cal.pub0.org/pages/api/schedules/[id]/_patch.ts

import type { NextApiRequest } from "next";
import { z } from "zod";

import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";

import { schemaSchedulePublic, schemaSingleScheduleBodyParams } from "~/lib/validations/schedule";
import { schemaQueryIdParseInt } from "~/lib/validations/shared/queryIdTransformParseInt";

/**
 * @swagger
 * /schedules/{id}:
 *   patch:
 *     operationId: editScheduleById
 *     summary: Edit an existing schedule
 *     parameters:
 *      - in: path
 *        name: id
 *        schema:
 *          type: integer
 *        required: true
 *        description: ID of the schedule to edit
 *     tags:
 *     - schedules
 *     responses:
 *       201:
 *         description: OK, schedule edited successfully
 *       400:
 *        description: Bad request. Schedule body is invalid.
 *       401:
 *        description: Authorization information is missing or invalid.
 */
export async function patchHandler(req: NextApiRequest) {
  const { prisma, query } = req;
  const { id } = schemaQueryIdParseInt.parse(query);
  const data = schemaSingleScheduleBodyParams.parse(req.body);
  await checkPermissions(req, data);
  const result = await prisma.schedule.update({ where: { id }, data, include: { availability: true } });
  return { schedule: schemaSchedulePublic.parse(result) };
}

async function checkPermissions(req: NextApiRequest, body: z.infer<typeof schemaSingleScheduleBodyParams>) {
  const { isAdmin } = req;
  if (isAdmin) return;
  if (body.userId) {
    throw new HttpError({ statusCode: 403, message: "Non admin cannot change the owner of a schedule" });
  }
  //_auth-middleware takes care of verifying the ownership of schedule.
}

export default defaultResponder(patchHandler);
Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00			`import type { NextApiRequest } from "next";`
Security Fixes (#224) Fixes - 2,3,4 security vulnerabilities reported in this message. https://calendso.slack.com/archives/C03127U5S5Q/p1671922033089329 More Fixes - Dont't allow a user to add a random attendee to a booking not owned by him - Don't allow a user to add a random cal user as an organizer of the booking. - Membership deletion should be as per the Privileges of Owner,Admin,Member 2023-01-04 22:17:47 +00:00			`import { z } from "zod";`
Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00
Security Fixes (#224) Fixes - 2,3,4 security vulnerabilities reported in this message. https://calendso.slack.com/archives/C03127U5S5Q/p1671922033089329 More Fixes - Dont't allow a user to add a random attendee to a booking not owned by him - Don't allow a user to add a random cal user as an organizer of the booking. - Membership deletion should be as per the Privileges of Owner,Admin,Member 2023-01-04 22:17:47 +00:00			`import { HttpError } from "@calcom/lib/http-error";`
Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00			`import { defaultResponder } from "@calcom/lib/server";`

Various import and type fixes 2022-11-25 13:56:58 +00:00			`import { schemaSchedulePublic, schemaSingleScheduleBodyParams } from "~/lib/validations/schedule";`
			`import { schemaQueryIdParseInt } from "~/lib/validations/shared/queryIdTransformParseInt";`
Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00
			`/**`
			`* @swagger`
			`* /schedules/{id}:`
			`* patch:`
			`* operationId: editScheduleById`
			`* summary: Edit an existing schedule`
			`* parameters:`
			`* - in: path`
			`* name: id`
			`* schema:`
			`* type: integer`
			`* required: true`
			`* description: ID of the schedule to edit`
			`* tags:`
			`* - schedules`
			`* responses:`
			`* 201:`
			`* description: OK, schedule edited successfully`
			`* 400:`
			`* description: Bad request. Schedule body is invalid.`
			`* 401:`
			`* description: Authorization information is missing or invalid.`
			`*/`
			`export async function patchHandler(req: NextApiRequest) {`
			`const { prisma, query } = req;`
			`const { id } = schemaQueryIdParseInt.parse(query);`
			`const data = schemaSingleScheduleBodyParams.parse(req.body);`
Security Fixes (#224) Fixes - 2,3,4 security vulnerabilities reported in this message. https://calendso.slack.com/archives/C03127U5S5Q/p1671922033089329 More Fixes - Dont't allow a user to add a random attendee to a booking not owned by him - Don't allow a user to add a random cal user as an organizer of the booking. - Membership deletion should be as per the Privileges of Owner,Admin,Member 2023-01-04 22:17:47 +00:00			`await checkPermissions(req, data);`
Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00			`const result = await prisma.schedule.update({ where: { id }, data, include: { availability: true } });`
			`return { schedule: schemaSchedulePublic.parse(result) };`
			`}`

Security Fixes (#224) Fixes - 2,3,4 security vulnerabilities reported in this message. https://calendso.slack.com/archives/C03127U5S5Q/p1671922033089329 More Fixes - Dont't allow a user to add a random attendee to a booking not owned by him - Don't allow a user to add a random cal user as an organizer of the booking. - Membership deletion should be as per the Privileges of Owner,Admin,Member 2023-01-04 22:17:47 +00:00			`async function checkPermissions(req: NextApiRequest, body: z.infer<typeof schemaSingleScheduleBodyParams>) {`
			`const { isAdmin } = req;`
			`if (isAdmin) return;`
			`if (body.userId) {`
			`throw new HttpError({ statusCode: 403, message: "Non admin cannot change the owner of a schedule" });`
			`}`
			`//_auth-middleware takes care of verifying the ownership of schedule.`
			`}`

Refactor schedule endpoints (#185) 2022-10-13 20:54:38 +00:00			`export default defaultResponder(patchHandler);`