From a5eb3fce28ad1219f671777086e10500cff81243 Mon Sep 17 00:00:00 2001
From: Alex van Andel
Date: Fri, 29 Oct 2021 01:50:52 +0100
Subject: [PATCH] Allow confirming COLLECTIVE types (#1069)
---
 pages/api/book/confirm.ts | 45 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/pages/api/book/confirm.ts b/pages/api/book/confirm.ts
index 6c0eea15ec..d7440d1df0 100644
--- a/pages/api/book/confirm.ts
+++ b/pages/api/book/confirm.ts
@@ -1,3 +1,4 @@
+import { User, Booking, SchedulingType } from "@prisma/client";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { refund } from "@ee/lib/stripe/server";
@@ -11,6 +12,32 @@ import { BookingConfirmBody } from "@lib/types/booking";
 import { getTranslation } from "@server/lib/i18n";
+const authorized = async (
+ currentUser: Pick,
+ booking: Pick
+) => {
+ // if the organizer
+ if (booking.userId === currentUser.id) {
+ return true;
+ }
+ const eventType = await prisma.eventType.findUnique({
+ where: {
+ id: booking.eventTypeId || undefined,
+ },
+ select: {
+ schedulingType: true,
+ users: true,
+ },
+ });
+ if (
+ eventType?.schedulingType === SchedulingType.COLLECTIVE &&
+ eventType.users.find((user) => user.id === currentUser.id)
+ ) {
+ return true;
+ }
+ return false;
+};
+
 export default async function handler(req: NextApiRequest, res: NextApiResponse): Promise {
 const t = await getTranslation(req.body.language ?? "en", "common");
@@ -55,6 +82,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 endTime: true,
 confirmed: true,
 attendees: true,
+ eventTypeId: true,
 location: true,
 userId: true,
 id: true,
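Review bot: In the new `authorized` helper (hunk `@@ -11,6 +12,32 @@`), `select: { users: true }` loads every column of every user attached to the event type just to test membership. An access check only needs the caller's id, so `users: { where: { id: currentUser.id }, select: { id: true } }` keeps unrelated account fields out of this path. The lookup also passes `id: booking.eventTypeId || undefined`, so a booking without an event type reaches `findUnique` with an undefined unique filter. How Prisma treats that depends on the client version, and an explicit `if (!booking.eventTypeId) return false;` before the query would make the deny path unambiguous. A short doc comment stating the rule (the organizer, or any member of a COLLECTIVE event type) would also help anyone auditing this check later.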
@@ -63,9 +91,14 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 },
 });
- if (!booking || booking.userId !== currentUser.id) {
+ if (!booking) {
 return res.status(404).json({ message: "booking not found" });
 }
+
+ if (!(await authorized(currentUser, booking))) {
+ return res.status(401).end();
+ }
+
 if (booking.confirmed) {
 return res.status(400).json({ message: "booking already confirmed" });
 }
@@ -76,7 +109,11 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 description: booking.description,
 startTime: booking.startTime.toISOString(),
 endTime: booking.endTime.toISOString(),
- organizer: { email: currentUser.email, name: currentUser.name!, timeZone: currentUser.timeZone },
+ organizer: {
+ email: currentUser.email,
+ name: currentUser.name || "Unnamed",
+ timeZone: currentUser.timeZone,
+ },
 attendees: booking.attendees,
 location: booking.location ?? "",
 uid: booking.uid,
@@ -99,7 +136,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 },
 });
- res.status(204).json({ message: "ok" });
+ res.status(204).end();
 } else {
 await refund(booking, evt);
@@ -114,7 +151,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 const attendeeMail = new EventRejectionMail(evt);
 await attendeeMail.sendEmail();
- res.status(204).json({ message: "ok" });
+ res.status(204).end();
 }
 }
 }
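Review bot: The authorization failure in hunk `@@ -63,9 +91,14 @@` now answers `401`, where the old combined check answered `404` with "booking not found". A caller can therefore tell an existing booking they may not confirm from one that does not exist, which becomes an existence oracle if booking ids are guessable. Returning the same response for both cases, `return res.status(404).json({ message: "booking not found" });`, keeps the previous behaviour. If the distinction is intended, `403` is the conventional status for a caller who is signed in but lacks permission, since `401` signals missing credentials. The session handling sits outside this hunk, so confirm that `currentUser` is always an authenticated user at this point.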
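Review bot: In hunk `@@ -76,7 +109,11 @@` the event's `organizer` is still built from `currentUser`, but after this commit the confirming user can be a COLLECTIVE team member rather than the booking's owner (`booking.userId`). Anything derived from `evt`, such as the rejection mail and the `refund(booking, evt)` call visible in the later hunks, would then name whichever member confirmed as organizer, which looks unintended. Consider loading the owner's email, name and time zone from `booking.userId` for this field and documenting the choice in a comment above `organizer`. The rest of `evt` and its consumers lie outside the hunk, so check this against how `evt` is used further down.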