diff --git a/README.md b/README.md index 480973762b..844008a152 100644 --- a/README.md +++ b/README.md @@ -142,7 +142,6 @@ tests/endpoint/resource.new.test.ts - Create new resource ## Models missing userId relation - daily-event-references -- destination-calendars ## Models from database that are not exposed diff --git a/pages/api/destination-calendars/[id].ts b/pages/api/destination-calendars/[id].ts index ef7712e525..62eb85810c 100644 --- a/pages/api/destination-calendars/[id].ts +++ b/pages/api/destination-calendars/[id].ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { DestinationCalendarResponse } from "@lib/types"; +import { getCalcomUserId } from "@lib/utils/getCalcomUserId"; import { schemaDestinationCalendarBodyParams, schemaDestinationCalendarPublic, @@ -96,53 +97,65 @@ export async function destionationCalendarById( const safeQuery = schemaQueryIdParseInt.safeParse(query); const safeBody = schemaDestinationCalendarBodyParams.safeParse(body); if (!safeQuery.success) throw new Error("Invalid request query", safeQuery.error); + const userId = getCalcomUserId(res); + const data = await prisma.destinationCalendar.findMany({ where: { userId } }); + const userDestinationCalendars = data.map((destinationCalendar) => destinationCalendar.id); + // FIXME: Should we also check ownership of bokingId and eventTypeId to avoid users cross-pollinating other users calendars. + // On a related note, moving from sequential integer IDs to UUIDs would be a good idea. and maybe help avoid having this problem. + if (userDestinationCalendars.includes(safeQuery.data.id)) { + switch (method) { + case "GET": + await prisma.destinationCalendar + .findUnique({ where: { id: safeQuery.data.id } }) + .then((data) => schemaDestinationCalendarPublic.parse(data)) + .then((destination_calendar) => res.status(200).json({ destination_calendar })) + .catch((error: Error) => + res.status(404).json({ + message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, + error, + }) + ); + break; - switch (method) { - case "GET": - await prisma.destinationCalendar - .findUnique({ where: { id: safeQuery.data.id } }) - .then((data) => schemaDestinationCalendarPublic.parse(data)) - .then((destination_calendar) => res.status(200).json({ destination_calendar })) - .catch((error: Error) => - res - .status(404) - .json({ message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, error }) - ); - break; + case "PATCH": + if (!safeBody.success) { + throw new Error("Invalid request body"); + } + await prisma.destinationCalendar + .update({ where: { id: safeQuery.data.id }, data: safeBody.data }) + .then((data) => schemaDestinationCalendarPublic.parse(data)) + .then((destination_calendar) => res.status(200).json({ destination_calendar })) + .catch((error: Error) => + res.status(404).json({ + message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, + error, + }) + ); + break; - case "PATCH": - if (!safeBody.success) throw new Error("Invalid request body"); - await prisma.destinationCalendar - .update({ - where: { id: safeQuery.data.id }, - data: safeBody.data, - }) - .then((data) => schemaDestinationCalendarPublic.parse(data)) - .then((destination_calendar) => res.status(200).json({ destination_calendar })) - .catch((error: Error) => - res - .status(404) - .json({ message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, error }) - ); - break; + case "DELETE": + await prisma.destinationCalendar + .delete({ + where: { id: safeQuery.data.id }, + }) + .then(() => + res.status(200).json({ + message: `DestinationCalendar with id: ${safeQuery.data.id} deleted`, + }) + ) + .catch((error: Error) => + res.status(404).json({ + message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, + error, + }) + ); + break; - case "DELETE": - await prisma.destinationCalendar - .delete({ where: { id: safeQuery.data.id } }) - .then(() => - res.status(200).json({ message: `DestinationCalendar with id: ${safeQuery.data.id} deleted` }) - ) - .catch((error: Error) => - res - .status(404) - .json({ message: `DestinationCalendar with id: ${safeQuery.data.id} not found`, error }) - ); - break; - - default: - res.status(405).json({ message: "Method not allowed" }); - break; - } + default: + res.status(405).json({ message: "Method not allowed" }); + break; + } + } else res.status(401).json({ message: "Unauthorized" }); } export default withMiddleware("HTTP_GET_DELETE_PATCH")( diff --git a/pages/api/destination-calendars/index.ts b/pages/api/destination-calendars/index.ts index 3980b3e203..2b904dbc93 100644 --- a/pages/api/destination-calendars/index.ts +++ b/pages/api/destination-calendars/index.ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { DestinationCalendarResponse, DestinationCalendarsResponse } from "@lib/types"; +import { getCalcomUserId } from "@lib/utils/getCalcomUserId"; import { schemaDestinationCalendarBodyParams, schemaDestinationCalendarPublic, @@ -45,8 +46,10 @@ async function createOrlistAllDestinationCalendars( res: NextApiResponse ) { const { method } = req; + const userId = getCalcomUserId(res); + if (method === "GET") { - const data = await prisma.destinationCalendar.findMany(); + const data = await prisma.destinationCalendar.findMany({ where: { userId } }); const destination_calendars = data.map((destinationCalendar) => schemaDestinationCalendarPublic.parse(destinationCalendar) ); @@ -61,7 +64,7 @@ async function createOrlistAllDestinationCalendars( const safe = schemaDestinationCalendarBodyParams.safeParse(req.body); if (!safe.success) throw new Error("Invalid request body"); - const data = await prisma.destinationCalendar.create({ data: safe.data }); + const data = await prisma.destinationCalendar.create({ data: { ...safe.data, userId } }); const destination_calendar = schemaDestinationCalendarPublic.parse(data); if (destination_calendar)