diff --git a/lib/helpers/verifyApiKey.ts b/lib/helpers/verifyApiKey.ts index 481b006849..08c0216737 100644 --- a/lib/helpers/verifyApiKey.ts +++ b/lib/helpers/verifyApiKey.ts @@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware"; import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys"; import prisma from "@calcom/prisma"; +import { isAdminGuard } from "@lib/utils/isAdmin"; + /** @todo figure how to use the one from `@calcom/types`fi */ /** @todo: remove once `@calcom/types` is updated with it.*/ declare module "next" { export interface NextApiRequest extends IncomingMessage { userId: number; method: string; + isAdmin: boolean; query: { [key: string]: string | string[] }; // eslint-disable-next-line @typescript-eslint/no-explicit-any session: any; @@ -41,5 +44,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => { if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" }); /* We save the user id in the request for later use */ req.userId = apiKey.userId; + /* We save the isAdmin boolean here for later use */ + req.isAdmin = await isAdminGuard(req.userId); + await next(); }; diff --git a/lib/validations/booking.ts b/lib/validations/booking.ts index b61d6913fd..a7a8eab730 100644 --- a/lib/validations/booking.ts +++ b/lib/validations/booking.ts @@ -3,7 +3,6 @@ import { z } from "zod"; import { _BookingModel as Booking } from "@calcom/prisma/zod"; const schemaBookingBaseBodyParams = Booking.pick({ - uid: true, userId: true, eventTypeId: true, title: true, @@ -24,7 +23,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s const schemaBookingEditParams = z .object({ - uid: z.string().optional(), title: z.string().optional(), startTime: z.date().optional(), endTime: z.date().optional(), diff --git a/pages/api/attendees/[id].ts b/pages/api/attendees/[id].ts index a1674d87a4..a72dbf5812 100644 --- a/pages/api/attendees/[id].ts +++ b/pages/api/attendees/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function attendeeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -33,9 +33,11 @@ export async function attendeeById( .flat() .map((attendee) => attendee.id) ); - // @note: Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + // @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin. + if (!isAdmin) { + if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) + res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/attendees/index.ts b/pages/api/attendees/index.ts index eaae0b28ff..e4f3e54f79 100644 --- a/pages/api/attendees/index.ts +++ b/pages/api/attendees/index.ts @@ -1,24 +1,30 @@ import type { NextApiRequest, NextApiResponse } from "next"; -import db from "@calcom/prisma"; +import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { AttendeeResponse, AttendeesResponse } from "@lib/types"; import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee"; async function createOrlistAllAttendees( - { method, userId, body }: NextApiRequest, + { method, userId, body, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const userBookings = await db.booking.findMany({ - where: { - userId, - }, - include: { - attendees: true, - }, - }); - const attendees = userBookings.map((booking) => booking.attendees).flat(); + let attendees; + if (!isAdmin) { + const userBookings = await prisma.booking.findMany({ + where: { + userId, + }, + include: { + attendees: true, + }, + }); + attendees = userBookings.map((booking) => booking.attendees).flat(); + } else { + const data = await prisma.attendee.findMany(); + attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee)); + } if (method === "GET") { /** * @swagger @@ -37,12 +43,7 @@ async function createOrlistAllAttendees( * description: No attendees were found */ if (attendees) res.status(200).json({ attendees }); - else - (error: Error) => - res.status(404).json({ - message: "No Attendees were found", - error, - }); + else (error: Error) => res.status(400).json({ error }); } else if (method === "POST") { /** * @swagger @@ -90,16 +91,39 @@ async function createOrlistAllAttendees( res.status(400).json({ message: "Invalid request body", error: safePost.error }); return; } - const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } }); - if (!userWithBookings) { - res.status(404).json({ message: "User not found" }); - return; - } - const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - // Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" }); - else { - const data = await db.attendee.create({ + if (!isAdmin) { + const userWithBookings = await prisma.user.findUnique({ + where: { id: userId }, + include: { bookings: true }, + }); + if (!userWithBookings) { + res.status(404).json({ message: "User not found" }); + return; + } + const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); + // Here we make sure to only return attendee's of the user's own bookings. + if (!userBookingIds.includes(safePost.data.bookingId)) + res.status(401).json({ message: "Unauthorized" }); + else { + const data = await prisma.attendee.create({ + data: { + email: safePost.data.email, + name: safePost.data.name, + timeZone: safePost.data.timeZone, + booking: { connect: { id: safePost.data.bookingId } }, + }, + }); + const attendee = schemaAttendeeReadPublic.parse(data); + + if (attendee) { + res.status(201).json({ + attendee, + message: "Attendee created successfully", + }); + } else (error: Error) => res.status(400).json({ error }); + } + } else { + const data = await prisma.attendee.create({ data: { email: safePost.data.email, name: safePost.data.name, diff --git a/pages/api/bookings/[id].ts b/pages/api/bookings/[id].ts index 7e17c9613a..8603af73c8 100644 --- a/pages/api/bookings/[id].ts +++ b/pages/api/bookings/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function bookingById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -25,8 +25,10 @@ export async function bookingById( }); if (!userWithBookings) throw new Error("User not found"); const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + + if (!isAdmin) { + if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/bookings/index.ts b/pages/api/bookings/index.ts index ab85b339cd..560bca7b8e 100644 --- a/pages/api/bookings/index.ts +++ b/pages/api/bookings/index.ts @@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val import { schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllBookings( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { console.log("userIduserId", userId); @@ -33,16 +33,29 @@ async function createOrlistAllBookings( * 404: * description: No bookings were found */ - const data = await prisma.booking.findMany({ where: { userId } }); - const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); - console.log(`Bookings requested by ${userId}`); - if (bookings) res.status(200).json({ bookings }); - else - (error: Error) => - res.status(404).json({ - message: "No Bookings were found", - error, - }); + if (!isAdmin) { + const data = await prisma.booking.findMany({ where: { userId } }); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } else { + const data = await prisma.booking.findMany(); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } } else if (method === "POST") { /** * @swagger @@ -83,7 +96,9 @@ async function createOrlistAllBookings( res.status(400).json({ message: "Bad request. Booking body is invalid." }); return; } - safe.data.userId = userId; + if (!isAdmin) { + safe.data.userId = userId; + } const data = await prisma.booking.create({ data: { uid: uuidv4(), ...safe.data } }); const booking = schemaBookingReadPublic.parse(data); diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 20ad84d776..013f9909be 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function eventTypeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -19,15 +19,15 @@ export async function eventTypeById( res.status(400).json({ message: "Your query was invalid" }); return; } - const data = await await prisma.user.findUnique({ + const data = await prisma.user.findUnique({ where: { id: userId }, rejectOnNotFound: true, select: { eventTypes: true }, }); const userEventTypes = data.eventTypes.map((eventType) => eventType.id); - - if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + if (!isAdmin) { + if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts index 0e2467692f..dc6844e039 100644 --- a/pages/api/event-types/index.ts +++ b/pages/api/event-types/index.ts @@ -7,7 +7,7 @@ import { EventTypeResponse, EventTypesResponse } from "@lib/types"; import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllEventTypes( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { if (method === "GET") { @@ -29,20 +29,27 @@ async function createOrlistAllEventTypes( * 404: * description: No event types were found */ - const data = await prisma.user - .findUnique({ - where: { id: userId }, - rejectOnNotFound: true, - select: { eventTypes: true }, - }) - .catch((error) => res.status(404).json({ message: "No event types were found", error })); - if (data) res.status(200).json({ event_types: data.eventTypes }); - else - (error: Error) => - res.status(404).json({ - message: "No EventTypes were found", - error, - }); + if (!isAdmin) { + const data = await prisma.user + .findUnique({ + where: { id: userId }, + rejectOnNotFound: true, + select: { eventTypes: true }, + }) + .catch((error) => res.status(404).json({ message: "No event types were found", error })); + // @todo: add validations back schemaReadEventType.parse + if (data) res.status(200).json({ event_types: data.eventTypes }); + else + (error: Error) => + res.status(404).json({ + message: "No EventTypes were found", + error, + }); + } else { + const data = await prisma.eventType.findMany({}); + const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType)); + if (event_types) res.status(200).json({ event_types }); + } } else if (method === "POST") { /** * @swagger @@ -92,17 +99,16 @@ async function createOrlistAllEventTypes( res.status(400).json({ message: "Invalid request body", error: safe.error }); return; } - - const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); - const event_type = schemaEventTypeReadPublic.parse(data); - - if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); - else - (error: Error) => - res.status(400).json({ - message: "Could not create new event type", - error, - }); + if (!isAdmin) { + const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } else { + // if admin don't re-set userId from input + const data = await prisma.eventType.create({ data: { ...safe.data } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } } else res.status(405).json({ message: `Method ${method} not allowed` }); }