From a5413b40abac79885f8e1ade219a29312e2df099 Mon Sep 17 00:00:00 2001
From: Joe Au-Yeung
Date: Wed, 5 Oct 2022 11:04:58 -0400
Subject: [PATCH] Add ability to get, post, and delete for other users if admin
---
 lib/validations/schedule.ts | 10 ++++++++--
 pages/api/schedules/[id].ts | 10 +++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/lib/validations/schedule.ts b/lib/validations/schedule.ts
index e477087055..4e8e983094 100644
--- a/lib/validations/schedule.ts
+++ b/lib/validations/schedule.ts
@@ -5,10 +5,16 @@ import { _ScheduleModel as Schedule } from "@calcom/prisma/zod";
 const schemaScheduleBaseBodyParams = Schedule.omit({ id: true }).partial();
 const schemaScheduleRequiredParams = z.object({
- userId: z.number().optional(),
 name: z.string(),
 });
 export const schemaScheduleBodyParams = schemaScheduleBaseBodyParams.merge(schemaScheduleRequiredParams);
-export const schemaSchedulePublic = Schedule.omit({});
+export const schemaSchedulePublic = z
+ .object({ id: z.number() })
+ .merge(Schedule)
+ .merge(
+ z.object({
+ availability: z.array(z.object({ id: z.number() })).optional(),
+ })
+ );
diff --git a/pages/api/schedules/[id].ts b/pages/api/schedules/[id].ts
index 593f9d7846..834a7138e2 100644
--- a/pages/api/schedules/[id].ts
+++ b/pages/api/schedules/[id].ts
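Review bot: The leading `z.object({ id: z.number() })` in the new `schemaSchedulePublic` is redundant: the context line above builds the body schema with `Schedule.omit({ id: true })`, so the `Schedule` model already declares `id`, and the following `.merge(Schedule)` replaces the hand-written field with the model's definition anyway. The chain reads more honestly as `Schedule.merge(z.object({ availability: z.array(z.object({ id: z.number() })).optional() }))`, keeping one source of truth for `id`. Separately, dropping `userId` from `schemaScheduleRequiredParams` presumably does not remove it from `schemaScheduleBodyParams`, since the `.partial()` base model still accepts it; if that is intended, a comment such as `// userId remains accepted via the partial base model; the handler restricts it to admins` would spare the next reader a trip to the API handler.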
@@ -9,16 +9,17 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function scheduleById( - { method, query, body, userId, prisma }: NextApiRequest, + { method, query, body, userId, isAdmin, prisma }: NextApiRequest, res: NextApiResponse ) { + if (body.userId && !isAdmin) res.status(401).json({ message: "Unauthorized" }); const safeQuery = schemaQueryIdParseInt.safeParse(query); const safeBody = schemaScheduleBodyParams.safeParse(body); if (!safeQuery.success) { res.status(400).json({ message: "Your query was invalid" }); return; } - const userSchedules = await prisma.schedule.findMany({ where: { userId } }); + const userSchedules = await prisma.schedule.findMany({ where: { userId: body.userId || userId } }); const userScheduleIds = userSchedules.map((schedule) => schedule.id); if (!userScheduleIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); else { @@ -48,7 +49,10 @@ export async function scheduleById( */ case "GET": await prisma.schedule - .findUnique({ where: { id: safeQuery.data.id } }) + .findUnique({ + where: { id: safeQuery.data.id }, + include: { availability: { select: { id: true } } }, + }) .then((data) => schemaSchedulePublic.parse(data)) .then((schedule) => res.status(200).json({ schedule })) .catch((error: Error) =>