fix: saml update/delete only owner team (#2948)

Co-authored-by: Agusti Fernandez Pardo <git@agusti.me>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
pull/2962/head
Agusti Fernandez Pardo 2022-06-04 01:13:50 +02:00 committed by GitHub
parent 2c65e39482
commit 16836d0cfb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 3 deletions

View File

@ -14,6 +14,7 @@ import { checkRegularUsername } from "@lib/core/checkRegularUsername";
import { sendFeedbackEmail } from "@lib/emails/email-manager";
import jackson from "@lib/jackson";
import prisma from "@lib/prisma";
import { isTeamOwner } from "@lib/queries/teams";
import {
hostedCal,
isSAMLAdmin,
@ -849,9 +850,9 @@ const loggedInViewerRouter = createProtectedRouter()
encodedRawMetadata: z.string(),
teamId: z.union([z.number(), z.null(), z.undefined()]),
}),
async resolve({ input }) {
async resolve({ ctx, input }) {
const { encodedRawMetadata, teamId } = input;
if (teamId && !(await isTeamOwner(ctx.user?.id, teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
const { apiController } = await jackson();
try {
@ -872,8 +873,9 @@ const loggedInViewerRouter = createProtectedRouter()
input: z.object({
teamId: z.union([z.number(), z.null(), z.undefined()]),
}),
async resolve({ input }) {
async resolve({ ctx, input }) {
const { teamId } = input;
if (teamId && !(await isTeamOwner(ctx.user?.id, teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
const { apiController } = await jackson();