diff --git a/apps/web/server/routers/viewer/eventTypes.tsx b/apps/web/server/routers/viewer/eventTypes.tsx index 13f38372ff..48c3d04de4 100644 --- a/apps/web/server/routers/viewer/eventTypes.tsx +++ b/apps/web/server/routers/viewer/eventTypes.tsx @@ -193,6 +193,21 @@ export const eventTypesRouter = createProtectedRouter() throw new TRPCError({ code: "UNAUTHORIZED" }); } + const inputUsers = (rawInput as any).users || []; + + const isAllowed = (function () { + if (event.team) { + const allTeamMembers = event.team.members.map((member) => member.userId); + return inputUsers.every((userId: string) => allTeamMembers.includes(Number.parseInt(userId))); + } + return inputUsers.every((userId: string) => Number.parseInt(userId) === ctx.user.id); + })(); + + if (!isAllowed) { + console.warn(`User ${ctx.user.id} attempted to an create an event for users ${inputUsers.join(", ")}.`); + throw new TRPCError({ code: "FORBIDDEN" }); + } + return next(); }) .mutation("update", {
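Review bot: The authorization decision at `const inputUsers = (rawInput as any).users || []` is made on an unvalidated shape: a non-array `users` value makes `inputUsers.every` throw a TypeError, which surfaces as an internal error rather than a BAD_REQUEST, and `Number.parseInt(userId)` (no radix, trailing characters ignored) means the id this check approves can differ from the string the downstream mutation actually receives. Rejecting anything that is not an array of strict decimal ids before the `isAllowed` block keeps the check and the consumer looking at the same value; the rewrite below does that and leaves the IIFE and the FORBIDDEN branch unchanged. The log line also reads `attempted to an create an event`; `attempted to create an event` is intended. The enclosing middleware and the query that populates `event.team.members` begin outside the hunk, so whether `members` is always loaded cannot be confirmed from here.
```typescript
const rawUsers = (rawInput as { users?: unknown }).users ?? [];
// Reject malformed input before authorizing on it, so the check and the mutation see the same ids.
if (!Array.isArray(rawUsers) || !rawUsers.every((u) => /^\d+$/.test(String(u)))) {
  throw new TRPCError({ code: "BAD_REQUEST" });
}
const inputUsers: string[] = rawUsers.map(String);
// … unchanged: isAllowed IIFE and FORBIDDEN branch …
```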