diff --git a/pages/api/bookings/_get.ts b/pages/api/bookings/_get.ts
index 527af2718f..0a1b2e66c8 100644
--- a/pages/api/bookings/_get.ts
+++ b/pages/api/bookings/_get.ts
@@ -1,11 +1,10 @@
 import { Prisma } from "@prisma/client";
-import type { NextApiRequest, NextApiResponse } from "next";
+import type { NextApiRequest } from "next";
-import { HttpError } from "@calcom/lib/http-error";
 import { defaultResponder } from "@calcom/lib/server";
-import { BookingResponse, BookingsResponse } from "@lib/types";
 import { schemaBookingReadPublic } from "@lib/validations/booking";
+import { schemaQuerySingleOrMultipleUserIds } from "@lib/validations/shared/queryUserId";
 /**
  * @swagger
@@ -23,15 +22,17 @@ import { schemaBookingReadPublic } from "@lib/validations/booking";
  * 404:
  * description: No bookings were found
  */
-async function handler(
- { userId, isAdmin, prisma }: NextApiRequest,
- res: NextApiResponse
-) {
+async function handler(req: NextApiRequest) {
+ const { userId, isAdmin, prisma } = req;
 const args: Prisma.BookingFindManyArgs = isAdmin ? {} : { where: { userId } };
+ /** Only admins can query other users */
+ if (isAdmin && req.query.userId) {
+ const query = schemaQuerySingleOrMultipleUserIds.parse(req.query);
+ const userIds = Array.isArray(query.userId) ? query.userId : [query.userId || userId];
+ args.where = { userId: { in: userIds } };
+ }
 const data = await prisma.booking.findMany(args);
- const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
- if (!bookings) throw new HttpError({ statusCode: 401, message: "No Bookings were found" });
- res.status(200).json({ bookings });
+ return { bookings: data.map((booking) => schemaBookingReadPublic.parse(booking)) };
 }
 export default defaultResponder(handler);
diff --git a/pages/api/bookings/_post.ts b/pages/api/bookings/_post.ts
index da7d473d39..8968d65ae7 100644
--- a/pages/api/bookings/_post.ts
+++ b/pages/api/bookings/_post.ts
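Review bot: The swagger block kept as context (`* 404:` / `* description: No bookings were found`) no longer matches the new handler, which returns `{ bookings: [] }` with 200 when nothing matches; the removed `if (!bookings)` guard could never fire on an array either, so either document the response as `200` with a possibly empty `bookings` list, or precede the new `return` with `if (!data.length) throw new HttpError({ statusCode: 404, message: "No bookings were found" });` (which needs the `HttpError` import this commit removes). In the admin branch, `[query.userId || userId]` falls back to the caller's own id whenever the parsed value is falsy; `[query.userId ?? userId]` is the intended idiom so a parsed `0` is not silently replaced by the admin's id. A non-admin who supplies `userId` is silently scoped to their own bookings rather than told the filter was ignored; a 403 there would make the "Only admins can query other users" rule visible to API callers. `handler` lies entirely within the hunk.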
@@ -93,7 +93,7 @@ async function handler(
 );
 bookings = allBookings.map((book) => schemaBookingReadPublic.parse(book));
 } else {
- // Event type not recurring, ceating as single one
+ // Event type not recurring, creating as single one
 const data = await prisma.booking.create({
 data: {
 uid: uuidv4(),
diff --git a/pages/api/teams/[teamId]/_delete.ts b/pages/api/teams/[teamId]/_delete.ts
index c372e5dd79..9b8e723a9c 100644
--- a/pages/api/teams/[teamId]/_delete.ts
+++ b/pages/api/teams/[teamId]/_delete.ts
@@ -29,15 +29,22 @@ import { schemaQueryTeamId } from "@lib/validations/shared/queryTeamId";
  * description: Authorization information is missing or invalid.
  */
 export async function deleteHandler(req: NextApiRequest) {
- const { prisma, query, userId } = req;
+ const { prisma, query } = req;
 const { teamId } = schemaQueryTeamId.parse(query);
+ await checkPermissions(req);
+ await prisma.team.delete({ where: { id: teamId } });
+ return { message: `Team with id: ${teamId} deleted successfully` };
+}
+
+async function checkPermissions(req: NextApiRequest) {
+ const { userId, prisma, isAdmin } = req;
+ const { teamId } = schemaQueryTeamId.parse(req.query);
+ if (isAdmin) return;
 /** Only OWNERS can delete teams */
 const _team = await prisma.team.findFirst({
 where: { id: teamId, members: { some: { userId, role: "OWNER" } } },
 });
 if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER required" });
- await prisma.team.delete({ where: { id: teamId } });
- return { message: `Team with id: ${teamId} deleted successfully` };
 }
 export default defaultResponder(deleteHandler);
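Review bot: `checkPermissions` re-runs `schemaQueryTeamId.parse(req.query)` although `deleteHandler` has just parsed the same query two lines earlier; passing the validated id down avoids the double parse and keeps one source of truth for `teamId`, e.g. `await checkPermissions(req, teamId);` with `async function checkPermissions(req: NextApiRequest, teamId: number)` (use whatever type the schema actually yields). With `if (isAdmin) return;` the admin path now skips the OWNER lookup entirely, which is the intended change, but the rejection that follows in the same new function still uses `statusCode: 401` for an authenticated caller who is simply not an owner — 403 is the code for that case, and the swagger description kept as context ("Authorization information is missing or invalid") reads as the unauthenticated one. Both `deleteHandler` and `checkPermissions` lie entirely within the hunk.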