refactor(timeline): extract requireWriteAll route guard

Both curator-event loaders repeated the same null-user + hasWriteAll block. hasWriteAll already returns false for an anonymous user, so a single requireWriteAll(locals) helper covers both REQ-002 (null user → 403) and REQ-003 (no WRITE_ALL → 403) without the redundant pre-check. Addresses PR #832 review (#781). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 23:21:37 +02:00
parent 068c2ef256
commit 9f17c4538f
3 changed files with 17 additions and 15 deletions
--- a/frontend/src/lib/shared/server/permissions.ts
+++ b/frontend/src/lib/shared/server/permissions.ts
@@ -1,3 +1,5 @@
+import { error } from '@sveltejs/kit';
+
 /**
 * Server-side permission predicates derived from the authenticated user in `locals`.
 *
@@ -12,3 +14,13 @@ type PermissionLocals = {
 export function hasWriteAll(locals: PermissionLocals): boolean {
 	return locals.user?.groups?.some((group) => group.permissions.includes('WRITE_ALL')) ?? false;
 }
+
+/**
+ * Throws a 403 unless the user holds WRITE_ALL. Anonymous users are rejected too
+ * — `hasWriteAll` returns false for a null user, so a single check covers both
+ * the unauthenticated and the under-privileged case. Server-side gate; the
+ * frontend canWrite flag only hides entry-point buttons.
+ */
+export function requireWriteAll(locals: PermissionLocals): void {
+	if (!hasWriteAll(locals)) throw error(403, 'Forbidden');
+}