From 7eed1b2fa6da14c502aa63d07aaca4173a074af4 Mon Sep 17 00:00:00 2001
From: Chris <76668588+bytesbuffer@users.noreply.github.com>
Date: Sat, 18 Sep 2021 18:32:07 -0400
Subject: [PATCH] Prevent unauthorized event type access (#694)

Co-authored-by: Bailey Pumfleet
---
 pages/api/availability/eventtype.ts | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/pages/api/availability/eventtype.ts b/pages/api/availability/eventtype.ts
index 12bb015000..4ec9a4097e 100644
--- a/pages/api/availability/eventtype.ts
+++ b/pages/api/availability/eventtype.ts
@@ -10,6 +10,35 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     return;
   }
 
+  if (!session.user?.id) {
+    console.error("Session is missing a user id");
+    return res.status(500).json({ message: "Something went wrong" });
+  }
+
+  if (req.method !== "POST") {
+    const event = await prisma.eventType.findUnique({
+      where: { id: req.body.id },
+      include: {
+        users: true,
+      },
+    });
+
+    if (!event) {
+      return res.status(404).json({ message: "No event exists matching that id." });
+    }
+
+    const isAuthorized =
+      event.userId === session.user.id ||
+      event.users.find((user) => {
+        return user.id === session.user?.id;
+      });
+
+    if (!isAuthorized) {
+      console.warn(`User ${session.user.id} attempted to an access an event ${event.id} they do not own.`);
+      return res.status(404).json({ message: "No event exists matching that id." });
+    }
+  }
+
   if (req.method == "PATCH" || req.method == "POST") {
     const data = {
       title: req.body.title,
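Review bot: The ownership lookup passes `req.body.id` straight into `prisma.eventType.findUnique` without checking that it is present or of the expected type, so a non-POST request with no body or a malformed id reaches Prisma unvalidated and, as far as I can tell from the hunk, surfaces as an unhandled rejection rather than a clean 4xx; a guard such as `if (req.body?.id == null) return res.status(400).json({ message: "Missing event id." });` before the query would make the rejection explicit (the exact id type is not visible here, so tighten the check to match the schema). Two smaller points on the same block: `isAuthorized` is built from `event.users.find(...)`, which yields an object or `undefined` where a boolean is meant — `event.users.some((user) => user.id === session.user?.id)` reads as the intended predicate — and the warning message has a slip, `attempted to an access an event`, which should read `attempted to access an event`. Returning 404 on an ownership mismatch is a sound choice since it avoids confirming that the id exists. The enclosing `handler` starts and ends outside the hunk, so the PATCH/DELETE paths that consume the same id are not reviewed here.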