diff --git a/pages/api/schedules/[id].ts b/pages/api/schedules/[id].ts
index 834a7138e2..5fab15f833 100644
--- a/pages/api/schedules/[id].ts
+++ b/pages/api/schedules/[id].ts
@@ -12,7 +12,10 @@ export async function scheduleById(
 { method, query, body, userId, isAdmin, prisma }: NextApiRequest,
 res: NextApiResponse
 ) {
- if (body.userId && !isAdmin) res.status(401).json({ message: "Unauthorized" });
+ if (body.userId && !isAdmin) {
+ res.status(401).json({ message: "Unauthorized" });
+ return;
+ }
 const safeQuery = schemaQueryIdParseInt.safeParse(query);
 const safeBody = schemaScheduleBodyParams.safeParse(body);
 if (!safeQuery.success) {
@@ -21,8 +24,10 @@ export async function scheduleById(
 }
 const userSchedules = await prisma.schedule.findMany({ where: { userId: body.userId || userId } });
 const userScheduleIds = userSchedules.map((schedule) => schedule.id);
- if (!userScheduleIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
- else {
+ if (!userScheduleIds.includes(safeQuery.data.id)) {
+ res.status(401).json({ message: "Unauthorized" });
+ return;
+ } else {
 switch (method) {
 /**
 * @swagger
diff --git a/pages/api/schedules/index.ts b/pages/api/schedules/index.ts
index 8a23a6c121..0a35657d09 100644
--- a/pages/api/schedules/index.ts
+++ b/pages/api/schedules/index.ts
@@ -12,6 +12,7 @@ async function createOrlistAllSchedules(
 ) {
 if (body.userId && !isAdmin) {
 res.status(401).json({ message: "Unauthorized" });
+ return;
 } else {
 if (method === "GET") {
 /**
@@ -59,7 +60,10 @@ async function createOrlistAllSchedules(
 * description: Authorization information is missing or invalid.
 */
 const safe = schemaScheduleBodyParams.safeParse(body);
- if (body.userId && !isAdmin) res.status(401).json({ message: "Unauthorized" });
+ if (body.userId && !isAdmin) {
+ res.status(401).json({ message: "Unauthorized" });
+ return;
+ }
 if (!safe.success) {
 res.status(400).json({ message: "Invalid request body" });
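Review bot: The `body.userId && !isAdmin` guard at the top of `scheduleById` (first hunk of `[id].ts`) is written out by hand here and again in both hunks of `pages/api/schedules/index.ts`, and every copy needed its own `return` to stop falling through after the 401. Moving the check into one shared helper or middleware that sends the response and tells the handler to stop would leave a single place to get this right. If it stays inline, a short comment such as `// Only admins may act on another user's behalf via body.userId; return so nothing below runs.` would record why the early exit matters. The function body continues outside the hunk.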
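Review bot: In the second hunk of `[id].ts`, the ownership lookup still passes the raw `body.userId` into the Prisma filter (`where: { userId: body.userId || userId }`), and the visible lines never check `safeBody.success` before this point. Only admins get here with a truthy `body.userId`, but the value is still unvalidated JSON of any shape. Consider taking the id from the parsed body once `safeBody.success` has been checked (assuming the schema carries `userId`) and testing ownership directly with `prisma.schedule.findFirst({ where: { id: safeQuery.data.id, userId: ownerId } })`, where `ownerId` is that validated id, instead of loading every schedule id for the user. The `else` after the new `return` is also no longer needed.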
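Review bot: In the first hunk of `index.ts`, the added `return` makes the `else` wrapper redundant, so the body of `createOrlistAllSchedules` could be un-nested by one level. The second copy of the same guard in the later hunk (`@@ -59,7 +60,10 @@`) looks unreachable if it sits inside this `else` branch, since the condition must already be false to get there. That cannot be confirmed from the visible lines, because most of the function lies outside both hunks. If it is unreachable, dropping the inner check would leave one authorization decision per request instead of two that have to be kept in sync.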