From aa35ab42f254f5dd3ddcb8054f88183c3c846674 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Sat, 17 Jan 2026 15:30:13 +0100
Subject: [PATCH] permissions for pinGroupPost

---
 .../src/middleware/permissionsMiddleware.ts | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/backend/src/middleware/permissionsMiddleware.ts b/backend/src/middleware/permissionsMiddleware.ts
index be592538f..5631b7747 100644
--- a/backend/src/middleware/permissionsMiddleware.ts
+++ b/backend/src/middleware/permissionsMiddleware.ts
@@ -397,6 +397,26 @@ const isAllowedToGenerateGroupInviteCode = rule({
 ).records[0].get('count')
 })

+const isAllowedToPinGroupPost = rule({
+ cache: 'no_cache',
+})(async (_parent, args, context: Context) => {
+ if (!context.user) return false
+
+ return (
+ (
+ await context.database.query({
+ query: `
+ MATCH (post:Post{id: $args.id})-[:IN]->(group:Group)
+ MATCH (user:User{id: $user.id})-[membership:MEMBER_OF]->(group)
+ WHERE (membership.role IN ['admin', 'owner'])
+ RETURN toString(count(group)) as count
+ `,
+ variables: { user: context.user, args },
+ })
+ ).records[0].get('count') === '1'
+ )
+})
+
 // Permissions
 export default shield(
 {
@@ -485,8 +505,8 @@ export default shield(
 VerifyEmailAddress: isAuthenticated,
 pinPost: isAdmin,
 unpinPost: isAdmin,
- pinGroupPost: isAuthenticated, // TODO: permissions
- unpinGroupPost: isAuthenticated, // TODO: permissions
+ pinGroupPost: isAllowedToPinGroupPost,
+ unpinGroupPost: isAllowedToPinGroupPost,
 pushPost: isAdmin,
 unpushPost: isAdmin,
 UpdateDonations: isAdmin,
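Review bot: The authorization decision in `isAllowedToPinGroupPost` rests on the exact string comparison `.get('count') === '1'`, so the rule passes only when the two MATCH clauses produce exactly one row. That fails closed, but a duplicate `MEMBER_OF` relationship would lock a legitimate group admin out, and the intent is easier to audit if the query returns a boolean, `RETURN count(group) > 0 AS allowed` read with `.get('allowed') === true` (assuming the database wrapper hands Cypher booleans back as JavaScript booleans). The query also receives the whole `context.user` object and every client-supplied argument through `variables: { user: context.user, args }` although it reads only two ids; passing just `context.user.id` and `args.id` under their own parameter names would keep the parameter surface minimal. A one-line comment above the rule stating that only an admin or owner of the group the post belongs to may pass would document the policy next to the query.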
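Review bot: Both `pinGroupPost` and `unpinGroupPost` now use a rule that looks the post up by `$args.id`, so the wiring is only correct if both mutations take the post id in an argument named `id`; the schema is not visible here, and with any other argument name the rule denies every caller. The diffstat lists a single changed file, so no spec accompanies the new rule; cases worth pinning are an unauthenticated caller, a non-member, a member without the admin or owner role, an admin or owner of a different group, and a post that is in no group, each expected to be rejected for both mutations. The `shield(` map starts and ends outside this hunk, so any fallback rule it configures could not be checked.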