From 52f9da5c0dfec289fe51ad26e3c0a5e391078854 Mon Sep 17 00:00:00 2001
From: Moriz Wahl <moriz.wahl@gmx.de>
Date: Wed, 18 Jan 2023 15:06:18 +0100
Subject: [PATCH] fix(backend): admin cannot delete confirmed contribution

---
 .../resolver/ContributionResolver.test.ts     | 52 ++++++++++++++++++-
 .../graphql/resolver/ContributionResolver.ts  |  4 ++
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/backend/src/graphql/resolver/ContributionResolver.test.ts b/backend/src/graphql/resolver/ContributionResolver.test.ts
index 9a7fb76f2..abae8e446 100644
--- a/backend/src/graphql/resolver/ContributionResolver.test.ts
+++ b/backend/src/graphql/resolver/ContributionResolver.test.ts
@@ -3,6 +3,7 @@
 
 import Decimal from 'decimal.js-light'
 import { bibiBloxberg } from '@/seeds/users/bibi-bloxberg'
+import { bobBaumeister } from '@/seeds/users/bob-baumeister'
 import { stephenHawking } from '@/seeds/users/stephen-hawking'
 import { garrickOllivander } from '@/seeds/users/garrick-ollivander'
 import {
@@ -26,7 +27,13 @@ import {
   sendContributionConfirmedEmail,
   // sendContributionRejectedEmail,
 } from '@/emails/sendEmailVariants'
-import { cleanDB, resetToken, testEnvironment, contributionDateFormatter } from '@test/helpers'
+import {
+  cleanDB,
+  resetToken,
+  testEnvironment,
+  contributionDateFormatter,
+  resetEntity,
+} from '@test/helpers'
 import { GraphQLError } from 'graphql'
 import { userFactory } from '@/seeds/factory/user'
 import { creationFactory } from '@/seeds/factory/creation'
@@ -1818,6 +1825,49 @@ describe('ContributionResolver', () => {
               )
             })
           })
+
+          describe('creation already confirmed', () => {
+            it('throws an error', async () => {
+              await userFactory(testEnv, bobBaumeister)
+              await query({
+                query: login,
+                variables: { email: 'bob@baumeister.de', password: 'Aa12345_' },
+              })
+              const {
+                data: { createContribution: confirmedContribution },
+              } = await mutate({
+                mutation: createContribution,
+                variables: {
+                  amount: 100.0,
+                  memo: 'Confirmed Contribution',
+                  creationDate: contributionDateFormatter(new Date()),
+                },
+              })
+              await query({
+                query: login,
+                variables: { email: 'peter@lustig.de', password: 'Aa12345_' },
+              })
+              await mutate({
+                mutation: confirmContribution,
+                variables: {
+                  id: confirmedContribution.id ? confirmedContribution.id : -1,
+                },
+              })
+              await expect(
+                mutate({
+                  mutation: adminDeleteContribution,
+                  variables: {
+                    id: confirmedContribution.id ? confirmedContribution.id : -1,
+                  },
+                }),
+              ).resolves.toEqual(
+                expect.objectContaining({
+                  errors: [new GraphQLError('A confirmed contribution can not be deleted')],
+                }),
+              )
+              await resetEntity(DbTransaction)
+            })
+          })
         })
 
         describe('confirmContribution', () => {
diff --git a/backend/src/graphql/resolver/ContributionResolver.ts b/backend/src/graphql/resolver/ContributionResolver.ts
index afa786f38..a71e4767e 100644
--- a/backend/src/graphql/resolver/ContributionResolver.ts
+++ b/backend/src/graphql/resolver/ContributionResolver.ts
@@ -512,6 +512,10 @@ export class ContributionResolver {
       logger.error(`Contribution not found for given id: ${id}`)
       throw new Error('Contribution not found for given id.')
     }
+    if (contribution.confirmedAt) {
+      logger.error('A confirmed contribution can not be deleted')
+      throw new Error('A confirmed contribution can not be deleted')
+    }
     const moderator = getUser(context)
     if (
       contribution.contributionType === ContributionType.USER &&