cal.pub0.org/pages/api/memberships/[id]/_patch.ts

import type { Prisma } from "@prisma/client";
import type { NextApiRequest } from "next";

import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";

import {
  membershipEditBodySchema,
  membershipIdSchema,
  schemaMembershipPublic,
} from "@lib/validations/membership";

/**
 * @swagger
 * /memberships/{userId}_{teamId}:
 *   patch:
 *     summary: Edit an existing membership
 *     parameters:
 *      - in: path
 *        name: userId
 *        schema:
 *          type: integer
 *        required: true
 *        description: Numeric userId of the membership to get
 *      - in: path
 *        name: teamId
 *        schema:
 *          type: integer
 *        required: true
 *        description: Numeric teamId of the membership to get
 *     tags:
 *     - memberships
 *     responses:
 *       201:
 *         description: OK, membership edited successfully
 *       400:
 *        description: Bad request. Membership body is invalid.
 *       401:
 *        description: Authorization information is missing or invalid.
 */
export async function patchHandler(req: NextApiRequest) {
  const { prisma, query } = req;
  const userId_teamId = membershipIdSchema.parse(query);
  const data = membershipEditBodySchema.parse(req.body);
  const args: Prisma.MembershipUpdateArgs = { where: { userId_teamId }, data };

  await checkPermissions(req);

  const result = await prisma.membership.update(args);
  return { membership: schemaMembershipPublic.parse(result) };
}

async function checkPermissions(req: NextApiRequest) {
  const { userId, isAdmin, prisma } = req;
  const { userId: queryUserId, teamId } = membershipIdSchema.parse(req.query);
  const data = membershipEditBodySchema.parse(req.body);
  // Admins can just skip this check
  if (isAdmin) return;
  // Only the invited user can accept the invite
  if ("accepted" in data && queryUserId !== userId)
    throw new HttpError({ statusCode: 403, message: "Only the invited user can accept the invite" });
  // Only team OWNERS and ADMINS can modify `role`
  if ("role" in data) {
    const membership = await prisma.membership.findFirst({
      where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } },
    });
    if (!membership) throw new HttpError({ statusCode: 403, message: "Forbidden" });
  }
}

export default defaultResponder(patchHandler);
Refactor membership endpoints (#204) refs #175 Co-authored-by: Alex van Andel <me@alexvanandel.com> 2022-10-21 19:54:28 +00:00			`import type { Prisma } from "@prisma/client";`
			`import type { NextApiRequest } from "next";`

			`import { HttpError } from "@calcom/lib/http-error";`
			`import { defaultResponder } from "@calcom/lib/server";`

			`import {`
			`membershipEditBodySchema,`
			`membershipIdSchema,`
			`schemaMembershipPublic,`
			`} from "@lib/validations/membership";`

			`/**`
			`* @swagger`
			`* /memberships/{userId}_{teamId}:`
			`* patch:`
			`* summary: Edit an existing membership`
			`* parameters:`
			`* - in: path`
			`* name: userId`
			`* schema:`
			`* type: integer`
			`* required: true`
			`* description: Numeric userId of the membership to get`
			`* - in: path`
			`* name: teamId`
			`* schema:`
			`* type: integer`
			`* required: true`
			`* description: Numeric teamId of the membership to get`
			`* tags:`
			`* - memberships`
			`* responses:`
			`* 201:`
			`* description: OK, membership edited successfully`
			`* 400:`
			`* description: Bad request. Membership body is invalid.`
			`* 401:`
			`* description: Authorization information is missing or invalid.`
			`*/`
			`export async function patchHandler(req: NextApiRequest) {`
			`const { prisma, query } = req;`
			`const userId_teamId = membershipIdSchema.parse(query);`
			`const data = membershipEditBodySchema.parse(req.body);`
			`const args: Prisma.MembershipUpdateArgs = { where: { userId_teamId }, data };`

			`await checkPermissions(req);`

			`const result = await prisma.membership.update(args);`
			`return { membership: schemaMembershipPublic.parse(result) };`
			`}`

			`async function checkPermissions(req: NextApiRequest) {`
			`const { userId, isAdmin, prisma } = req;`
			`const { userId: queryUserId, teamId } = membershipIdSchema.parse(req.query);`
			`const data = membershipEditBodySchema.parse(req.body);`
			`// Admins can just skip this check`
			`if (isAdmin) return;`
			`// Only the invited user can accept the invite`
			`if ("accepted" in data && queryUserId !== userId)`
			`throw new HttpError({ statusCode: 403, message: "Only the invited user can accept the invite" });`
			// Only team OWNERS and ADMINS can modify `role`
			`if ("role" in data) {`
			`const membership = await prisma.membership.findFirst({`
			`where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } },`
			`});`
			`if (!membership) throw new HttpError({ statusCode: 403, message: "Forbidden" });`
			`}`
			`}`

			`export default defaultResponder(patchHandler);`