public-offering
/
cal.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make attendees id endpoint return only user owned resources

pull/9078/head
Agusti Fernandez Pardo 2022-04-11 15:20:38 +02:00
parent 75f5d881a5
commit 081b511e1e
1 changed files with 63 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
pages/api/attendees/[id].ts
View File

@ -4,6 +4,7 @@ import prisma from "@calcom/prisma";
import { withMiddleware } from "@lib/helpers/withMiddleware";
import type { AttendeeResponse } from "@lib/types";
import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
import { schemaAttendeeBodyParams, schemaAttendeePublic } from "@lib/validations/attendee";
import {
schemaQueryIdParseInt,
@ -83,8 +84,18 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
const { method, query, body } = req;
const safeQuery = schemaQueryIdParseInt.safeParse(query);
const safeBody = schemaAttendeeBodyParams.safeParse(body);
if (!safeQuery.success) throw new Error("Invalid request query", safeQuery.error);
if (!safeQuery.success) {
throw new Error("Invalid request query", safeQuery.error);
}
const userId = getCalcomUserId(res);
const userBookings = await prisma.booking.findMany({
where: { userId },
include: { attendees: true },
});
const attendees = userBookings.map((booking) => booking.attendees).flat();
const attendeeIds = attendees.map((attendee) => attendee.id);
// Here we make sure to only return attendee's of the user's own bookings.
if (attendeeIds.includes(safeQuery.data.id)) {
switch (method) {
case "GET":
await prisma.attendee
@ -92,21 +103,26 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
.then((data) => schemaAttendeePublic.parse(data))
.then((attendee) => res.status(200).json({ attendee }))
.catch((error: Error) =>
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
res.status(404).json({
message: `Attendee with id: ${safeQuery.data.id} not found`,
error,
})
);
break;
case "PATCH":
if (!safeBody.success) throw new Error("Invalid request body");
if (!safeBody.success) {
throw new Error("Invalid request body");
}
await prisma.attendee
.update({
where: { id: safeQuery.data.id },
data: safeBody.data,
})
.update({ where: { id: safeQuery.data.id }, data: safeBody.data })
.then((data) => schemaAttendeePublic.parse(data))
.then((attendee) => res.status(200).json({ attendee }))
.catch((error: Error) =>
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
res.status(404).json({
message: `Attendee with id: ${safeQuery.data.id} not found`,
error,
})
);
break;
@ -114,10 +130,15 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
await prisma.attendee
.delete({ where: { id: safeQuery.data.id } })
.then(() =>
res.status(200).json({ message: `Attendee with id: ${safeQuery.data.id} deleted successfully` })
res.status(200).json({
message: `Attendee with id: ${safeQuery.data.id} deleted successfully`,
})
)
.catch((error: Error) =>
res.status(404).json({ message: `Attendee with id: ${safeQuery.data.id} not found`, error })
res.status(404).json({
message: `Attendee with id: ${safeQuery.data.id} not found`,
error,
})
);
break;
@ -125,6 +146,7 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(attendeeById));