cal.pub0.org/pages/api/memberships/_post.ts

54 lines
1.7 KiB
TypeScript
Raw Normal View History

import type { Prisma } from "@prisma/client";
import type { NextApiRequest } from "next";
import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";
import { membershipCreateBodySchema, schemaMembershipPublic } from "@lib/validations/membership";
/**
* @swagger
* /memberships:
* post:
* summary: Creates a new membership
* tags:
* - memberships
* responses:
* 201:
* description: OK, membership created
* 400:
* description: Bad request. Membership body is invalid.
* 401:
* description: Authorization information is missing or invalid.
*/
async function postHandler(req: NextApiRequest) {
const { prisma } = req;
const data = membershipCreateBodySchema.parse(req.body);
const args: Prisma.MembershipCreateArgs = { data };
await checkPermissions(req);
const result = await prisma.membership.create(args);
return {
membership: schemaMembershipPublic.parse(result),
message: "Membership created successfully",
};
}
async function checkPermissions(req: NextApiRequest) {
const { userId, isAdmin, prisma } = req;
if (isAdmin) return;
const body = membershipCreateBodySchema.parse(req.body);
// To prevent auto-accepted invites, limit it to ADMIN users
if (!isAdmin && "accepted" in body)
throw new HttpError({ statusCode: 403, message: "ADMIN needed for `accepted`" });
// Only team OWNERS and ADMINS can add other members
const membership = await prisma.membership.findFirst({
where: { userId, teamId: body.teamId, role: { in: ["ADMIN", "OWNER"] } },
});
if (!membership) throw new HttpError({ statusCode: 403, message: "You can't add members to this team" });
}
export default defaultResponder(postHandler);