fix: invert 401 to throw early in attendees

pull/9078/head
Agusti Fernandez Pardo 2022-04-23 02:06:39 +02:00
parent 9cb2f9bc70
commit 307eddcbd5
2 changed files with 6 additions and 4 deletions


@ -100,7 +100,8 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
const attendees = userBookings.map((booking) => booking.attendees).flat();
const attendeeIds = attendees.map((attendee) => attendee.id);
// Here we make sure to only return attendee's of the user's own bookings.
if (attendeeIds.includes(safeQuery.data.id)) {
if (!attendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.attendee
@ -151,7 +152,7 @@ export async function attendeeById(req: NextApiRequest, res: NextApiResponse<Att
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(attendeeById));
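Review bot: The new ownership guard before `switch (method)` does not return early. It sends the 401 and then relies on the `else {` wrapper to keep the switch from running, so the nesting is unchanged and a later edit that drops the `else` would let GET/PATCH/DELETE run for an attendee the caller does not own. I would write it as `if (!attendeeIds.includes(safeQuery.data.id)) return res.status(401).json({ message: "Unauthorized" });` and remove the `else {` and its closing brace. The caller appears to be authenticated already at this point (their bookings were loaded), so 403 would describe the refusal better than 401, as long as unknown and foreign ids keep getting the same response. The same `if … res.status(401) … else {` shape is added in createOrlistAllAttendees in the second file; attendeeById starts outside this hunk.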


@ -76,7 +76,8 @@ async function createOrlistAllAttendees(
throw new Error("User not found");
}
const userBookingIds = userWithBookings.bookings.map((booking: any) => booking.id).flat();
if (userBookingIds.includes(bookingId)) {
if (!userBookingIds.includes(bookingId)) res.status(401).json({ message: "Unauthorized" });
else {
delete safe.data.bookingId;
const noBookingId = safe.data;
const data = await prisma.attendee.create({
@ -99,7 +100,7 @@ async function createOrlistAllAttendees(
error,
});
}
} else res.status(401).json({ message: "Unauthorized" });
}
} else res.status(405).json({ message: `Method ${method} not allowed` });
}
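Review bot: The ownership check `if (!userBookingIds.includes(bookingId))` has no comment, unlike the equivalent guard in attendeeById. A line such as `// Only create attendees on bookings that belong to the requesting user.` above it would make clear that this is the authorization boundary for the create path. The ids it compares come from `(booking: any) => booking.id`, so the compiler cannot confirm that `booking.id` and `bookingId` have the same type. `includes` compares strictly, so a string/number mismatch would reject every request; that fails closed but is hard to diagnose, and typing the callback parameter (or dropping the annotation so it is inferred) would catch it. The `.flat()` on an array of ids is also a no-op. The function starts outside this hunk, so where `bookingId` is parsed is not visible here.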