Impersonation fix (#4521)
* Impersonation fix * Update packages/features/ee/impersonation/lib/ImpersonationProvider.ts Co-authored-by: Omar López <zomars@me.com> * Fix zod schema * Early returns Co-authored-by: Omar López <zomars@me.com> Co-authored-by: Leo Giovanetti <hello@leog.me>pull/4564/head
parent
33e8198779
commit
546d0d50c4
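--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -115,7 +115,7 @@ const providers: Provider[] = [
 };
 },
 }),
-// ImpersonationProvider,
+ImpersonationProvider,
 ];
 
 if (IS_GOOGLE_LOGIN_ENABLED) {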
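Review bot: `ImpersonationProvider` is now registered unconditionally in the `providers` array, while the Google provider in the same hunk is gated behind `IS_GOOGLE_LOGIN_ENABLED`; if impersonation is meant to be switchable per deployment, gating its registration the same way would keep an unused credentials endpoint out of instances that do not need it. The provider's own session and role checks live in `ImpersonationProvider.ts`, which this page shows only partially, so enabling it here relies on those checks being complete. The `providers` array starts outside the hunk.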
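--- a/packages/features/ee/impersonation/lib/ImpersonationProvider.ts
+++ b/packages/features/ee/impersonation/lib/ImpersonationProvider.ts
@@ -1,10 +1,13 @@
 import { User } from "@prisma/client";
 import CredentialsProvider from "next-auth/providers/credentials";
 import { getSession } from "next-auth/react";
+import { z } from "zod";
 
 import prisma from "@calcom/prisma";
 
-import { asNumberOrThrow } from "@lib/asStringOrNull";
+const teamIdschema = z.object({
+teamId: z.number(),
+});
 
 const auditAndReturnNextUser = async (
 impersonatedUser: Pick<User, "id" | "username" | "email" | "name" | "role">,
@@ -50,7 +53,8 @@ const ImpersonationProvider = CredentialsProvider({
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore need to figure out how to correctly type this
 const session = await getSession({ req });
-const teamId = creds?.teamId ? asNumberOrThrow(creds.teamId) : undefined;
+// If teamId is present -> parse the teamId and throw error itn ot number. If not present teamId is set to undefined
+const teamId = creds?.teamId ? teamIdschema.parse(creds).teamId : undefined;
 
 if (session?.user.username === creds?.username) {
 throw new Error("You cannot impersonate yourself.");
@@ -102,6 +106,8 @@ const ImpersonationProvider = CredentialsProvider({
 return auditAndReturnNextUser(impersonatedUser, session?.user.id as number);
 }
 
+if (!teamId) throw new Error("You do not have permission to do this.");
+
 // Check session
 const sessionUserFromDb = await prisma.user.findUnique({
 where: {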
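Review bot: The new `teamIdschema` in the first hunk validates `teamId` with `z.number()`, but the value is read from the NextAuth credentials object `creds`, which in a credentials provider normally arrives as form strings; if that holds here, `teamIdschema.parse(creds)` throws a ZodError for every team impersonation request, whereas the replaced `asNumberOrThrow(creds.teamId)` coerced a numeric string. Unless the caller is known to send a number, coerce before validating, e.g. `teamId: z.preprocess((v) => Number(v), z.number().int().positive()),`, which also rejects 0 and negative ids up front instead of relying on the later `if (!teamId)` guard in the third hunk. The comment added above the parse has typos (`itn ot` → `if not a`) and could read `// If teamId is present, validate it and throw if it is not a number; otherwise leave it undefined`. The provider callback these hunks sit in starts and ends outside the visible hunks, so the team-membership check that must follow the `!teamId` guard before any impersonation is granted is not visible here.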