From 12b7b3ecbf5486336ee5095924ddbdccc3102012 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 01:17:01 +0200 Subject: [PATCH 1/7] fix: add event-types admin endpoints --- pages/api/event-types/index.ts | 58 +++++++++++++++++++--------------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts index 0e2467692f..bfe8c3e7ee 100644 --- a/pages/api/event-types/index.ts +++ b/pages/api/event-types/index.ts @@ -4,12 +4,14 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { EventTypeResponse, EventTypesResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllEventTypes( { method, body, userId }: NextApiRequest, res: NextApiResponse ) { + const isAdmin = await isAdminGuard(userId); if (method === "GET") { /** * @swagger @@ -29,20 +31,27 @@ async function createOrlistAllEventTypes( * 404: * description: No event types were found */ - const data = await prisma.user - .findUnique({ - where: { id: userId }, - rejectOnNotFound: true, - select: { eventTypes: true }, - }) - .catch((error) => res.status(404).json({ message: "No event types were found", error })); - if (data) res.status(200).json({ event_types: data.eventTypes }); - else - (error: Error) => - res.status(404).json({ - message: "No EventTypes were found", - error, - }); + if (!isAdmin) { + const data = await prisma.user + .findUnique({ + where: { id: userId }, + rejectOnNotFound: true, + select: { eventTypes: true }, + }) + .catch((error) => res.status(404).json({ message: "No event types were found", error })); + // @todo: add validations back schemaReadEventType.parse + if (data) res.status(200).json({ event_types: data.eventTypes }); + else + (error: Error) => + res.status(404).json({ + message: "No EventTypes were found", + error, + }); + } else { + const data = await prisma.eventType.findMany({}); + const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType)); + if (event_types) res.status(200).json({ event_types }); + } } else if (method === "POST") { /** * @swagger @@ -92,17 +101,16 @@ async function createOrlistAllEventTypes( res.status(400).json({ message: "Invalid request body", error: safe.error }); return; } - - const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); - const event_type = schemaEventTypeReadPublic.parse(data); - - if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); - else - (error: Error) => - res.status(400).json({ - message: "Could not create new event type", - error, - }); + if (!isAdmin) { + const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } else { + // if admin don't re-set userId from input + const data = await prisma.eventType.create({ data: { ...safe.data } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } } else res.status(405).json({ message: `Method ${method} not allowed` }); } From 0fc374c810d282896aa41e2c3eb3374777c9cf69 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 01:32:05 +0200 Subject: [PATCH 2/7] feat: add admin endpoint support for event-types id --- pages/api/event-types/[id].ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 20ad84d776..81cefb3ab7 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { EventTypeResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; import { schemaQueryIdParseInt, @@ -14,19 +15,21 @@ export async function eventTypeById( { method, query, body, userId }: NextApiRequest, res: NextApiResponse ) { + const isAdmin = await isAdminGuard(userId); const safeQuery = schemaQueryIdParseInt.safeParse(query); if (!safeQuery.success) { res.status(400).json({ message: "Your query was invalid" }); return; } - const data = await await prisma.user.findUnique({ + const data = await prisma.user.findUnique({ where: { id: userId }, rejectOnNotFound: true, select: { eventTypes: true }, }); const userEventTypes = data.eventTypes.map((eventType) => eventType.id); - if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + if (!isAdmin || !userEventTypes.includes(safeQuery.data.id)) + res.status(401).json({ message: "Unauthorized" }); else { switch (method) { /** From 0eed3e51e48c2ebb6ba8461d4f84308d56602e29 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 02:26:16 +0200 Subject: [PATCH 3/7] fix: only check event type ownership if not admin --- pages/api/event-types/[id].ts | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 81cefb3ab7..19435a0bc6 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -27,10 +27,9 @@ export async function eventTypeById( select: { eventTypes: true }, }); const userEventTypes = data.eventTypes.map((eventType) => eventType.id); - - if (!isAdmin || !userEventTypes.includes(safeQuery.data.id)) - res.status(401).json({ message: "Unauthorized" }); - else { + if (!isAdmin) { + if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger From ed1bc8015acf4a02fded22856a9fd82eaade1462 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 20:43:35 +0200 Subject: [PATCH 4/7] feat: initial isAdmin work for events and attendees --- lib/helpers/verifyApiKey.ts | 6 +++ lib/validations/booking.ts | 1 - pages/api/attendees/[id].ts | 10 +++-- pages/api/attendees/index.ts | 79 ++++++++++++++++++++++------------ pages/api/bookings/index.ts | 2 +- pages/api/event-types/[id].ts | 4 +- pages/api/event-types/index.ts | 4 +- pages/api/users/[id].ts | 4 +- pages/api/users/index.ts | 4 +- 9 files changed, 69 insertions(+), 45 deletions(-) diff --git a/lib/helpers/verifyApiKey.ts b/lib/helpers/verifyApiKey.ts index c45f3d3c3f..c3977ca94f 100644 --- a/lib/helpers/verifyApiKey.ts +++ b/lib/helpers/verifyApiKey.ts @@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware"; import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys"; import prisma from "@calcom/prisma"; +import { isAdminGuard } from "@lib/utils/isAdmin"; + /** @todo figure how to use the one from `@calcom/types`fi */ /** @todo: remove once `@calcom/types` is updated with it.*/ declare module "next" { export interface NextApiRequest extends IncomingMessage { userId: number; method: string; + isAdmin: boolean; query: { [key: string]: string | string[] }; } } @@ -39,5 +42,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => { if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" }); /* We save the user id in the request for later use */ req.userId = apiKey.userId; + /* We save the isAdmin boolean here for later use */ + req.isAdmin = await isAdminGuard(req.userId); + await next(); }; diff --git a/lib/validations/booking.ts b/lib/validations/booking.ts index b61d6913fd..a8a4b52c37 100644 --- a/lib/validations/booking.ts +++ b/lib/validations/booking.ts @@ -24,7 +24,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s const schemaBookingEditParams = z .object({ - uid: z.string().optional(), title: z.string().optional(), startTime: z.date().optional(), endTime: z.date().optional(), diff --git a/pages/api/attendees/[id].ts b/pages/api/attendees/[id].ts index a1674d87a4..a72dbf5812 100644 --- a/pages/api/attendees/[id].ts +++ b/pages/api/attendees/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function attendeeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -33,9 +33,11 @@ export async function attendeeById( .flat() .map((attendee) => attendee.id) ); - // @note: Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + // @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin. + if (!isAdmin) { + if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) + res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/attendees/index.ts b/pages/api/attendees/index.ts index eaae0b28ff..6b2c4fc415 100644 --- a/pages/api/attendees/index.ts +++ b/pages/api/attendees/index.ts @@ -1,24 +1,30 @@ import type { NextApiRequest, NextApiResponse } from "next"; -import db from "@calcom/prisma"; +import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { AttendeeResponse, AttendeesResponse } from "@lib/types"; import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee"; async function createOrlistAllAttendees( - { method, userId, body }: NextApiRequest, + { method, userId, body, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const userBookings = await db.booking.findMany({ - where: { - userId, - }, - include: { - attendees: true, - }, - }); - const attendees = userBookings.map((booking) => booking.attendees).flat(); + let attendees; + if (!isAdmin) { + const userBookings = await prisma.booking.findMany({ + where: { + userId, + }, + include: { + attendees: true, + }, + }); + attendees = userBookings.map((booking) => booking.attendees).flat(); + } else { + const data = await prisma.attendee.findMany(); + attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee)); + } if (method === "GET") { /** * @swagger @@ -37,12 +43,7 @@ async function createOrlistAllAttendees( * description: No attendees were found */ if (attendees) res.status(200).json({ attendees }); - else - (error: Error) => - res.status(404).json({ - message: "No Attendees were found", - error, - }); + else (error: Error) => res.status(400).json({ error }); } else if (method === "POST") { /** * @swagger @@ -90,16 +91,40 @@ async function createOrlistAllAttendees( res.status(400).json({ message: "Invalid request body", error: safePost.error }); return; } - const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } }); - if (!userWithBookings) { - res.status(404).json({ message: "User not found" }); - return; - } - const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - // Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" }); - else { - const data = await db.attendee.create({ + if (!isAdmin) { + const userWithBookings = await prisma.user.findUnique({ + where: { id: userId }, + include: { bookings: true }, + }); + if (!userWithBookings) { + res.status(404).json({ message: "User not found" }); + return; + } + const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); + // Here we make sure to only return attendee's of the user's own bookings. + if (!userBookingIds.includes(safePost.data.bookingId)) + res.status(401).json({ message: "Unauthorized" }); + else { + const data = await prisma.attendee.create({ + data: { + email: safePost.data.email, + name: safePost.data.name, + timeZone: safePost.data.timeZone, + booking: { connect: { id: safePost.data.bookingId } }, + }, + }); + const attendee = schemaAttendeeReadPublic.parse(data); + + if (attendee) { + res.status(201).json({ + attendee, + message: "Attendee created successfully", + }); + } else (error: Error) => res.status(400).json({ error }); + } + } else { + // @todo: check real availability times before booking + const data = await prisma.attendee.create({ data: { email: safePost.data.email, name: safePost.data.name, diff --git a/pages/api/bookings/index.ts b/pages/api/bookings/index.ts index ab85b339cd..47d9b80da3 100644 --- a/pages/api/bookings/index.ts +++ b/pages/api/bookings/index.ts @@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val import { schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllBookings( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { console.log("userIduserId", userId); diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 19435a0bc6..013f9909be 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -4,7 +4,6 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { EventTypeResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; import { schemaQueryIdParseInt, @@ -12,10 +11,9 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function eventTypeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const isAdmin = await isAdminGuard(userId); const safeQuery = schemaQueryIdParseInt.safeParse(query); if (!safeQuery.success) { res.status(400).json({ message: "Your query was invalid" }); diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts index bfe8c3e7ee..dc6844e039 100644 --- a/pages/api/event-types/index.ts +++ b/pages/api/event-types/index.ts @@ -4,14 +4,12 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { EventTypeResponse, EventTypesResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllEventTypes( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const isAdmin = await isAdminGuard(userId); if (method === "GET") { /** * @swagger diff --git a/pages/api/users/[id].ts b/pages/api/users/[id].ts index 65b864c652..bf70a7a785 100644 --- a/pages/api/users/[id].ts +++ b/pages/api/users/[id].ts @@ -4,7 +4,6 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { UserResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaQueryIdParseInt, withValidQueryIdTransformParseInt, @@ -12,7 +11,7 @@ import { import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user"; export async function userById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -21,7 +20,6 @@ export async function userById( res.status(400).json({ message: "Your query was invalid" }); return; } - const isAdmin = await isAdminGuard(userId); // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user if (!isAdmin) { if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" }); diff --git a/pages/api/users/index.ts b/pages/api/users/index.ts index 3839ae21b6..d94f198ad8 100644 --- a/pages/api/users/index.ts +++ b/pages/api/users/index.ts @@ -4,7 +4,6 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { UserResponse, UsersResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaUserReadPublic, schemaUserCreateBodyParams } from "@lib/validations/user"; /** @@ -24,10 +23,9 @@ import { schemaUserReadPublic, schemaUserCreateBodyParams } from "@lib/validatio * description: No users were found */ async function getAllorCreateUser( - { userId, method, body }: NextApiRequest, + { userId, method, body, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const isAdmin = await isAdminGuard(userId); if (method === "GET") { if (!isAdmin) { // If user is not ADMIN, return only his data. From 1d2e5f07ef6243f445d320c897584ecb762f338b Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:10:19 +0200 Subject: [PATCH 5/7] feat: admin endpoints for bookings --- lib/validations/booking.ts | 1 - pages/api/bookings/[id].ts | 8 +++++--- pages/api/bookings/index.ts | 37 ++++++++++++++++++++++++++----------- 3 files changed, 31 insertions(+), 15 deletions(-) diff --git a/lib/validations/booking.ts b/lib/validations/booking.ts index a8a4b52c37..a7a8eab730 100644 --- a/lib/validations/booking.ts +++ b/lib/validations/booking.ts @@ -3,7 +3,6 @@ import { z } from "zod"; import { _BookingModel as Booking } from "@calcom/prisma/zod"; const schemaBookingBaseBodyParams = Booking.pick({ - uid: true, userId: true, eventTypeId: true, title: true, diff --git a/pages/api/bookings/[id].ts b/pages/api/bookings/[id].ts index 7e17c9613a..8603af73c8 100644 --- a/pages/api/bookings/[id].ts +++ b/pages/api/bookings/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function bookingById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -25,8 +25,10 @@ export async function bookingById( }); if (!userWithBookings) throw new Error("User not found"); const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + + if (!isAdmin) { + if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/bookings/index.ts b/pages/api/bookings/index.ts index 47d9b80da3..560bca7b8e 100644 --- a/pages/api/bookings/index.ts +++ b/pages/api/bookings/index.ts @@ -33,16 +33,29 @@ async function createOrlistAllBookings( * 404: * description: No bookings were found */ - const data = await prisma.booking.findMany({ where: { userId } }); - const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); - console.log(`Bookings requested by ${userId}`); - if (bookings) res.status(200).json({ bookings }); - else - (error: Error) => - res.status(404).json({ - message: "No Bookings were found", - error, - }); + if (!isAdmin) { + const data = await prisma.booking.findMany({ where: { userId } }); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } else { + const data = await prisma.booking.findMany(); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } } else if (method === "POST") { /** * @swagger @@ -83,7 +96,9 @@ async function createOrlistAllBookings( res.status(400).json({ message: "Bad request. Booking body is invalid." }); return; } - safe.data.userId = userId; + if (!isAdmin) { + safe.data.userId = userId; + } const data = await prisma.booking.create({ data: { uid: uuidv4(), ...safe.data } }); const booking = schemaBookingReadPublic.parse(data); From 8c3774e10018bd92596f5e81ca038d9670e4675a Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:14:35 +0200 Subject: [PATCH 6/7] fix: remove comment --- pages/api/attendees/index.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/pages/api/attendees/index.ts b/pages/api/attendees/index.ts index 6b2c4fc415..e4f3e54f79 100644 --- a/pages/api/attendees/index.ts +++ b/pages/api/attendees/index.ts @@ -123,7 +123,6 @@ async function createOrlistAllAttendees( } else (error: Error) => res.status(400).json({ error }); } } else { - // @todo: check real availability times before booking const data = await prisma.attendee.create({ data: { email: safePost.data.email, From 26b9e9456824f514d2e451b33cbd434ab455d02f Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:16:46 +0200 Subject: [PATCH 7/7] fix: undo changes in users --- pages/api/users/[id].ts | 4 +++- pages/api/users/index.ts | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/pages/api/users/[id].ts b/pages/api/users/[id].ts index bf70a7a785..65b864c652 100644 --- a/pages/api/users/[id].ts +++ b/pages/api/users/[id].ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { UserResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaQueryIdParseInt, withValidQueryIdTransformParseInt, @@ -11,7 +12,7 @@ import { import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user"; export async function userById( - { method, query, body, userId, isAdmin }: NextApiRequest, + { method, query, body, userId }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -20,6 +21,7 @@ export async function userById( res.status(400).json({ message: "Your query was invalid" }); return; } + const isAdmin = await isAdminGuard(userId); // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user if (!isAdmin) { if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" }); diff --git a/pages/api/users/index.ts b/pages/api/users/index.ts index d94f198ad8..3839ae21b6 100644 --- a/pages/api/users/index.ts +++ b/pages/api/users/index.ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { UserResponse, UsersResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaUserReadPublic, schemaUserCreateBodyParams } from "@lib/validations/user"; /** @@ -23,9 +24,10 @@ import { schemaUserReadPublic, schemaUserCreateBodyParams } from "@lib/validatio * description: No users were found */ async function getAllorCreateUser( - { userId, method, body, isAdmin }: NextApiRequest, + { userId, method, body }: NextApiRequest, res: NextApiResponse ) { + const isAdmin = await isAdminGuard(userId); if (method === "GET") { if (!isAdmin) { // If user is not ADMIN, return only his data.