Is your feature request related to a problem? Please describe
The `PATCH /api/event-registrations/:id` endpoint has no authorization check on cancellations, meaning any logged-in user could cancel anyone else's registration by setting `registrationStatus` to `cancelled`.
Describe the solution you'd like
Create a `beforeChange` hook at `src/payload/hooks/eventRegistrations/handleCancellation.ts` that intercepts updates and validates the cancellation before Payload saves the change.
Logic:
- Skip if the operation is not `update`
- Skip if `data.registrationStatus` is not `'cancelled'`
- If no user is logged in, throw `"You must be logged in to cancel a registration"`
- If the requesting user is not the owner of the registration and is not an admin, throw `"You are not allowed to cancel this registration"`
- Otherwise, return `data` and allow Payload to save the cancellation
Once this ticket and Ticket 4 are both merged, add `handleCancellation` to the `beforeChange` hooks array in `EventRegistrations.ts` alongside `checkCapacity`.
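The hook logic above, written out as an added example rather than the project's own code. The argument type is a hand-written subset of Payload's `beforeChange` hook arguments (no `payload` import), and the owner field name `user` and the `roles: string[]` field on the request user are assumptions.

```typescript
// Added example: handleCancellation hook as described in this ticket.
// Assumption: the argument shape below mirrors the subset of Payload's
// CollectionBeforeChangeHook args this hook needs (data, originalDoc,
// operation, req.user); it is declared locally so the file runs stand-alone.
type Operation = 'create' | 'update'

interface RequestUser {
  id: string
  roles?: string[] // assumption: RBAC (#8) stores roles as an array
}

interface RegistrationDoc {
  id?: string
  user?: string | { id: string } // assumption: owner relationship, id or populated doc
  registrationStatus?: string
}

interface BeforeChangeArgs {
  data: Partial<RegistrationDoc>
  originalDoc?: RegistrationDoc
  operation: Operation
  req: { user?: RequestUser | null }
}

// Normalise a relationship value (id string or populated document) to an id.
function relationshipId(value: string | { id: string } | undefined): string | undefined {
  if (value === undefined) return undefined
  return typeof value === 'string' ? value : value.id
}

export function handleCancellation({ data, originalDoc, operation, req }: BeforeChangeArgs): Partial<RegistrationDoc> {
  // Only cancellations of existing registrations are subject to this check.
  if (operation !== 'update') return data
  if (data.registrationStatus !== 'cancelled') return data

  const user = req.user
  if (!user) {
    throw new Error('You must be logged in to cancel a registration')
  }

  // Ownership is read from the stored document, not from the incoming data,
  // so a caller cannot reassign `user` in the same request to pass the check.
  const ownerId = relationshipId(originalDoc?.user)
  const isOwner = ownerId !== undefined && ownerId === user.id
  const isAdmin = Array.isArray(user.roles) && user.roles.includes('admin')
  if (!isOwner && !isAdmin) {
    throw new Error('You are not allowed to cancel this registration')
  }

  return data // soft-cancel: status becomes 'cancelled', the document is kept
}
```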
Describe alternatives you've considered
A custom Next.js route handler was considered, but using a hook means the authorization check is enforced at the data layer — it applies whether the update comes from the REST API, the admin panel, or the Local API directly.
Additional context
Registrations should be soft-cancelled (status set to `cancelled`) and never hard-deleted, to preserve the audit trail and support future waitlist promotion logic.
Depends on the EventRegistrations collection (#10) and role-based access control (#8).
Ref: https://payloadcms.com/docs/hooks/collections
BEFORE MERGING
pnpm typegen)