Permission fixes

pages/api/bookings/_get.ts

@@ -1,11 +1,10 @@
 import { Prisma } from "@prisma/client";
-import type { NextApiRequest, NextApiResponse } from "next";
+import type { NextApiRequest } from "next";
 
-import { HttpError } from "@calcom/lib/http-error";
 import { defaultResponder } from "@calcom/lib/server";
 
-import { BookingResponse, BookingsResponse } from "@lib/types";
 import { schemaBookingReadPublic } from "@lib/validations/booking";
+import { schemaQuerySingleOrMultipleUserIds } from "@lib/validations/shared/queryUserId";
 
 /**
  * @swagger
@@ -23,15 +22,17 @@ import { schemaBookingReadPublic } from "@lib/validations/booking";
  *       404:
  *         description: No bookings were found
  */
-async function handler(
+async function handler(req: NextApiRequest) {
-  { userId, isAdmin, prisma }: NextApiRequest,
+  const { userId, isAdmin, prisma } = req;
-  res: NextApiResponse<BookingsResponse | BookingResponse>
-) {
   const args: Prisma.BookingFindManyArgs = isAdmin ? {} : { where: { userId } };
+  /** Only admins can query other users */
+  if (isAdmin && req.query.userId) {
+    const query = schemaQuerySingleOrMultipleUserIds.parse(req.query);
+    const userIds = Array.isArray(query.userId) ? query.userId : [query.userId || userId];
+    args.where = { userId: { in: userIds } };
+  }
   const data = await prisma.booking.findMany(args);
-  const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking));
+  return { bookings: data.map((booking) => schemaBookingReadPublic.parse(booking)) };
-  if (!bookings) throw new HttpError({ statusCode: 401, message: "No Bookings were found" });
-  res.status(200).json({ bookings });
 }
 
 export default defaultResponder(handler);

pages/api/bookings/_post.ts

@@ -93,7 +93,7 @@ async function handler(
     );
     bookings = allBookings.map((book) => schemaBookingReadPublic.parse(book));
   } else {
-    // Event type not recurring, ceating as single one
+    // Event type not recurring, creating as single one
     const data = await prisma.booking.create({
       data: {
         uid: uuidv4(),

pages/api/teams/[teamId]/_delete.ts

@@ -29,15 +29,22 @@ import { schemaQueryTeamId } from "@lib/validations/shared/queryTeamId";
  *        description: Authorization information is missing or invalid.
  */
 export async function deleteHandler(req: NextApiRequest) {
-  const { prisma, query, userId } = req;
+  const { prisma, query } = req;
   const { teamId } = schemaQueryTeamId.parse(query);
+  await checkPermissions(req);
+  await prisma.team.delete({ where: { id: teamId } });
+  return { message: `Team with id: ${teamId} deleted successfully` };
+}
+
+async function checkPermissions(req: NextApiRequest) {
+  const { userId, prisma, isAdmin } = req;
+  const { teamId } = schemaQueryTeamId.parse(req.query);
+  if (isAdmin) return;
   /** Only OWNERS can delete teams */
   const _team = await prisma.team.findFirst({
     where: { id: teamId, members: { some: { userId, role: "OWNER" } } },
   });
   if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER required" });
-  await prisma.team.delete({ where: { id: teamId } });
-  return { message: `Team with id: ${teamId} deleted successfully` };
 }
 
 export default defaultResponder(deleteHandler);