Permission fixes

pull/9078/head
zomars 2022-10-11 14:09:22 -06:00
parent 7aeb247b1a
commit 4ba0395efa
3 changed files with 22 additions and 14 deletions


@ -1,11 +1,10 @@
import { Prisma } from "@prisma/client";
import type { NextApiRequest, NextApiResponse } from "next";
import type { NextApiRequest } from "next";
import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";
import { BookingResponse, BookingsResponse } from "@lib/types";
import { schemaBookingReadPublic } from "@lib/validations/booking";
import { schemaQuerySingleOrMultipleUserIds } from "@lib/validations/shared/queryUserId";
/**
* @swagger
@ -23,15 +22,17 @@ import { schemaBookingReadPublic } from "@lib/validations/booking";
* 404:
* description: No bookings were found
*/
async function handler(
{ userId, isAdmin, prisma }: NextApiRequest,
res: NextApiResponse<BookingsResponse | BookingResponse>
) {
async function handler(req: NextApiRequest) {
const { userId, isAdmin, prisma } = req;
const args: Prisma.BookingFindManyArgs = isAdmin ? {} : { where: { userId } };
/** Only admins can query other users */
if (isAdmin && req.query.userId) {
const query = schemaQuerySingleOrMultipleUserIds.parse(req.query);
const userIds = Array.isArray(query.userId) ? query.userId : [query.userId || userId];
args.where = { userId: { in: userIds } };
}
const data = await prisma.booking.findMany(args);
const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
if (!bookings) throw new HttpError({ statusCode: 401, message: "No Bookings were found" });
res.status(200).json({ bookings });
return { bookings: data.map((booking) => schemaBookingReadPublic.parse(booking)) };
}
export default defaultResponder(handler);
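Review bot: A non-admin request that carries `userId` in the query is silently narrowed to the caller's own bookings by the guard `if (isAdmin && req.query.userId)`, so the client receives a 200 with a different result set than it asked for and no signal that the filter was dropped. Failing closed is right, but making the boundary explicit, `if (!isAdmin && req.query.userId) throw new HttpError({ statusCode: 403, message: "Only admins can filter by userId" });`, tells the integrator and the logs why the filter was refused (this keeps the `HttpError` import shown in the hunk in use, if it survives this change). Inside that branch the `|| userId` fallback in `[query.userId || userId]` appears unreachable because `req.query.userId` has already been checked truthy, so `[query.userId]` reads more clearly. It is also worth a comment on the `args` line that an admin with no `userId` filter gets every booking in the database, e.g. `/** Admins without a userId filter receive all bookings */`.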


@ -93,7 +93,7 @@ async function handler(
);
bookings = allBookings.map((book) => schemaBookingReadPublic.parse(book));
} else {
// Event type not recurring, ceating as single one
// Event type not recurring, creating as single one
const data = await prisma.booking.create({
data: {
uid: uuidv4(),


@ -29,15 +29,22 @@ import { schemaQueryTeamId } from "@lib/validations/shared/queryTeamId";
* description: Authorization information is missing or invalid.
*/
export async function deleteHandler(req: NextApiRequest) {
const { prisma, query, userId } = req;
const { prisma, query } = req;
const { teamId } = schemaQueryTeamId.parse(query);
await checkPermissions(req);
await prisma.team.delete({ where: { id: teamId } });
return { message: `Team with id: ${teamId} deleted successfully` };
}
async function checkPermissions(req: NextApiRequest) {
const { userId, prisma, isAdmin } = req;
const { teamId } = schemaQueryTeamId.parse(req.query);
if (isAdmin) return;
/** Only OWNERS can delete teams */
const _team = await prisma.team.findFirst({
where: { id: teamId, members: { some: { userId, role: "OWNER" } } },
});
if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER required" });
await prisma.team.delete({ where: { id: teamId } });
return { message: `Team with id: ${teamId} deleted successfully` };
}
export default defaultResponder(deleteHandler);
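Review bot: `checkPermissions` answers an authenticated caller who is not an OWNER with status 401, but the credentials were accepted and the failure is insufficient privilege, which is what 403 expresses; the swagger block above already reserves 401 for "Authorization information is missing or invalid". Change the throw to `if (!_team) throw new HttpError({ statusCode: 403, message: "Unauthorized: OWNER required" });` and add a matching 403 entry to the swagger doc so the two stay consistent. The helper also re-parses `req.query` with `schemaQueryTeamId` although `deleteHandler` has just parsed it; passing the value in, `await checkPermissions(req, teamId);`, keeps a single validation point and avoids the duplicated parse. The swagger comment that precedes `deleteHandler` starts outside this hunk.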