diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts
index dd9ac1a4d9..bd8c823489 100644
--- a/pages/api/event-types/[id].ts
+++ b/pages/api/event-types/[id].ts
@@ -12,19 +12,24 @@ export async function eventTypeById(
 { method, query, body, userId, isAdmin, prisma }: NextApiRequest,
 res: NextApiResponse
 ) {
+ if (body.userId && !isAdmin) {
+ res.status(401).json({ message: "Unauthorized" });
+ return;
+ }
 const safeQuery = schemaQueryIdParseInt.safeParse(query);
 if (!safeQuery.success) {
 res.status(400).json({ message: "Your query was invalid" });
 return;
 }
 const data = await prisma.user.findUnique({
- where: { id: userId },
+ where: { id: body.userId || userId },
 rejectOnNotFound: true,
 select: { eventTypes: true },
 });
 const userEventTypes = data.eventTypes.map((eventType) => eventType.id);
- if (!isAdmin) {
- if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
+ if (!userEventTypes.includes(safeQuery.data.id)) {
+ res.status(401).json({ message: "Unauthorized" });
+ return;
 } else {
 switch (method) {
 /**
@@ -96,6 +101,7 @@ export async function eventTypeById(
 */
 case "PATCH":
 const safeBody = schemaEventTypeEditBodyParams.safeParse(body);
+
 if (!safeBody.success) {
 {
 res.status(400).json({ message: "Invalid request body" });
diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts
index fc05909e2c..d5a203e67d 100644
--- a/pages/api/event-types/index.ts
+++ b/pages/api/event-types/index.ts
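Review bot: `body.userId` is fed into `prisma.user.findUnique` on the `where: { id: body.userId || userId }` line before anything validates it — the only body validation in view, `schemaEventTypeEditBodyParams.safeParse(body)`, runs later and only in the PATCH case — so an admin who sends a non-integer or array value triggers a Prisma validation error (an unhandled 500), and with `rejectOnNotFound: true` an id that matches no user throws instead of yielding a 404. Parse the value up front, the way `schemaQueryIdParseInt` already guards the query id, and prefer `??` so a literal `0` is not silently replaced by the caller's own id: `const targetUserId = body.userId ?? userId;`. The new gate `if (body.userId && !isAdmin)` and the later `includes` check both answer an authenticated-but-not-permitted request with 401, where 403 is the conventional status for that case. eventTypeById continues past the hunk, so the PATCH and DELETE branches are not visible here.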
@@ -44,7 +44,14 @@ async function createOrlistAllEventTypes(
 error,
 });
 } else {
- const data = await prisma.eventType.findMany({});
+ const data = await prisma.eventType.findMany({
+ where: {
+ ...(Array.isArray(body.userId)
+ ? { userId: { in: body.userId } }
+ : { userId: body.userId || userId }),
+ },
+ ...(Array.isArray(body.userId) && { orderBy: { userId: "asc" } }),
+ });
 const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType));
 if (event_types) res.status(200).json({ event_types });
 }
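Review bot: Nothing in this hunk checks `isAdmin` before honouring `body.userId`, so unless createOrlistAllEventTypes (whose start lies above the hunk) already rejects non-admin callers who supply one, any authenticated user can list another user's event types — or several at once through the array form `userId: { in: body.userId }` — simply by naming ids in the request body; the sibling `[id].ts` change adds exactly such a gate and this handler should match it. The ids also reach Prisma without validation, and `body.userId || userId` treats a literal `0` as absent. A gated version of the query is below; it assumes `isAdmin` is available from the request as it is in eventTypeById, and the integer validation of the ids is left as a marked TODO because no body schema for this handler is visible here.
```typescript
} else {
  // Only admins may scope the listing to other users; everyone else sees their own.
  const requested = body.userId;
  if (requested != null && !isAdmin) {
    res.status(403).json({ message: "Forbidden" });
    return;
  }
  // TODO(review): validate requested id(s) as integers before they reach Prisma.
  const targetUserIds = Array.isArray(requested) ? requested : [requested ?? userId];
  const data = await prisma.eventType.findMany({
    where: { userId: { in: targetUserIds } },
    ...(Array.isArray(requested) && { orderBy: { userId: "asc" } }),
  });
  // … unchanged: schemaEventTypeReadPublic.parse and the 200 response …
```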