feat: make booking-references only return user booking related resources

pages/api/booking-references/[id].ts

@@ -1,9 +1,11 @@
+import { BookingModel } from "@/../../packages/prisma/zod";
 import type { NextApiRequest, NextApiResponse } from "next";
 
 import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import type { BookingReferenceResponse } from "@lib/types";
+import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
 import {
   schemaBookingReferenceBodyParams,
   schemaBookingReferencePublic,
@@ -91,47 +93,70 @@ export async function bookingReferenceById(
   const safeBody = schemaBookingReferenceBodyParams.safeParse(body);
   if (!safeQuery.success) throw new Error("Invalid request query", safeQuery.error);
   // FIXME: Allow only userId owner of booking ref to edit it
+  const userId = await getCalcomUserId(res);
+  const userWithBookings = await prisma.user.findUnique({
+    where: { id: userId },
+    include: { bookings: true },
+  });
+  if (!userWithBookings) throw new Error("User not found");
+  const userBookingIds = userWithBookings.bookings.map((booking: any) => booking.id).flat();
+  console.log(userBookingIds);
+  const bookingReference = await prisma.bookingReference.findUnique({ where: { id: safeQuery.data.id } });
+  if (!bookingReference) throw new Error("BookingReference not found");
+  if (userBookingIds.includes(bookingReference.bookingId)) {
+    switch (method) {
+      case "GET":
+        await prisma.bookingReference
+          .findUnique({ where: { id: safeQuery.data.id } })
+          .then((data) => schemaBookingReferencePublic.parse(data))
+          .then((booking_reference) => res.status(200).json({ booking_reference }))
+          .catch((error: Error) =>
+            res.status(404).json({
+              message: `BookingReference with id: ${safeQuery.data.id} not found`,
+              error,
+            })
+          );
+        break;
 
-  switch (method) {
-    case "GET":
-      await prisma.bookingReference
-        .findUnique({ where: { id: safeQuery.data.id } })
-        .then((data) => schemaBookingReferencePublic.parse(data))
-        .then((booking_reference) => res.status(200).json({ booking_reference }))
-        .catch((error: Error) =>
-          res.status(404).json({ message: `BookingReference with id: ${safeQuery.data.id} not found`, error })
-        );
-      break;
+      case "PATCH":
+        if (!safeBody.success) {
+          throw new Error("Invalid request body");
+        }
+        await prisma.bookingReference
+          .update({ where: { id: safeQuery.data.id }, data: safeBody.data })
+          .then((data) => schemaBookingReferencePublic.parse(data))
+          .then((booking_reference) => res.status(200).json({ booking_reference }))
+          .catch((error: Error) =>
+            res.status(404).json({
+              message: `BookingReference with id: ${safeQuery.data.id} not found`,
+              error,
+            })
+          );
+        break;
 
-    case "PATCH":
-      if (!safeBody.success) throw new Error("Invalid request body");
-      await prisma.bookingReference
-        .update({
-          where: { id: safeQuery.data.id },
-          data: safeBody.data,
-        })
-        .then((data) => schemaBookingReferencePublic.parse(data))
-        .then((booking_reference) => res.status(200).json({ booking_reference }))
-        .catch((error: Error) =>
-          res.status(404).json({ message: `BookingReference with id: ${safeQuery.data.id} not found`, error })
-        );
-      break;
+      case "DELETE":
+        await prisma.bookingReference
+          .delete({
+            where: { id: safeQuery.data.id },
+          })
+          .then(() =>
+            res.status(200).json({
+              message: `BookingReference with id: ${safeQuery.data.id} deleted`,
+            })
+          )
+          .catch((error: Error) =>
+            res.status(404).json({
+              message: `BookingReference with id: ${safeQuery.data.id} not found`,
+              error,
+            })
+          );
+        break;
 
-    case "DELETE":
-      await prisma.bookingReference
-        .delete({ where: { id: safeQuery.data.id } })
-        .then(() =>
-          res.status(200).json({ message: `BookingReference with id: ${safeQuery.data.id} deleted` })
-        )
-        .catch((error: Error) =>
-          res.status(404).json({ message: `BookingReference with id: ${safeQuery.data.id} not found`, error })
-        );
-      break;
-
-    default:
-      res.status(405).json({ message: "Method not allowed" });
-      break;
-  }
+      default:
+        res.status(405).json({ message: "Method not allowed" });
+        break;
+    }
+  } else res.status(401).json({ message: "Unauthorized" });
 }
 
 export default withMiddleware("HTTP_GET_DELETE_PATCH")(

pages/api/booking-references/index.ts

@@ -4,6 +4,7 @@ import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import { BookingReferenceResponse, BookingReferencesResponse } from "@lib/types";
+import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
 import {
   schemaBookingReferenceBodyParams,
   schemaBookingReferencePublic,
@@ -41,8 +42,16 @@ async function createOrlistAllBookingReferences(
   res: NextApiResponse<BookingReferencesResponse | BookingReferenceResponse>
 ) {
   const { method } = req;
+  const userId = await getCalcomUserId(res);
+  const userWithBookings = await prisma.user.findUnique({
+    where: { id: userId },
+    include: { bookings: true },
+  });
+  if (!userWithBookings) throw new Error("User not found");
+  const userBookingIds = userWithBookings.bookings.map((booking: any) => booking.id).flat();
+  console.log(userBookingIds);
   if (method === "GET") {
-    const data = await prisma.bookingReference.findMany();
+    const data = await prisma.bookingReference.findMany({ where: { id: { in: userBookingIds } } });
     const booking_references = data.map((bookingReference) =>
       schemaBookingReferencePublic.parse(bookingReference)
     );