🚀 Enhancement: Add 403 lockout for management pages (#284)

Strehk · web-flow · commit fb4ccc9e8acd · 2025-10-15T00:37:04.000+02:00
diff --git a/messages/de.json b/messages/de.json
@@ -438,6 +438,7 @@
 	"newsletters": "Newsletter",
 	"next": "Weiter",
 	"no": "Nein",
+	"noAccess": "Hier hast du keinen Zugriff",
 	"noAnswer": "Keine Antwort",
 	"noAnswerYet": "Noch nicht beantwortet",
 	"noCommittees": "Keine Gremien",
diff --git a/messages/en.json b/messages/en.json
@@ -438,6 +438,7 @@
 	"newsletters": "Newsletter",
 	"next": "Next",
 	"no": "No",
+	"noAccess": "You don't have access to this page.",
 	"noAnswer": "No Answer",
 	"noAnswerYet": "Not yet answered",
 	"noCommittees": "No Committees",
diff --git a/src/routes/(authenticated)/management/+layout.ts b/src/routes/(authenticated)/management/+layout.ts
@@ -1,6 +1,8 @@
 import { graphql } from '$houdini';
 import { allConferenceQuery } from '$lib/queries/allConferences';
-import type { PageLoad } from './$types';
+import { error } from '@sveltejs/kit';
+import type { LayoutLoad } from './$types';
+import { m } from '$lib/paraglide/messages';
 
 const conferencesWhereImMoreThanMember = graphql(`
 	query ConferencesWhereImMoreThanMember($myUserId: String!) {
@@ -28,7 +30,7 @@ const conferencesWhereImMoreThanMember = graphql(`
 	}
 `);
 
-export const load: PageLoad = async (event) => {
+export const load: LayoutLoad = async (event) => {
 	const { user } = await event.parent();
 
 	// we want the conferences to appear either if we are a privileged user on that conference or
@@ -53,6 +55,11 @@ export const load: PageLoad = async (event) => {
 		blocking: true
 	});
 	const queriedConfernces = data?.findManyConferences;
+
+	if (queriedConfernces.length === 0) {
+		error(403, m.noAccess());
+	}
+
 	return {
 		conferences: queriedConfernces?.map((c) => ({
 			id: c.id,
diff --git a/src/routes/(authenticated)/management/[conferenceId]/+layout.ts b/src/routes/(authenticated)/management/[conferenceId]/+layout.ts
@@ -1,6 +1,13 @@
+import { error } from '@sveltejs/kit';
 import type { LayoutLoad } from './$types';
+import { m } from '$lib/paraglide/messages';
 
 export const load: LayoutLoad = async (event) => {
+	const parentData = await event.parent();
+
+	if (!parentData.conferences.map((c) => c.id).includes(event.params.conferenceId))
+		error(403, m.noAccess());
+
 	return {
 		conferenceId: event.params.conferenceId
 	};
