fix: owners can't be edited by admins (#2942)

* fix: owners can't be edited by admins * fix: removec omment Co-authored-by: Agusti Fernandez Pardo <git@agusti.me> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
2022-06-02 17:39:23 +02:00 · 2022-06-02 17:39:23 +02:00 · 60d6c7be51
parent 0f273c5efc
commit 60d6c7be51
1 changed files with 9 additions and 3 deletions
--- a/apps/web/server/routers/viewer/teams.tsx
+++ b/apps/web/server/routers/viewer/teams.tsx
@ -175,13 +175,17 @@ export const viewerTeamsRouter = createProtectedRouter()
    }),
    async resolve({ ctx, input }) {
      if (!(await isTeamAdmin(ctx.user?.id, input.teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
-
+      // Only a team owner can remove another team owner.
+      if (
+        (await isTeamOwner(input.memberId, input.teamId)) &&
+        !(await isTeamOwner(ctx.user?.id, input.teamId))
+      )
+        throw new TRPCError({ code: "UNAUTHORIZED" });
      if (ctx.user?.id === input.memberId)
        throw new TRPCError({
          code: "FORBIDDEN",
          message: "You can not remove yourself from a team you own.",
        });
-
      await ctx.prisma.membership.delete({
        where: {
          userId_teamId: { userId: input.memberId, teamId: input.teamId },
@ -351,7 +355,9 @@ export const viewerTeamsRouter = createProtectedRouter()
    }),
    async resolve({ ctx, input }) {
      if (!(await isTeamAdmin(ctx.user?.id, input.teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
-
+      // Only owners can award owner role.
+      if (input.role === MembershipRole.OWNER && !(await isTeamOwner(ctx.user?.id, input.teamId)))
+        throw new TRPCError({ code: "UNAUTHORIZED" });
      const memberships = await ctx.prisma.membership.findMany({
        where: {
          teamId: input.teamId,