cannot join (canJoin will be false).
+ *
+ * @route GET /api/v3/plugins/calendar-onekite/outings/:oid
+ * @param {Object} req - Express request object with req.params.oid and optionally req.uid
+ * @param {Object} res - Express response object
+ * @returns {Object} Outing details including participants list, calendar export links, and permission flags
+ *
+ * @since 1.0.0 Modified to allow unauthenticated access (guests can view)
+ */
 api.getOutingDetails = async function (req, res) {
   const uid = req.uid;
-  if (!uid) return res.status(401).json({ error: 'not-logged-in' });
+  // Guests (uid = null/undefined/0) can view outing details but cannot join.
+  // Only authenticated users in authorized groups can join outings (canRequest).
   const settings = await getSettings();
-  const canMod = await canValidate(uid, settings);
+  const canMod = uid ? await canValidate(uid, settings) : false;
   const oid = String(req.params.oid || '').trim();
   if (!oid) return res.status(400).json({ error: 'missing-oid' });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-onekite-calendar",
-  "version": "2.0.64",
+  "version": "2.0.66",
   "description": "FullCalendar-based equipment reservation workflow with admin approval & HelloAsso payment for NodeBB",
   "main": "library.js",
   "license": "MIT",

package/plugin.json CHANGED Viewed

@@ -39,5 +39,5 @@
   "acpScripts": [
     "public/admin.js"
   ],
-  "version": "2.0.64"
+  "version": "2.0.66"
 }