From 2ae11670deaa3df0edfa7fbe279a568a150ce80b Mon Sep 17 00:00:00 2001
From: Regalijan
Date: Tue, 2 Jun 2026 18:31:28 -0400
Subject: [PATCH] Enforce event booking limit server side

---
 functions/api/events-team/events/new.ts | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/functions/api/events-team/events/new.ts b/functions/api/events-team/events/new.ts
index a5e689a..4742aaf 100644
--- a/functions/api/events-team/events/new.ts
+++ b/functions/api/events-team/events/new.ts
@@ -21,8 +21,24 @@ export async function onRequestPost(context: RequestContext) {
 )
 return jsonError("Invalid body", 400);
 
+ const { prisma } = context.data;
+
 if (
- await context.data.prisma.event.findFirst({
+ (await prisma.event.count({
+ where: {
+ created_by: context.data.current_user.id,
+ day: {
+ gte: now.getUTCDate(),
+ },
+ month: currentMonth,
+ year: currentYear,
+ },
+ })) > 3
+ )
+ return jsonError("Too many events scheduled", 403);
+
+ if (
+ await prisma.event.findFirst({
 select: {
 id: true,
 },
@@ -51,7 +67,7 @@ export async function onRequestPost(context: RequestContext) {
 
 const weekRange = Math.floor(day / 7);
 
- const existingEventInRange = await context.data.prisma.event.findFirst({
+ const existingEventInRange = await prisma.event.findFirst({
 select: {
 id: true,
 },
@@ -73,7 +89,7 @@ export async function onRequestPost(context: RequestContext) {
 
 const id = `${now.getTime()}${crypto.randomUUID().replaceAll("-", "")}`;
 
- await context.data.prisma.event.create({
+ await prisma.event.create({
 data: {
 answer: context.data.body.answer || null,
 approved: type === "gamenight",
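Review bot: The new `prisma.event.count` check in the first hunk and the `prisma.event.create` call in the third hunk are separate awaits, so the booking limit is a check-then-act that parallel requests from the same user can each pass before either row exists. If the database behind Prisma here supports it, the count and the create should run inside one `prisma.$transaction(...)` at an isolation level that serialises them, or the cap should be enforced by the database itself. Two smaller things to confirm against the intended rule: `> 3` still admits a fourth upcoming event when three already exist (`>= 3` would cap at three), and the `where` only counts rows whose `month` and `year` equal the current ones, so an event dated in a later month would not count toward the limit if the body validation above the hunk allows such dates. A short comment above the check naming the limit and its window, e.g. `// Max N upcoming events per user in the current UTC month`, would make the intent reviewable. onRequestPost begins and ends outside these hunks, so the definitions of `currentMonth` and `currentYear` and the date validation are not visible here.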