Make attendees id endpoint return only user owned resources
parent
75f5d881a5
commit
081b511e1e
|
@ -4,6 +4,7 @@ import prisma from "@calcom/prisma";
|
|||
|
||||
import { withMiddleware } from "@lib/helpers/withMiddleware";
|
||||
import type { AttendeeResponse } from "@lib/types";
|
||||
import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
|
||||
import { schemaAttendeeBodyParams, schemaAttendeePublic } from "@lib/validations/attendee";
|
||||
import {
|
||||
schemaQueryIdParseInt,
|
||||
|
@ -83,8 +84,18 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
|
|||
const { method, query, body } = req;
|
||||
const safeQuery = schemaQueryIdParseInt.safeParse(query);
|
||||
const safeBody = schemaAttendeeBodyParams.safeParse(body);
|
||||
if (!safeQuery.success) throw new Error("Invalid request query", safeQuery.error);
|
||||
|
||||
if (!safeQuery.success) {
|
||||
throw new Error("Invalid request query", safeQuery.error);
|
||||
}
|
||||
const userId = getCalcomUserId(res);
|
||||
const userBookings = await prisma.booking.findMany({
|
||||
where: { userId },
|
||||
include: { attendees: true },
|
||||
});
|
||||
const attendees = userBookings.map((booking) => booking.attendees).flat();
|
||||
const attendeeIds = attendees.map((attendee) => attendee.id);
|
||||
// Here we make sure to only return attendee's of the user's own bookings.
|
||||
if (attendeeIds.includes(safeQuery.data.id)) {
|
||||
switch (method) {
|
||||
case "GET":
|
||||
await prisma.attendee
|
||||
|
@ -92,21 +103,26 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
|
|||
.then((data) => schemaAttendeePublic.parse(data))
|
||||
.then((attendee) => res.status(200).json({ attendee }))
|
||||
.catch((error: Error) =>
|
||||
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
|
||||
res.status(404).json({
|
||||
message: `Attendee with id: ${safeQuery.data.id} not found`,
|
||||
error,
|
||||
})
|
||||
);
|
||||
break;
|
||||
|
||||
case "PATCH":
|
||||
if (!safeBody.success) throw new Error("Invalid request body");
|
||||
if (!safeBody.success) {
|
||||
throw new Error("Invalid request body");
|
||||
}
|
||||
await prisma.attendee
|
||||
.update({
|
||||
where: { id: safeQuery.data.id },
|
||||
data: safeBody.data,
|
||||
})
|
||||
.update({ where: { id: safeQuery.data.id }, data: safeBody.data })
|
||||
.then((data) => schemaAttendeePublic.parse(data))
|
||||
.then((attendee) => res.status(200).json({ attendee }))
|
||||
.catch((error: Error) =>
|
||||
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
|
||||
res.status(404).json({
|
||||
message: `Attendee with id: ${safeQuery.data.id} not found`,
|
||||
error,
|
||||
})
|
||||
);
|
||||
break;
|
||||
|
||||
|
@ -114,10 +130,15 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
|
|||
await prisma.attendee
|
||||
.delete({ where: { id: safeQuery.data.id } })
|
||||
.then(() =>
|
||||
res.status(200).json({ message: `Attendee with id: ${safeQuery.data.id} deleted successfully` })
|
||||
res.status(200).json({
|
||||
message: `Attendee with id: ${safeQuery.data.id} deleted successfully`,
|
||||
})
|
||||
)
|
||||
.catch((error: Error) =>
|
||||
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
|
||||
res.status(404).json({
|
||||
message: `Attendee with id: ${safeQuery.data.id} not found`,
|
||||
error,
|
||||
})
|
||||
);
|
||||
break;
|
||||
|
||||
|
@ -125,6 +146,7 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
|
|||
res.status(405).json({ message: "Method not allowed" });
|
||||
break;
|
||||
}
|
||||
} else res.status(401).json({ message: "Unauthorized" });
|
||||
}
|
||||
|
||||
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(attendeeById));
|
||||
|
|
Loading…
Reference in New Issue