Don't allow team admins to give owner permissions (#221)

Throw an error if a team member with ADMIN permission tries to change
a role to OWNER (Bug#3)

Co-authored-by: CarinaWolli <wollencarina@gmail.com>
pull/9078/head
Carina Wollendorfer 2022-12-20 18:45:24 +01:00 committed by GitHub
parent 12f19ff7c0
commit 161ebacfef
1 changed files with 9 additions and 2 deletions


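--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -58,13 +58,20 @@ async function checkPermissions(req: NextApiRequest) {
 if (isAdmin) return;
 // Only the invited user can accept the invite
 if ("accepted" in data && queryUserId !== userId)
-throw new HttpError({ statusCode: 403, message: "Only the invited user can accept the invite" });
+throw new HttpError({
+statusCode: 403,
+message: "Only the invited user can accept the invite",
+});
 // Only team OWNERS and ADMINS can modify `role`
 if ("role" in data) {
 const membership = await prisma.membership.findFirst({
 where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } },
 });
-if (!membership) throw new HttpError({ statusCode: 403, message: "Forbidden" });
+if (
+!membership ||
+(membership.role !== "OWNER" && req.body.role === "OWNER")
+)
+throw new HttpError({ statusCode: 403, message: "Forbidden" });
 }
 }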
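Review bot: The new guard reads `req.body.role`, while every other check in this function (`"accepted" in data`, `"role" in data`) consults `data`; if `data` is the parsed or validated form of the body, the authorization decision is made on a different value than the one later written, so the condition should be `(membership.role !== "OWNER" && data.role === "OWNER")`. The check also keys only on the requested new role, not on the target membership's current role, so on its own it does not prevent an ADMIN from changing an existing OWNER's role to something lower; unless that is enforced elsewhere, a lookup of the target member's role with the same `!== "OWNER"` test would close that gap. A comment stating the intent would help the next reader, e.g. `// Only an OWNER may grant (or, ideally, revoke) the OWNER role`. The start of `checkPermissions`, where `data`, `userId` and `teamId` are derived, lies outside the hunk.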