Impersonation fix (#4521)
* Impersonation fix * Update packages/features/ee/impersonation/lib/ImpersonationProvider.ts Co-authored-by: Omar López <zomars@me.com> * Fix zod schema * Early returns Co-authored-by: Omar López <zomars@me.com> Co-authored-by: Leo Giovanetti <hello@leog.me>pull/4564/head
parent
33e8198779
commit
546d0d50c4
|
@ -115,7 +115,7 @@ const providers: Provider[] = [
|
|||
};
|
||||
},
|
||||
}),
|
||||
// ImpersonationProvider,
|
||||
ImpersonationProvider,
|
||||
];
|
||||
|
||||
if (IS_GOOGLE_LOGIN_ENABLED) {
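Review bot: `ImpersonationProvider` is now registered unconditionally in `providers`, whereas the Google provider just below is only added under `IS_GOOGLE_LOGIN_ENABLED`. Because this provider issues a session for a different account, every deployment then depends entirely on the authorization checks inside the provider. A deployment-level switch would let operators who do not need impersonation turn it off, for example `if (IS_IMPERSONATION_ENABLED) providers.push(ImpersonationProvider);`, where `IS_IMPERSONATION_ENABLED` is a placeholder name and not a constant shown on this page. The `providers` array begins outside the hunk, so whether such a gate exists elsewhere cannot be seen from here.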
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
import { User } from "@prisma/client";
|
||||
import CredentialsProvider from "next-auth/providers/credentials";
|
||||
import { getSession } from "next-auth/react";
|
||||
import { z } from "zod";
|
||||
|
||||
import prisma from "@calcom/prisma";
|
||||
|
||||
import { asNumberOrThrow } from "@lib/asStringOrNull";
|
||||
const teamIdschema = z.object({
|
||||
teamId: z.number(),
|
||||
});
|
||||
|
||||
const auditAndReturnNextUser = async (
|
||||
impersonatedUser: Pick<User, "id" | "username" | "email" | "name" | "role">,
|
||||
|
@ -50,7 +53,8 @@ const ImpersonationProvider = CredentialsProvider({
|
|||
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
||||
// @ts-ignore need to figure out how to correctly type this
|
||||
const session = await getSession({ req });
|
||||
const teamId = creds?.teamId ? asNumberOrThrow(creds.teamId) : undefined;
|
||||
// If teamId is present -> parse the teamId and throw error itn ot number. If not present teamId is set to undefined
|
||||
const teamId = creds?.teamId ? teamIdschema.parse(creds).teamId : undefined;
|
||||
|
||||
if (session?.user.username === creds?.username) {
|
||||
throw new Error("You cannot impersonate yourself.");
|
||||
|
@ -102,6 +106,8 @@ const ImpersonationProvider = CredentialsProvider({
|
|||
return auditAndReturnNextUser(impersonatedUser, session?.user.id as number);
|
||||
}
|
||||
|
||||
if (!teamId) throw new Error("You do not have permission to do this.");
|
||||
|
||||
// Check session
|
||||
const sessionUserFromDb = await prisma.user.findUnique({
|
||||
where: {
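Review bot: `teamIdschema.parse(creds).teamId` checks `teamId` against `z.number()`, but values submitted to a credentials provider normally arrive as strings, so a team-scoped request would likely throw a ZodError instead of yielding a number. The removed `asNumberOrThrow` call did that conversion. The failure is closed (the request is denied), but team impersonation would stop working and the caller would see a raw validation error rather than the permission message. Converting inside the schema keeps the validation and restores the behaviour: `teamId: z.preprocess((v) => Number(v), z.number().int().positive()),`. The enclosing callback starts and ends outside these hunks, so it is worth confirming that every later use of `teamId` expects a number.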
|
||||
|
|