Monday, May 18, 2026

Lock down rental edits so only admins can change facility bookings

Volleyball Elite Academy development update

## What & Why

The endpoints for editing and deleting gym rentals (, ) currently accept any logged-in user — they only check and skip the SuperAdmin check used elsewhere. That means any signed-in account (including parents and athletes) could change a rental's times, court count, or status and silently break the scheduling capacity for real events. Now that courtCount drives capacity math, the blast radius of unauthorized edits is bigger.

## Done looks like

- PATCH and DELETE on require SuperAdmin (matching )
- PATCH validates the full body with a Zod partial schema (start/end time format, status enum, courtCount ≥ 1, etc.) instead of forwarding raw
- Route tests cover the unauthorized-user 403 case and the invalid-body 400 case

## Relevant files

- (, )
- (insertGymRentalSchema — extend for an updateGymRentalSchema)
-
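To make the "done looks like" shape concrete, here is an added example that is not the project's own code: a dependency-free JavaScript model of the hardened PATCH and DELETE handlers. The real app uses Express and a Zod partial schema; this version writes the SuperAdmin gate and the partial-body validation as plain functions so it runs anywhere. The role string `SuperAdmin`, the status enum values, the `HH:MM` time format and the function names are assumptions, since the page does not show the actual schema or route helpers.

```javascript
// Added example, not the project's code. Models the hardened rental-edit
// handlers without Express or Zod so it runs stand-alone.

const RENTAL_STATUSES = ['pending', 'confirmed', 'cancelled']; // assumed enum
const TIME_RE = /^([01]\d|2[0-3]):[0-5]\d$/;                   // assumed HH:MM

// Same gate the other admin routes use: no body is even looked at unless the
// caller is a signed-in SuperAdmin. Anonymous -> 401, other roles -> 403.
function requireSuperAdmin(user) {
  if (!user) return { status: 401, error: 'not signed in' };
  if (user.role !== 'SuperAdmin') return { status: 403, error: 'SuperAdmin required' };
  return null;
}

// Stand-in for the Zod partial schema: every field is optional, any field that
// is present must be valid, and unknown keys are rejected instead of forwarded.
function validateRentalUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  const errors = [];
  const allowed = new Set(['startTime', 'endTime', 'status', 'courtCount']);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unknown field: ${key}`);
  }
  for (const field of ['startTime', 'endTime']) {
    if (field in body && !(typeof body[field] === 'string' && TIME_RE.test(body[field]))) {
      errors.push(`${field} must be HH:MM`);
    }
  }
  if ('status' in body && !RENTAL_STATUSES.includes(body.status)) {
    errors.push(`status must be one of ${RENTAL_STATUSES.join(', ')}`);
  }
  if ('courtCount' in body && !(Number.isInteger(body.courtCount) && body.courtCount >= 1)) {
    errors.push('courtCount must be an integer >= 1');
  }
  return errors.length ? { ok: false, errors } : { ok: true, data: body };
}

// Hardened PATCH: authorization first, then validation, then the update.
function patchRental(user, body, store, id) {
  const denied = requireSuperAdmin(user);
  if (denied) return denied;
  const v = validateRentalUpdate(body);
  if (!v.ok) return { status: 400, errors: v.errors };
  const existing = store.get(id);
  if (!existing) return { status: 404, error: 'rental not found' };
  const updated = { ...existing, ...v.data };
  store.set(id, updated);
  return { status: 200, rental: updated };
}

// Hardened DELETE: same gate, no body to validate.
function deleteRental(user, store, id) {
  const denied = requireSuperAdmin(user);
  if (denied) return denied;
  if (!store.has(id)) return { status: 404, error: 'rental not found' };
  store.delete(id);
  return { status: 204 };
}

// Walks the cases the route tests should cover, on a constructed in-memory store.
function demo() {
  const store = new Map([
    [1, { id: 1, startTime: '18:00', endTime: '20:00', status: 'confirmed', courtCount: 2 }],
  ]);
  const admin = { role: 'SuperAdmin' };
  return {
    parentPatch: patchRental({ role: 'Parent' }, { courtCount: 1 }, store, 1).status,   // 403
    anonymousPatch: patchRental(null, { courtCount: 1 }, store, 1).status,              // 401
    invalidBody: patchRental(admin, { courtCount: 0, status: 'bogus' }, store, 1).status, // 400
    validPatch: patchRental(admin, { courtCount: 3, endTime: '21:00' }, store, 1).status, // 200
    courtCountAfter: store.get(1).courtCount,                                             // 3
    athleteDelete: deleteRental({ role: 'Athlete' }, store, 1).status,                   // 403
    adminDelete: deleteRental(admin, store, 1).status,                                   // 204
    remaining: store.size,                                                               // 0
  };
}

console.log(demo());
```

The ordering inside `patchRental` is the point: the authorization check runs before the body is parsed, so an unauthorized caller learns nothing about which fields the schema accepts, and a SuperAdmin sending an out-of-range `courtCount` gets a 400 rather than a write that corrupts the capacity math.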


elitevolleyball.training
