Merge pull request #107 from calcom/feat/admin-events

Feat: Add admin enpoints for event-types, bookings, attendees

lib/helpers/verifyApiKey.ts

@@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware";
 import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys";
 import prisma from "@calcom/prisma";
 
+import { isAdminGuard } from "@lib/utils/isAdmin";
+
 /** @todo figure how to use the one from `@calcom/types`fi */
 /** @todo: remove once `@calcom/types` is updated with it.*/
 declare module "next" {
   export interface NextApiRequest extends IncomingMessage {
     userId: number;
     method: string;
+    isAdmin: boolean;
     query: { [key: string]: string | string[] };
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     session: any;
@@ -41,5 +44,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => {
   if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" });
   /* We save the user id in the request for later use */
   req.userId = apiKey.userId;
+  /* We save the isAdmin boolean here for later use */
+  req.isAdmin = await isAdminGuard(req.userId);
+
   await next();
 };

lib/validations/booking.ts

@@ -3,7 +3,6 @@ import { z } from "zod";
 import { _BookingModel as Booking } from "@calcom/prisma/zod";
 
 const schemaBookingBaseBodyParams = Booking.pick({
-  uid: true,
   userId: true,
   eventTypeId: true,
   title: true,
@@ -24,7 +23,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s
 
 const schemaBookingEditParams = z
   .object({
-    uid: z.string().optional(),
     title: z.string().optional(),
     startTime: z.date().optional(),
     endTime: z.date().optional(),

pages/api/attendees/[id].ts

@@ -11,7 +11,7 @@ import {
 } from "@lib/validations/shared/queryIdTransformParseInt";
 
 export async function attendeeById(
-  { method, query, body, userId }: NextApiRequest,
+  { method, query, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<AttendeeResponse>
 ) {
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
@@ -33,9 +33,11 @@ export async function attendeeById(
           .flat()
           .map((attendee) => attendee.id)
     );
-  // @note: Here we make sure to only return attendee's of the user's own bookings.
-  if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
-  else {
+  // @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin.
+  if (!isAdmin) {
+    if (!userBookingsAttendeeIds.includes(safeQuery.data.id))
+      res.status(401).json({ message: "Unauthorized" });
+  } else {
     switch (method) {
       /**
        * @swagger

pages/api/attendees/index.ts

@@ -1,24 +1,30 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 
-import db from "@calcom/prisma";
+import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import { AttendeeResponse, AttendeesResponse } from "@lib/types";
 import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee";
 
 async function createOrlistAllAttendees(
-  { method, userId, body }: NextApiRequest,
+  { method, userId, body, isAdmin }: NextApiRequest,
   res: NextApiResponse<AttendeesResponse | AttendeeResponse>
 ) {
-  const userBookings = await db.booking.findMany({
-    where: {
-      userId,
-    },
-    include: {
-      attendees: true,
-    },
-  });
-  const attendees = userBookings.map((booking) => booking.attendees).flat();
+  let attendees;
+  if (!isAdmin) {
+    const userBookings = await prisma.booking.findMany({
+      where: {
+        userId,
+      },
+      include: {
+        attendees: true,
+      },
+    });
+    attendees = userBookings.map((booking) => booking.attendees).flat();
+  } else {
+    const data = await prisma.attendee.findMany();
+    attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee));
+  }
   if (method === "GET") {
     /**
      * @swagger
@@ -37,12 +43,7 @@ async function createOrlistAllAttendees(
      *         description: No attendees were found
      */
     if (attendees) res.status(200).json({ attendees });
-    else
-      (error: Error) =>
-        res.status(404).json({
-          message: "No Attendees were found",
-          error,
-        });
+    else (error: Error) => res.status(400).json({ error });
   } else if (method === "POST") {
     /**
      * @swagger
@@ -90,16 +91,39 @@ async function createOrlistAllAttendees(
       res.status(400).json({ message: "Invalid request body", error: safePost.error });
       return;
     }
-    const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } });
-    if (!userWithBookings) {
-      res.status(404).json({ message: "User not found" });
-      return;
-    }
-    const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
-    // Here we make sure to only return attendee's of the user's own bookings.
-    if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" });
-    else {
-      const data = await db.attendee.create({
+    if (!isAdmin) {
+      const userWithBookings = await prisma.user.findUnique({
+        where: { id: userId },
+        include: { bookings: true },
+      });
+      if (!userWithBookings) {
+        res.status(404).json({ message: "User not found" });
+        return;
+      }
+      const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
+      // Here we make sure to only return attendee's of the user's own bookings.
+      if (!userBookingIds.includes(safePost.data.bookingId))
+        res.status(401).json({ message: "Unauthorized" });
+      else {
+        const data = await prisma.attendee.create({
+          data: {
+            email: safePost.data.email,
+            name: safePost.data.name,
+            timeZone: safePost.data.timeZone,
+            booking: { connect: { id: safePost.data.bookingId } },
+          },
+        });
+        const attendee = schemaAttendeeReadPublic.parse(data);
+
+        if (attendee) {
+          res.status(201).json({
+            attendee,
+            message: "Attendee created successfully",
+          });
+        } else (error: Error) => res.status(400).json({ error });
+      }
+    } else {
+      const data = await prisma.attendee.create({
         data: {
           email: safePost.data.email,
           name: safePost.data.name,

pages/api/bookings/[id].ts

@@ -11,7 +11,7 @@ import {
 } from "@lib/validations/shared/queryIdTransformParseInt";
 
 export async function bookingById(
-  { method, query, body, userId }: NextApiRequest,
+  { method, query, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<BookingResponse>
 ) {
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
@@ -25,8 +25,10 @@ export async function bookingById(
   });
   if (!userWithBookings) throw new Error("User not found");
   const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
-  if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
-  else {
+
+  if (!isAdmin) {
+    if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
+  } else {
     switch (method) {
       /**
        * @swagger

pages/api/bookings/index.ts

@@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val
 import { schemaEventTypeReadPublic } from "@lib/validations/event-type";
 
 async function createOrlistAllBookings(
-  { method, body, userId }: NextApiRequest,
+  { method, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<BookingsResponse | BookingResponse>
 ) {
   console.log("userIduserId", userId);
@@ -33,16 +33,29 @@ async function createOrlistAllBookings(
      *       404:
      *         description: No bookings were found
      */
-    const data = await prisma.booking.findMany({ where: { userId } });
-    const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
-    console.log(`Bookings requested by ${userId}`);
-    if (bookings) res.status(200).json({ bookings });
-    else
-      (error: Error) =>
-        res.status(404).json({
-          message: "No Bookings were found",
-          error,
-        });
+    if (!isAdmin) {
+      const data = await prisma.booking.findMany({ where: { userId } });
+      const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
+      if (bookings) res.status(200).json({ bookings });
+      else {
+        (error: Error) =>
+          res.status(404).json({
+            message: "No Bookings were found",
+            error,
+          });
+      }
+    } else {
+      const data = await prisma.booking.findMany();
+      const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
+      if (bookings) res.status(200).json({ bookings });
+      else {
+        (error: Error) =>
+          res.status(404).json({
+            message: "No Bookings were found",
+            error,
+          });
+      }
+    }
   } else if (method === "POST") {
     /**
      * @swagger
@@ -83,7 +96,9 @@ async function createOrlistAllBookings(
       res.status(400).json({ message: "Bad request. Booking body is invalid." });
       return;
     }
-    safe.data.userId = userId;
+    if (!isAdmin) {
+      safe.data.userId = userId;
+    }
     const data = await prisma.booking.create({ data: { uid: uuidv4(), ...safe.data } });
     const booking = schemaBookingReadPublic.parse(data);
 

pages/api/event-types/[id].ts

@@ -11,7 +11,7 @@ import {
 } from "@lib/validations/shared/queryIdTransformParseInt";
 
 export async function eventTypeById(
-  { method, query, body, userId }: NextApiRequest,
+  { method, query, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<EventTypeResponse>
 ) {
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
@@ -19,15 +19,15 @@ export async function eventTypeById(
     res.status(400).json({ message: "Your query was invalid" });
     return;
   }
-  const data = await await prisma.user.findUnique({
+  const data = await prisma.user.findUnique({
     where: { id: userId },
     rejectOnNotFound: true,
     select: { eventTypes: true },
   });
   const userEventTypes = data.eventTypes.map((eventType) => eventType.id);
-
-  if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
-  else {
+  if (!isAdmin) {
+    if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
+  } else {
     switch (method) {
       /**
        * @swagger

pages/api/event-types/index.ts

@@ -7,7 +7,7 @@ import { EventTypeResponse, EventTypesResponse } from "@lib/types";
 import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type";
 
 async function createOrlistAllEventTypes(
-  { method, body, userId }: NextApiRequest,
+  { method, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<EventTypesResponse | EventTypeResponse>
 ) {
   if (method === "GET") {
@@ -29,20 +29,27 @@ async function createOrlistAllEventTypes(
      *       404:
      *         description: No event types were found
      */
-    const data = await prisma.user
-      .findUnique({
-        where: { id: userId },
-        rejectOnNotFound: true,
-        select: { eventTypes: true },
-      })
-      .catch((error) => res.status(404).json({ message: "No event types were found", error }));
-    if (data) res.status(200).json({ event_types: data.eventTypes });
-    else
-      (error: Error) =>
-        res.status(404).json({
-          message: "No EventTypes were found",
-          error,
-        });
+    if (!isAdmin) {
+      const data = await prisma.user
+        .findUnique({
+          where: { id: userId },
+          rejectOnNotFound: true,
+          select: { eventTypes: true },
+        })
+        .catch((error) => res.status(404).json({ message: "No event types were found", error }));
+      // @todo: add validations back schemaReadEventType.parse
+      if (data) res.status(200).json({ event_types: data.eventTypes });
+      else
+        (error: Error) =>
+          res.status(404).json({
+            message: "No EventTypes were found",
+            error,
+          });
+    } else {
+      const data = await prisma.eventType.findMany({});
+      const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType));
+      if (event_types) res.status(200).json({ event_types });
+    }
   } else if (method === "POST") {
     /**
      * @swagger
@@ -92,17 +99,16 @@ async function createOrlistAllEventTypes(
       res.status(400).json({ message: "Invalid request body", error: safe.error });
       return;
     }
-
-    const data = await prisma.eventType.create({ data: { ...safe.data, userId } });
-    const event_type = schemaEventTypeReadPublic.parse(data);
-
-    if (data) res.status(201).json({ event_type, message: "EventType created successfully" });
-    else
-      (error: Error) =>
-        res.status(400).json({
-          message: "Could not create new event type",
-          error,
-        });
+    if (!isAdmin) {
+      const data = await prisma.eventType.create({ data: { ...safe.data, userId } });
+      const event_type = schemaEventTypeReadPublic.parse(data);
+      if (data) res.status(201).json({ event_type, message: "EventType created successfully" });
+    } else {
+      // if admin don't re-set userId from input
+      const data = await prisma.eventType.create({ data: { ...safe.data } });
+      const event_type = schemaEventTypeReadPublic.parse(data);
+      if (data) res.status(201).json({ event_type, message: "EventType created successfully" });
+    }
   } else res.status(405).json({ message: `Method ${method} not allowed` });
 }