Impersonation fix (#4521)

* Impersonation fix

* Update packages/features/ee/impersonation/lib/ImpersonationProvider.ts

Co-authored-by: Omar López <zomars@me.com>

* Fix zod schema

* Early returns

Co-authored-by: Omar López <zomars@me.com>
Co-authored-by: Leo Giovanetti <hello@leog.me>
sean-brydon 2022-09-17 22:09:06 +01:00 committed by GitHub
parent 33e8198779
commit 546d0d50c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions


@ -115,7 +115,7 @@ const providers: Provider[] = [
}; };
}, },
}), }),
// ImpersonationProvider, ImpersonationProvider,
]; ];
if (IS_GOOGLE_LOGIN_ENABLED) { if (IS_GOOGLE_LOGIN_ENABLED) {
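Review bot: `ImpersonationProvider` is now registered unconditionally in `providers`, while the Google provider directly below is gated by `IS_GOOGLE_LOGIN_ENABLED`. Every deployment therefore exposes the impersonation sign-in path, and access control appears to rest entirely on the checks inside the provider's `authorize`. I would add a comment at the entry, for example `// Access control is enforced inside ImpersonationProvider's authorize(); it must stay fail-closed`, or gate the entry behind a flag if some installs should not offer impersonation. The `providers` array starts outside this hunk, so I could not check whether an earlier condition already limits it.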


@ -1,10 +1,13 @@
import { User } from "@prisma/client"; import { User } from "@prisma/client";
import CredentialsProvider from "next-auth/providers/credentials"; import CredentialsProvider from "next-auth/providers/credentials";
import { getSession } from "next-auth/react"; import { getSession } from "next-auth/react";
import { z } from "zod";
import prisma from "@calcom/prisma"; import prisma from "@calcom/prisma";
import { asNumberOrThrow } from "@lib/asStringOrNull"; const teamIdschema = z.object({
teamId: z.number(),
});
const auditAndReturnNextUser = async ( const auditAndReturnNextUser = async (
impersonatedUser: Pick<User, "id" | "username" | "email" | "name" | "role">, impersonatedUser: Pick<User, "id" | "username" | "email" | "name" | "role">,
@ -50,7 +53,8 @@ const ImpersonationProvider = CredentialsProvider({
// eslint-disable-next-line @typescript-eslint/ban-ts-comment // eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore need to figure out how to correctly type this // @ts-ignore need to figure out how to correctly type this
const session = await getSession({ req }); const session = await getSession({ req });
const teamId = creds?.teamId ? asNumberOrThrow(creds.teamId) : undefined; // If teamId is present -> parse the teamId and throw error itn ot number. If not present teamId is set to undefined
const teamId = creds?.teamId ? teamIdschema.parse(creds).teamId : undefined;
if (session?.user.username === creds?.username) { if (session?.user.username === creds?.username) {
throw new Error("You cannot impersonate yourself."); throw new Error("You cannot impersonate yourself.");
@ -102,6 +106,8 @@ const ImpersonationProvider = CredentialsProvider({
return auditAndReturnNextUser(impersonatedUser, session?.user.id as number); return auditAndReturnNextUser(impersonatedUser, session?.user.id as number);
} }
if (!teamId) throw new Error("You do not have permission to do this.");
// Check session // Check session
const sessionUserFromDb = await prisma.user.findUnique({ const sessionUserFromDb = await prisma.user.findUnique({
where: { where: {
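Review bot: `teamIdschema` validates with `z.number()`, but the fields in `creds` most likely arrive as strings (credentials sign-in data is normally posted as form fields), so `teamIdschema.parse(creds)` would throw for every team-scoped request, not only for malformed ids. That fails closed, but it probably breaks team impersonation and surfaces a ZodError in place of the permission message. Consider coercing before validating, e.g. `teamId: z.preprocess((v) => Number(v), z.number().int().positive())`, which also rejects `0`, negative and fractional ids before the value is used further down. The new comment above the parse has a typo (`itn ot` should read `if not`). The rest of `authorize` lies outside these hunks, so I could not confirm that the admin branch always returns before the added `if (!teamId)` guard.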