feat: another security sweep

api/src/app/services/suggestion.service.ts

@@ -4,6 +4,7 @@ import type {
   SuggestionStatus,
   SuggestionEntity,
   CreateSuggestionDto,
+  AcceptWithEditsDto,
 } from "@library/shared-types";
 import {
   GameStatus,
@@ -340,7 +341,7 @@ export const SuggestionService = {
     return mapSuggestion(updatedSuggestion);
   },
 
-  async acceptSuggestionWithEdits(id: string, editedData: any): Promise<Suggestion> {
+  async acceptSuggestionWithEdits(id: string, editedData: AcceptWithEditsDto): Promise<Suggestion> {
     const suggestion = await prisma.suggestion.findUnique({
       where: { id },
       include: { user: true },
@@ -453,4 +454,29 @@ export const SuggestionService = {
 
     return mapSuggestion(updatedSuggestion);
   },
+
+  async deleteSuggestion(id: string, userId: string, isAdmin: boolean): Promise<Suggestion> {
+    const suggestion = await prisma.suggestion.findUnique({
+      where: { id },
+      include: { user: true },
+    });
+
+    if (!suggestion) {
+      throw new Error("Suggestion not found");
+    }
+
+    if (!isAdmin && suggestion.userId !== userId) {
+      throw new Error("You can only delete your own suggestions");
+    }
+
+    if (suggestion.status !== "UNREVIEWED") {
+      throw new Error("Cannot delete a suggestion that has already been reviewed");
+    }
+
+    await prisma.suggestion.delete({
+      where: { id },
+    });
+
+    return mapSuggestion(suggestion);
+  },
 };