From 116de5aead8ca6ad40622e5376f01325f14aad4b Mon Sep 17 00:00:00 2001
From: "s0wlz (Matthias Puchstein)"
Date: Tue, 28 Apr 2026 03:49:30 +0200
Subject: [PATCH] fix(attendance): reject seat_id on room-less slots
---
 backend/src/routes/checkin.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/backend/src/routes/checkin.rs b/backend/src/routes/checkin.rs
index 6bbba36..a0928ff 100644
--- a/backend/src/routes/checkin.rs
+++ b/backend/src/routes/checkin.rs
@@ -181,14 +181,15 @@ async fn post_checkin(
 return Err(AppError::Conflict("check-in not available".into()));
 }

- // If room_id is set, seat_id is required
- if slot.room_id.is_some() && req.seat_id.is_none() {
- return Err(AppError::BadRequest("seat required".into()));
- }
-
- // Validate seat_id against room layout
- if let Some(ref seat_id) = req.seat_id {
- if let Some(room_id) = slot.room_id {
+ // seat_id / room_id cross-validation
+ match (slot.room_id, req.seat_id.as_ref()) {
+ (None, Some(_)) => {
+ return Err(AppError::BadRequest("seat_id provided but slot has no room".into()));
+ }
+ (Some(_), None) => {
+ return Err(AppError::BadRequest("seat required".into()));
+ }
+ (Some(room_id), Some(seat_id)) => {
 let room = sqlx::query_as::<_, Room>(
 "SELECT id, name, layout_json FROM rooms WHERE id = ?",
 )
@@ -207,6 +208,7 @@ async fn post_checkin(
 }
 }
 }
+ (None, None) => {}
 }

 // Cookie identity check
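Review bot: The new `(None, Some(_))` arm in the first hunk is an input-validation boundary, but the commit touches only `checkin.rs` and adds no test, so nothing pins the rejection; a regression test that posts a `seat_id` to a room-less slot and asserts a 400 with no attendance row written would keep the arm from being relaxed later. The whole match also sits ahead of the `// Cookie identity check` context line in the second hunk, so the two distinct 400 messages presumably reach callers whose identity has not been checked yet and tell them whether a slot has a room; if that is not meant to be public, the match could move below the identity check or both arms could return the same text. The silent `(None, None) => {}` arm would read better with a comment such as `// no room and no seat: nothing to validate`. `post_checkin` begins and ends outside both hunks, so the ordering is inferred from the visible context lines only.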