From 2a7a111855411ae156a3d69b231066cc9464cfd7 Mon Sep 17 00:00:00 2001
From: Joe Au-Yeung
Date: Thu, 6 Oct 2022 14:38:17 -0400
Subject: [PATCH] Safe parse for userId
---
lib/validations/schedule.ts | 9 ++++++---
pages/api/schedules/[id].ts | 14 +++++++++-----
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/lib/validations/schedule.ts b/lib/validations/schedule.ts
index 4e8e983094..32edcdae63 100644
--- a/lib/validations/schedule.ts
+++ b/lib/validations/schedule.ts
@@ -1,11 +1,12 @@
 import { z } from "zod";
-import { _ScheduleModel as Schedule } from "@calcom/prisma/zod";
+import { _ScheduleModel as Schedule, _AvailabilityModel as Availability } from "@calcom/prisma/zod";
 const schemaScheduleBaseBodyParams = Schedule.omit({ id: true }).partial();
 const schemaScheduleRequiredParams = z.object({
- name: z.string(),
+ name: z.string().optional(),
+ userId: z.union([z.number(), z.array(z.number())]).optional(),
 });
 export const schemaScheduleBodyParams = schemaScheduleBaseBodyParams.merge(schemaScheduleRequiredParams);
@@ -15,6 +16,8 @@ export const schemaSchedulePublic = z
 .merge(Schedule)
 .merge(
 z.object({
- availability: z.array(z.object({ id: z.number() })).optional(),
+ availability: z
+ .array(Availability.pick({ id: true, eventTypeId: true, days: true, startTime: true, endTime: true }))
+ .optional(),
 })
 );
diff --git a/pages/api/schedules/[id].ts b/pages/api/schedules/[id].ts
index 5fab15f833..f92392fa3f 100644
--- a/pages/api/schedules/[id].ts
+++ b/pages/api/schedules/[id].ts
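Review bot: `userId: z.union([z.number(), z.array(z.number())]).optional()` accepts an array, but the only consumer visible in this patch (`findMany({ where: { userId: safeBody.data.userId || userId } })` in pages/api/schedules/[id].ts) uses it as a scalar filter, so an array in the body passes validation and then fails inside Prisma at request time instead of as a 400. Unless another handler genuinely takes a list, `userId: z.number().optional(),` keeps validation and use aligned. With `name` now optional, `schemaScheduleRequiredParams` no longer holds a required field; a rename or a one-line comment saying the object exists to override `userId` from the partial `Schedule` model (which presumably carries that column) would help the next reader. Note also that because the base is `Schedule.omit({ id: true }).partial()`, an empty object satisfies `schemaScheduleBodyParams`, so any "no fields to update" rejection has to live in the handler.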
@@ -12,17 +12,18 @@ export async function scheduleById(
 { method, query, body, userId, isAdmin, prisma }: NextApiRequest,
 res: NextApiResponse
 ) {
- if (body.userId && !isAdmin) {
+ const safeQuery = schemaQueryIdParseInt.safeParse(query);
+ const safeBody = schemaScheduleBodyParams.safeParse(body);
+
+ if (safeBody.data.userId && !isAdmin) {
 res.status(401).json({ message: "Unauthorized" });
 return;
 }
- const safeQuery = schemaQueryIdParseInt.safeParse(query);
- const safeBody = schemaScheduleBodyParams.safeParse(body);
 if (!safeQuery.success) {
 res.status(400).json({ message: "Your query was invalid" });
 return;
 }
- const userSchedules = await prisma.schedule.findMany({ where: { userId: body.userId || userId } });
+ const userSchedules = await prisma.schedule.findMany({ where: { userId: safeBody.data.userId || userId } });
 const userScheduleIds = userSchedules.map((schedule) => schedule.id);
 if (!userScheduleIds.includes(safeQuery.data.id)) {
 res.status(401).json({ message: "Unauthorized" });
@@ -56,7 +57,7 @@ export async function scheduleById(
 await prisma.schedule
 .findUnique({
 where: { id: safeQuery.data.id },
- include: { availability: { select: { id: true } } },
+ include: { availability: true },
 })
 .then((data) => schemaSchedulePublic.parse(data))
 .then((schedule) => res.status(200).json({ schedule }))
@@ -98,6 +99,9 @@ export async function scheduleById(
 return;
 }
 }
+
+ delete safeBody.data.userId;
+
 await prisma.schedule
 .update({ where: { id: safeQuery.data.id }, data: safeBody.data })
 .then((data) => schemaSchedulePublic.parse(data))
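Review bot: `safeBody.data` is dereferenced in `if (safeBody.data.userId && !isAdmin)` and again in the `findMany` call before `safeBody.success` is ever checked; when the body fails validation `data` is undefined and the authorization check throws a TypeError (surfacing as a 500) instead of the 400 the query path returns. Add the guard directly after the parse and before the `isAdmin` check: `if (!safeBody.success) { res.status(400).json({ message: "Your body was invalid" }); return; }`. Under `strict` the unnarrowed `.data` access may not even type-check, depending on the zod version's `SafeParseReturnType`, and the same unguarded access recurs in the third hunk (`delete safeBody.data.userId`). `safeBody.data.userId || userId` also silently falls back to the caller for `userId: 0`; `??` is the precise operator if that value can ever be a real id. scheduleById continues outside the hunk.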
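Review bot: `include: { availability: true }` now loads every column of each availability row, and the response is narrowed only because `schemaSchedulePublic` is a `z.object` in its default strip mode (the `Availability.pick(...)` in lib/validations/schedule.ts). That is an implicit contract: switching the public schema to `.passthrough()` or `.strict()` would start returning, or rejecting, the full rows. A `select` naming the same five fields, `include: { availability: { select: { id: true, eventTypeId: true, days: true, startTime: true, endTime: true } } },`, keeps the query and the response shape together; failing that, a comment such as `// schemaSchedulePublic strips availability down to its public fields` at the include documents the dependency. The surrounding branch and the function continue outside the hunk.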
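Review bot: `delete safeBody.data.userId` mutates the parsed body in place and says nothing about why; the reason, presumably keeping a PATCH from re-assigning the schedule's owner since `userId` would otherwise flow into `data`, deserves a comment, and a non-mutating form reads better: `const { userId: _ignored, ...updateData } = safeBody.data;` followed by `.update({ where: { id: safeQuery.data.id }, data: updateData })`. As with the first hunk, this line assumes `safeBody.success` was checked earlier; that check is not visible here, and if it is absent the delete throws on an invalid body. The enclosing function starts and ends outside the hunk.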