public-offering
/
cal.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ensure users cannot delete teams they don’t own (#720) 

Co-authored-by: Bailey Pumfleet <pumfleet@hey.com>
pull/719/head^2
Chris 2021-09-22 06:43:32 -04:00 committed by GitHub
parent 8eb3a31af4
commit 1c2998fc13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pages/api/teams/[team]/index.ts
View File

@ -1,5 +1,5 @@
import type { NextApiRequest, NextApiResponse } from "next";
import prisma from "../../../../lib/prisma";
import prisma from "@lib/prisma";
import { getSession } from "@lib/auth";
export default async function handler(req: NextApiRequest, res: NextApiResponse) {
@ -10,6 +10,23 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
// DELETE /api/teams/{team}
if (req.method === "DELETE") {
if (!session.user?.id) {
console.log("Received session token without a user id.");
return res.status(500).json({ message: "Something went wrong." });
}
const membership = await prisma.membership.findFirst({
where: {
userId: session.user.id,
teamId: parseInt(req.query.team as string),
},
});
if (!membership || membership.role !== "OWNER") {
console.log(`User ${session.user.id} tried deleting an organization they don't own.`);
return res.status(403).json({ message: "Forbidden." });
}
await prisma.membership.delete({
where: {
userId_teamId: { userId: session.user.id, teamId: parseInt(req.query.team) },