fix(api): add admin authorization check to sponsor-ads routes (#423)

evereq · web-flow · commit a478d4d8d444 · 2025-12-21T11:03:12.000+01:00
- Add isAdmin validation to all sponsor-ads admin API handlers
  - Return 403 Forbidden for non-admin users
  - Align with authorization pattern used in other admin routes
diff --git a/app/api/admin/sponsor-ads/[id]/approve/route.ts b/app/api/admin/sponsor-ads/[id]/approve/route.ts
@@ -53,6 +53,13 @@ export async function POST(
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { id } = await params;
 
 		// Parse request body for forceApprove flag
diff --git a/app/api/admin/sponsor-ads/[id]/cancel/route.ts b/app/api/admin/sponsor-ads/[id]/cancel/route.ts
@@ -68,6 +68,13 @@ export async function POST(
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { id } = await params;
 		const body = await request.json().catch(() => ({}));
 
diff --git a/app/api/admin/sponsor-ads/[id]/reject/route.ts b/app/api/admin/sponsor-ads/[id]/reject/route.ts
@@ -72,6 +72,13 @@ export async function POST(
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { id } = await params;
 		const body = await request.json();
 
diff --git a/app/api/admin/sponsor-ads/[id]/route.ts b/app/api/admin/sponsor-ads/[id]/route.ts
@@ -41,6 +41,13 @@ export async function GET(
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { id } = await params;
 		const sponsorAd = await sponsorAdService.getSponsorAdWithUser(id);
 
@@ -103,6 +110,13 @@ export async function DELETE(
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { id } = await params;
 
 		await sponsorAdService.deleteSponsorAd(id);
diff --git a/app/api/admin/sponsor-ads/route.ts b/app/api/admin/sponsor-ads/route.ts
@@ -70,6 +70,13 @@ export async function GET(request: NextRequest) {
 			);
 		}
 
+		if (!session.user.isAdmin) {
+			return NextResponse.json(
+				{ success: false, error: "Forbidden" },
+				{ status: 403 }
+			);
+		}
+
 		const { searchParams } = new URL(request.url);
 
 		// Validate pagination parameters
