From 53d7e5714280d5bb5c6c14a10a3efaa8fb775fd5 Mon Sep 17 00:00:00 2001
From: Afzal Sayed <14029371+afzalsayed96@users.noreply.github.com>
Date: Mon, 25 Apr 2022 02:32:04 +0530
Subject: [PATCH] Fix update event type authorization (#2588)
---
 apps/web/server/routers/viewer/eventTypes.tsx | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/apps/web/server/routers/viewer/eventTypes.tsx b/apps/web/server/routers/viewer/eventTypes.tsx
index 13f38372ff..48c3d04de4 100644
--- a/apps/web/server/routers/viewer/eventTypes.tsx
+++ b/apps/web/server/routers/viewer/eventTypes.tsx
@@ -193,6 +193,21 @@ export const eventTypesRouter = createProtectedRouter()
 throw new TRPCError({ code: "UNAUTHORIZED" });
 }
 
+ const inputUsers = (rawInput as any).users || [];
+
+ const isAllowed = (function () {
+ if (event.team) {
+ const allTeamMembers = event.team.members.map((member) => member.userId);
+ return inputUsers.every((userId: string) => allTeamMembers.includes(Number.parseInt(userId)));
+ }
+ return inputUsers.every((userId: string) => Number.parseInt(userId) === ctx.user.id);
+ })();
+
+ if (!isAllowed) {
+ console.warn(`User ${ctx.user.id} attempted to an create an event for users ${inputUsers.join(", ")}.`);
+ throw new TRPCError({ code: "FORBIDDEN" });
+ }
+
 return next();
 })
 .mutation("update", {
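Review bot: `inputUsers` is read from the still-unvalidated `rawInput`, and the `as any` cast hides that `users` need not be an array — a string or object value makes `inputUsers.every` throw a TypeError, so the request fails with an unhandled error rather than a deliberate rejection. Guard the shape before the ownership check: `const inputUsers: unknown = (rawInput as { users?: unknown }).users ?? [];` followed by `if (!Array.isArray(inputUsers)) throw new TRPCError({ code: "BAD_REQUEST" });`, which also gives the later `(userId: string)` callbacks a narrowed array to work on. `Number.parseInt` is lenient (`"5x"` parses as 5), so the id compared here should be derived the same way the mutation later resolves `users`; that mutation body is outside the hunk, so this is only a suggestion to keep the two in step. The warning text `attempted to an create an event` is garbled and this is the update path — `attempted to update an event type for users …` reads correctly. The enclosing middleware callback starts before the hunk.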