From b0c0e9fb4cb74bf37bd5c748a621df2339ab05db Mon Sep 17 00:00:00 2001
From: Agusti Fernandez Pardo
Date: Thu, 21 Apr 2022 00:55:22 +0200
Subject: [PATCH] feat: memberships hardened mode
---
 pages/api/memberships/[id].ts | 113 +++++++++++++++++++++------
 pages/api/memberships/index.ts | 6 +-
 2 files changed, 78 insertions(+), 41 deletions(-)
diff --git a/pages/api/memberships/[id].ts b/pages/api/memberships/[id].ts
index 2fbb14bcdb..df62f89107 100644
--- a/pages/api/memberships/[id].ts
+++ b/pages/api/memberships/[id].ts
@@ -4,6 +4,7 @@ import prisma from "@calcom/prisma";
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import type { MembershipResponse } from "@lib/types";
+import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
 import { schemaMembershipBodyParams, schemaMembershipPublic } from "@lib/validations/membership";
 import { schemaQueryIdAsString, withValidQueryIdString } from "@lib/validations/shared/queryIdString";
@@ -106,48 +107,82 @@ export async function membershipById(req: NextApiRequest, res: NextApiResponse
 schemaMembershipPublic.parse(data))
+ .then((membership) => res.status(200).json({ membership }))
+ .catch((error: Error) =>
+ res.status(404).json({
+ message: `Membership with id: ${safeQuery.data.id} not found`,
+ error,
+ })
+ );
+ break;
- switch (method) {
- case "GET":
- await prisma.membership
- .findUnique({ where: { userId_teamId: { userId: parseInt(userId), teamId: parseInt(teamId) } } })
- .then((data) => schemaMembershipPublic.parse(data))
- .then((membership) => res.status(200).json({ membership }))
- .catch((error: Error) =>
- res.status(404).json({ message: `Membership with id: ${safeQuery.data.id} not found`, error })
- );
- break;
+ case "PATCH":
+ if (!safeBody.success) {
+ throw new Error("Invalid request body");
+ }
+ await prisma.membership
+ .update({
+ where: {
+ userId_teamId: {
+ userId: userId,
+ teamId: parseInt(teamId),
+ },
+ },
+ data: safeBody.data,
+ })
+ .then((data) => schemaMembershipPublic.parse(data))
+ .then((membership) => res.status(200).json({ membership }))
+ .catch((error: Error) =>
+ res.status(404).json({
+ message: `Membership with id: ${safeQuery.data.id} not found`,
+ error,
+ })
+ );
+ break;
- case "PATCH":
- if (!safeBody.success) throw new Error("Invalid request body");
- await prisma.membership
- .update({
- where: { userId_teamId: { userId: parseInt(userId), teamId: parseInt(teamId) } },
- data: safeBody.data,
- })
- .then((data) => schemaMembershipPublic.parse(data))
- .then((membership) => res.status(200).json({ membership }))
- .catch((error: Error) =>
- res.status(404).json({ message: `Membership with id: ${safeQuery.data.id} not found`, error })
- );
- break;
+ case "DELETE":
+ await prisma.membership
+ .delete({
+ where: {
+ userId_teamId: {
+ userId: userId,
+ teamId: parseInt(teamId),
+ },
+ },
+ })
+ .then(() =>
+ res.status(200).json({
+ message: `Membership with id: ${safeQuery.data.id} deleted successfully`,
+ })
+ )
+ .catch((error: Error) =>
+ res.status(404).json({
+ message: `Membership with id: ${safeQuery.data.id} not found`,
+ error,
+ })
+ );
+ break;
- case "DELETE":
- await prisma.membership
- .delete({ where: { userId_teamId: { userId: parseInt(userId), teamId: parseInt(teamId) } } })
- .then(() =>
- res.status(200).json({ message: `Membership with id: ${safeQuery.data.id} deleted successfully` })
- )
- .catch((error: Error) =>
- res.status(404).json({ message: `Membership with id: ${safeQuery.data.id} not found`, error })
- );
- break;
-
- default:
- res.status(405).json({ message: "Method not allowed" });
- break;
- }
+ default:
+ res.status(405).json({ message: "Method not allowed" });
+ break;
+ }
+ } else res.status(401).json({ message: "Unauthorized" });
 }
 export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdString(membershipById));
diff --git a/pages/api/memberships/index.ts b/pages/api/memberships/index.ts
index 85c2ddced1..a7a109da2d 100644
--- a/pages/api/memberships/index.ts
+++ b/pages/api/memberships/index.ts
@@ -4,6 +4,7 @@ import prisma from "@calcom/prisma";
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import { MembershipResponse, MembershipsResponse } from "@lib/types";
+import { getCalcomUserId } from "@lib/utils/getCalcomUserId";
 import { schemaMembershipBodyParams, schemaMembershipPublic } from "@lib/validations/membership";
 /**
@@ -42,8 +43,9 @@ async function createOrlistAllMemberships(
 res: NextApiResponse
 ) {
 const { method } = req;
+ const userId = getCalcomUserId(res);
 if (method === "GET") {
- const data = await prisma.membership.findMany();
+ const data = await prisma.membership.findMany({ where: { userId } });
 const memberships = data.map((membership) => schemaMembershipPublic.parse(membership));
 if (memberships) res.status(200).json({ memberships });
 else
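Review bot: The PATCH branch writes the request body through unchanged (`data: safeBody.data`) while only the `where` clause is pinned to the authenticated `userId`; if `schemaMembershipBodyParams` (defined outside this patch) accepts `userId`, `teamId` or `role`, a caller can still rewrite those columns on their own row, so strip identity and role fields before the update, e.g. `const { userId: _u, teamId: _t, role: _r, ...patch } = safeBody.data;` and pass `data: patch`. All three catch handlers in this hunk turn every failure, including a Prisma validation error caused by a NaN `parseInt(teamId)`, into a 404 whose body embeds the raw `error` object, which exposes query and model details to the client; log the error server-side and return only the message. `parseInt(teamId, 10)` should also be rejected when it is NaN before any query is issued. The GET query's `where` clause and the condition that pairs with the trailing `} else res.status(401)` both lie above this hunk, so the GET scoping could not be verified here.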
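Review bot: `findMany({ where: { userId } })` only narrows the listing when `userId` is an actual number; Prisma treats an `undefined` field inside `where` as "no filter", so if `getCalcomUserId(res)` can yield `undefined` for an unauthenticated or unmatched caller (its signature is not in this patch) this GET falls back to returning every membership in the table. Unlike the `[id].ts` handler in the same commit there is no 401 branch on this path; add `if (!userId) return res.status(401).json({ message: "Unauthorized" });` directly after the `getCalcomUserId` call so both the GET and the POST branch of `createOrlistAllMemberships` are covered. The `if (memberships)` check two lines later is always true for an array, so the `else` path is unreachable; that is pre-existing but worth a `// NOTE: map() never returns a falsy value` comment or removal.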
@@ -56,7 +58,7 @@ async function createOrlistAllMemberships(
 const safe = schemaMembershipBodyParams.safeParse(req.body);
 if (!safe.success) throw new Error("Invalid request body");
- const data = await prisma.membership.create({ data: safe.data });
+ const data = await prisma.membership.create({ data: { ...safe.data, userId } });
 const membership = schemaMembershipPublic.parse(data);
 if (membership) res.status(201).json({ membership, message: "Membership created successfully" });
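Review bot: The spread `{ ...safe.data, userId }` forces the new row's `userId` to the caller, but `teamId` (and `role`, if `schemaMembershipBodyParams` admits it) still come from the request body, so any authenticated caller can create a membership for themselves in any team the body names. Before `create`, verify that the caller is entitled to join that team (for example that a pending invitation exists or the caller already holds an admin/owner membership there) and either drop `role` from the payload or force it to the least-privileged value. If `getCalcomUserId` can return `undefined`, the explicit `userId` key also overrides a body-supplied value with nothing, which Prisma then reports as a missing required field, so guard with `if (!userId) return res.status(401).json({ message: "Unauthorized" });` before this point. The `if (membership)` on the last line is unreachable in its false branch because `schemaMembershipPublic.parse` throws rather than returning a falsy value.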