Add ability to get, post, and delete for other users if admin

pull/9078/head
Joe Au-Yeung 2022-10-05 11:04:58 -04:00
parent 95fc04a453
commit a5413b40ab
2 changed files with 15 additions and 5 deletions


@ -5,10 +5,16 @@ import { _ScheduleModel as Schedule } from "@calcom/prisma/zod";
const schemaScheduleBaseBodyParams = Schedule.omit({ id: true }).partial(); const schemaScheduleBaseBodyParams = Schedule.omit({ id: true }).partial();
const schemaScheduleRequiredParams = z.object({ const schemaScheduleRequiredParams = z.object({
userId: z.number().optional(),
name: z.string(), name: z.string(),
}); });
export const schemaScheduleBodyParams = schemaScheduleBaseBodyParams.merge(schemaScheduleRequiredParams); export const schemaScheduleBodyParams = schemaScheduleBaseBodyParams.merge(schemaScheduleRequiredParams);
export const schemaSchedulePublic = Schedule.omit({}); export const schemaSchedulePublic = z
.object({ id: z.number() })
.merge(Schedule)
.merge(
z.object({
availability: z.array(z.object({ id: z.number() })).optional(),
})
);


@ -9,16 +9,17 @@ import {
} from "@lib/validations/shared/queryIdTransformParseInt"; } from "@lib/validations/shared/queryIdTransformParseInt";
export async function scheduleById( export async function scheduleById(
{ method, query, body, userId, prisma }: NextApiRequest, { method, query, body, userId, isAdmin, prisma }: NextApiRequest,
res: NextApiResponse<ScheduleResponse> res: NextApiResponse<ScheduleResponse>
) { ) {
if (body.userId && !isAdmin) res.status(401).json({ message: "Unauthorized" });
const safeQuery = schemaQueryIdParseInt.safeParse(query); const safeQuery = schemaQueryIdParseInt.safeParse(query);
const safeBody = schemaScheduleBodyParams.safeParse(body); const safeBody = schemaScheduleBodyParams.safeParse(body);
if (!safeQuery.success) { if (!safeQuery.success) {
res.status(400).json({ message: "Your query was invalid" }); res.status(400).json({ message: "Your query was invalid" });
return; return;
} }
const userSchedules = await prisma.schedule.findMany({ where: { userId } }); const userSchedules = await prisma.schedule.findMany({ where: { userId: body.userId || userId } });
const userScheduleIds = userSchedules.map((schedule) => schedule.id); const userScheduleIds = userSchedules.map((schedule) => schedule.id);
if (!userScheduleIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); if (!userScheduleIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else { else {
@ -48,7 +49,10 @@ export async function scheduleById(
*/ */
case "GET": case "GET":
await prisma.schedule await prisma.schedule
.findUnique({ where: { id: safeQuery.data.id } }) .findUnique({
where: { id: safeQuery.data.id },
include: { availability: { select: { id: true } } },
})
.then((data) => schemaSchedulePublic.parse(data)) .then((data) => schemaSchedulePublic.parse(data))
.then((schedule) => res.status(200).json({ schedule })) .then((schedule) => res.status(200).json({ schedule }))
.catch((error: Error) => .catch((error: Error) =>
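Review bot: The admin guard added at the top of scheduleById in the first hunk, `if (body.userId && !isAdmin) res.status(401).json({ message: "Unauthorized" });`, writes the response but does not return, so a non-admin caller who supplies `body.userId` still reaches the `findMany` that now filters on `body.userId || userId` and then the method switch, where a PATCH or DELETE would run against the other user's schedule before the second `res.json` fails with headers already sent. The guard should end the handler: `if (body.userId && !isAdmin) { res.status(401).json({ message: "Unauthorized" }); return; }`. The check also reads `body.userId` from the raw body even though `schemaScheduleBodyParams.safeParse(body)` is computed two lines later; taking the value from `safeBody.data` (after its own success check) would keep the guard and the `findMany` filter on the same validated numeric value. The body of scheduleById continues past the end of both hunks.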