From aadde45bb7da48ea99865df92f976432f79b8c67 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 01:17:01 +0200 Subject: [PATCH 1/8] fix: add event-types admin endpoints --- pages/api/event-types/index.ts | 58 +++++++++++++++++++--------------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts index 0e2467692f..bfe8c3e7ee 100644 --- a/pages/api/event-types/index.ts +++ b/pages/api/event-types/index.ts @@ -4,12 +4,14 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { EventTypeResponse, EventTypesResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllEventTypes( { method, body, userId }: NextApiRequest, res: NextApiResponse ) { + const isAdmin = await isAdminGuard(userId); if (method === "GET") { /** * @swagger @@ -29,20 +31,27 @@ async function createOrlistAllEventTypes( * 404: * description: No event types were found */ - const data = await prisma.user - .findUnique({ - where: { id: userId }, - rejectOnNotFound: true, - select: { eventTypes: true }, - }) - .catch((error) => res.status(404).json({ message: "No event types were found", error })); - if (data) res.status(200).json({ event_types: data.eventTypes }); - else - (error: Error) => - res.status(404).json({ - message: "No EventTypes were found", - error, - }); + if (!isAdmin) { + const data = await prisma.user + .findUnique({ + where: { id: userId }, + rejectOnNotFound: true, + select: { eventTypes: true }, + }) + .catch((error) => res.status(404).json({ message: "No event types were found", error })); + // @todo: add validations back schemaReadEventType.parse + if (data) res.status(200).json({ event_types: data.eventTypes }); + else + (error: Error) => + res.status(404).json({ + message: "No EventTypes were found", + error, + }); + } else { + const data = await prisma.eventType.findMany({}); + const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType)); + if (event_types) res.status(200).json({ event_types }); + } } else if (method === "POST") { /** * @swagger @@ -92,17 +101,16 @@ async function createOrlistAllEventTypes( res.status(400).json({ message: "Invalid request body", error: safe.error }); return; } - - const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); - const event_type = schemaEventTypeReadPublic.parse(data); - - if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); - else - (error: Error) => - res.status(400).json({ - message: "Could not create new event type", - error, - }); + if (!isAdmin) { + const data = await prisma.eventType.create({ data: { ...safe.data, userId } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } else { + // if admin don't re-set userId from input + const data = await prisma.eventType.create({ data: { ...safe.data } }); + const event_type = schemaEventTypeReadPublic.parse(data); + if (data) res.status(201).json({ event_type, message: "EventType created successfully" }); + } } else res.status(405).json({ message: `Method ${method} not allowed` }); } From 514a98f9e042a79169252d227373e9dcd1d72d35 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 01:32:05 +0200 Subject: [PATCH 2/8] feat: add admin endpoint support for event-types id --- pages/api/event-types/[id].ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 20ad84d776..81cefb3ab7 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { EventTypeResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; import { schemaQueryIdParseInt, @@ -14,19 +15,21 @@ export async function eventTypeById( { method, query, body, userId }: NextApiRequest, res: NextApiResponse ) { + const isAdmin = await isAdminGuard(userId); const safeQuery = schemaQueryIdParseInt.safeParse(query); if (!safeQuery.success) { res.status(400).json({ message: "Your query was invalid" }); return; } - const data = await await prisma.user.findUnique({ + const data = await prisma.user.findUnique({ where: { id: userId }, rejectOnNotFound: true, select: { eventTypes: true }, }); const userEventTypes = data.eventTypes.map((eventType) => eventType.id); - if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + if (!isAdmin || !userEventTypes.includes(safeQuery.data.id)) + res.status(401).json({ message: "Unauthorized" }); else { switch (method) { /** From d8d0d42374fff2c5cbe03182967a60f8a1841a9b Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Sat, 4 Jun 2022 02:26:16 +0200 Subject: [PATCH 3/8] fix: only check event type ownership if not admin --- pages/api/event-types/[id].ts | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 81cefb3ab7..19435a0bc6 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -27,10 +27,9 @@ export async function eventTypeById( select: { eventTypes: true }, }); const userEventTypes = data.eventTypes.map((eventType) => eventType.id); - - if (!isAdmin || !userEventTypes.includes(safeQuery.data.id)) - res.status(401).json({ message: "Unauthorized" }); - else { + if (!isAdmin) { + if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger From dd94df8c97be8eb550f356c3cdce5080030fb7f9 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 22:59:26 +0200 Subject: [PATCH 4/8] merging main to prod fixing conflicts in users --- lib/helpers/verifyApiKey.ts | 6 ++ lib/validations/booking.ts | 1 - pages/api/attendees/[id].ts | 10 +- pages/api/attendees/index.ts | 79 +++++++++----- pages/api/bookings/index.ts | 2 +- pages/api/event-types/[id].ts | 4 +- pages/api/event-types/index.ts | 4 +- pages/api/users/[id].ts | 184 +++++++++++++++++++++++++++++++++ 8 files changed, 251 insertions(+), 39 deletions(-) create mode 100644 pages/api/users/[id].ts diff --git a/lib/helpers/verifyApiKey.ts b/lib/helpers/verifyApiKey.ts index 481b006849..08c0216737 100644 --- a/lib/helpers/verifyApiKey.ts +++ b/lib/helpers/verifyApiKey.ts @@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware"; import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys"; import prisma from "@calcom/prisma"; +import { isAdminGuard } from "@lib/utils/isAdmin"; + /** @todo figure how to use the one from `@calcom/types`fi */ /** @todo: remove once `@calcom/types` is updated with it.*/ declare module "next" { export interface NextApiRequest extends IncomingMessage { userId: number; method: string; + isAdmin: boolean; query: { [key: string]: string | string[] }; // eslint-disable-next-line @typescript-eslint/no-explicit-any session: any; @@ -41,5 +44,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => { if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" }); /* We save the user id in the request for later use */ req.userId = apiKey.userId; + /* We save the isAdmin boolean here for later use */ + req.isAdmin = await isAdminGuard(req.userId); + await next(); }; diff --git a/lib/validations/booking.ts b/lib/validations/booking.ts index b61d6913fd..a8a4b52c37 100644 --- a/lib/validations/booking.ts +++ b/lib/validations/booking.ts @@ -24,7 +24,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s const schemaBookingEditParams = z .object({ - uid: z.string().optional(), title: z.string().optional(), startTime: z.date().optional(), endTime: z.date().optional(), diff --git a/pages/api/attendees/[id].ts b/pages/api/attendees/[id].ts index a1674d87a4..a72dbf5812 100644 --- a/pages/api/attendees/[id].ts +++ b/pages/api/attendees/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function attendeeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -33,9 +33,11 @@ export async function attendeeById( .flat() .map((attendee) => attendee.id) ); - // @note: Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + // @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin. + if (!isAdmin) { + if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) + res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/attendees/index.ts b/pages/api/attendees/index.ts index eaae0b28ff..6b2c4fc415 100644 --- a/pages/api/attendees/index.ts +++ b/pages/api/attendees/index.ts @@ -1,24 +1,30 @@ import type { NextApiRequest, NextApiResponse } from "next"; -import db from "@calcom/prisma"; +import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { AttendeeResponse, AttendeesResponse } from "@lib/types"; import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee"; async function createOrlistAllAttendees( - { method, userId, body }: NextApiRequest, + { method, userId, body, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const userBookings = await db.booking.findMany({ - where: { - userId, - }, - include: { - attendees: true, - }, - }); - const attendees = userBookings.map((booking) => booking.attendees).flat(); + let attendees; + if (!isAdmin) { + const userBookings = await prisma.booking.findMany({ + where: { + userId, + }, + include: { + attendees: true, + }, + }); + attendees = userBookings.map((booking) => booking.attendees).flat(); + } else { + const data = await prisma.attendee.findMany(); + attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee)); + } if (method === "GET") { /** * @swagger @@ -37,12 +43,7 @@ async function createOrlistAllAttendees( * description: No attendees were found */ if (attendees) res.status(200).json({ attendees }); - else - (error: Error) => - res.status(404).json({ - message: "No Attendees were found", - error, - }); + else (error: Error) => res.status(400).json({ error }); } else if (method === "POST") { /** * @swagger @@ -90,16 +91,40 @@ async function createOrlistAllAttendees( res.status(400).json({ message: "Invalid request body", error: safePost.error }); return; } - const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } }); - if (!userWithBookings) { - res.status(404).json({ message: "User not found" }); - return; - } - const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - // Here we make sure to only return attendee's of the user's own bookings. - if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" }); - else { - const data = await db.attendee.create({ + if (!isAdmin) { + const userWithBookings = await prisma.user.findUnique({ + where: { id: userId }, + include: { bookings: true }, + }); + if (!userWithBookings) { + res.status(404).json({ message: "User not found" }); + return; + } + const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); + // Here we make sure to only return attendee's of the user's own bookings. + if (!userBookingIds.includes(safePost.data.bookingId)) + res.status(401).json({ message: "Unauthorized" }); + else { + const data = await prisma.attendee.create({ + data: { + email: safePost.data.email, + name: safePost.data.name, + timeZone: safePost.data.timeZone, + booking: { connect: { id: safePost.data.bookingId } }, + }, + }); + const attendee = schemaAttendeeReadPublic.parse(data); + + if (attendee) { + res.status(201).json({ + attendee, + message: "Attendee created successfully", + }); + } else (error: Error) => res.status(400).json({ error }); + } + } else { + // @todo: check real availability times before booking + const data = await prisma.attendee.create({ data: { email: safePost.data.email, name: safePost.data.name, diff --git a/pages/api/bookings/index.ts b/pages/api/bookings/index.ts index ab85b339cd..47d9b80da3 100644 --- a/pages/api/bookings/index.ts +++ b/pages/api/bookings/index.ts @@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val import { schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllBookings( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { console.log("userIduserId", userId); diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts index 19435a0bc6..013f9909be 100644 --- a/pages/api/event-types/[id].ts +++ b/pages/api/event-types/[id].ts @@ -4,7 +4,6 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { EventTypeResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; import { schemaQueryIdParseInt, @@ -12,10 +11,9 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function eventTypeById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const isAdmin = await isAdminGuard(userId); const safeQuery = schemaQueryIdParseInt.safeParse(query); if (!safeQuery.success) { res.status(400).json({ message: "Your query was invalid" }); diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts index bfe8c3e7ee..dc6844e039 100644 --- a/pages/api/event-types/index.ts +++ b/pages/api/event-types/index.ts @@ -4,14 +4,12 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import { EventTypeResponse, EventTypesResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type"; async function createOrlistAllEventTypes( - { method, body, userId }: NextApiRequest, + { method, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { - const isAdmin = await isAdminGuard(userId); if (method === "GET") { /** * @swagger diff --git a/pages/api/users/[id].ts b/pages/api/users/[id].ts new file mode 100644 index 0000000000..bf70a7a785 --- /dev/null +++ b/pages/api/users/[id].ts @@ -0,0 +1,184 @@ +import type { NextApiRequest, NextApiResponse } from "next"; + +import prisma from "@calcom/prisma"; + +import { withMiddleware } from "@lib/helpers/withMiddleware"; +import type { UserResponse } from "@lib/types"; +import { + schemaQueryIdParseInt, + withValidQueryIdTransformParseInt, +} from "@lib/validations/shared/queryIdTransformParseInt"; +import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user"; + +export async function userById( + { method, query, body, userId, isAdmin }: NextApiRequest, + res: NextApiResponse +) { + const safeQuery = schemaQueryIdParseInt.safeParse(query); + console.log(body); + if (!safeQuery.success) { + res.status(400).json({ message: "Your query was invalid" }); + return; + } + // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user + if (!isAdmin) { + if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" }); + } else { + switch (method) { + case "GET": + /** + * @swagger + * /users/{id}: + * get: + * summary: Find a user, returns your user if regular user. + * operationId: getUserById + * parameters: + * - in: path + * name: id + * example: 4 + * schema: + * type: integer + * required: true + * description: ID of the user to get + * tags: + * - users + * responses: + * 200: + * description: OK + * 401: + * description: Authorization information is missing or invalid. + * 404: + * description: User was not found + */ + + await prisma.user + .findUnique({ where: { id: safeQuery.data.id } }) + .then((data) => schemaUserReadPublic.parse(data)) + .then((user) => res.status(200).json({ user })) + .catch((error: Error) => + res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) + ); + break; + case "PATCH": + /** + * @swagger + * /users/{id}: + * patch: + * summary: Edit an existing user + * operationId: editUserById + * requestBody: + * description: Edit an existing attendee related to one of your bookings + * required: true + * content: + * application/json: + * schema: + * type: object + * properties: + * weekStart: + * type: string + * enum: [Monday, Sunday, Saturday] + * example: Monday + * brandColor: + * type: string + * example: "#FF000F" + * darkBrandColor: + * type: string + * example: "#000000" + * timeZone: + * type: string + * example: Europe/London + * parameters: + * - in: path + * name: id + * example: 4 + * schema: + * type: integer + * required: true + * description: ID of the user to edit + * tags: + * - users + * responses: + * 201: + * description: OK, user edited successfuly + * 400: + * description: Bad request. User body is invalid. + * 401: + * description: Authorization information is missing or invalid. + */ + + const safeBody = schemaUserEditBodyParams.safeParse(body); + if (!safeBody.success) { + res.status(400).json({ message: "Bad request", error: safeBody.error }); + + return; + } + const userSchedules = await prisma.schedule.findMany({ + where: { userId }, + }); + const userSchedulesIds = userSchedules.map((schedule) => schedule.id); + // @note: here we make sure user can only make as default his own scheudles + if ( + safeBody?.data?.defaultScheduleId && + !userSchedulesIds.includes(Number(safeBody?.data?.defaultScheduleId)) + ) { + res.status(400).json({ + message: "Bad request: Invalid default schedule id", + }); + return; + } + await prisma.user + .update({ + where: { id: userId }, + data: safeBody.data, + }) + .then((data) => schemaUserReadPublic.parse(data)) + .then((user) => res.status(200).json({ user })) + .catch((error: Error) => + res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) + ); + break; + + /** + * @swagger + * /users/{id}: + * delete: + * summary: Remove an existing user + * operationId: removeUserById + * parameters: + * - in: path + * name: id + * example: 1 + * schema: + * type: integer + * required: true + * description: ID of the user to delete + * tags: + * - users + * responses: + * 201: + * description: OK, user removed successfuly + * 400: + * description: Bad request. User id is invalid. + * 401: + * description: Authorization information is missing or invalid. + */ + + case "DELETE": + await prisma.user + .delete({ where: { id: safeQuery.data.id } }) + .then(() => + res.status(200).json({ message: `User with id: ${safeQuery.data.id} deleted successfully` }) + ) + .catch((error: Error) => + res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) + ); + break; + + default: + res.status(405).json({ message: "Method not allowed" }); + break; + } + } +} + +export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(userById)); From 6349491ae7d711a9134c66e4e17f92fab96cbe3f Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:10:19 +0200 Subject: [PATCH 5/8] feat: admin endpoints for bookings --- lib/validations/booking.ts | 1 - pages/api/bookings/[id].ts | 8 +++++--- pages/api/bookings/index.ts | 37 ++++++++++++++++++++++++++----------- 3 files changed, 31 insertions(+), 15 deletions(-) diff --git a/lib/validations/booking.ts b/lib/validations/booking.ts index a8a4b52c37..a7a8eab730 100644 --- a/lib/validations/booking.ts +++ b/lib/validations/booking.ts @@ -3,7 +3,6 @@ import { z } from "zod"; import { _BookingModel as Booking } from "@calcom/prisma/zod"; const schemaBookingBaseBodyParams = Booking.pick({ - uid: true, userId: true, eventTypeId: true, title: true, diff --git a/pages/api/bookings/[id].ts b/pages/api/bookings/[id].ts index 7e17c9613a..8603af73c8 100644 --- a/pages/api/bookings/[id].ts +++ b/pages/api/bookings/[id].ts @@ -11,7 +11,7 @@ import { } from "@lib/validations/shared/queryIdTransformParseInt"; export async function bookingById( - { method, query, body, userId }: NextApiRequest, + { method, query, body, userId, isAdmin }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -25,8 +25,10 @@ export async function bookingById( }); if (!userWithBookings) throw new Error("User not found"); const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat(); - if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); - else { + + if (!isAdmin) { + if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" }); + } else { switch (method) { /** * @swagger diff --git a/pages/api/bookings/index.ts b/pages/api/bookings/index.ts index 47d9b80da3..560bca7b8e 100644 --- a/pages/api/bookings/index.ts +++ b/pages/api/bookings/index.ts @@ -33,16 +33,29 @@ async function createOrlistAllBookings( * 404: * description: No bookings were found */ - const data = await prisma.booking.findMany({ where: { userId } }); - const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); - console.log(`Bookings requested by ${userId}`); - if (bookings) res.status(200).json({ bookings }); - else - (error: Error) => - res.status(404).json({ - message: "No Bookings were found", - error, - }); + if (!isAdmin) { + const data = await prisma.booking.findMany({ where: { userId } }); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } else { + const data = await prisma.booking.findMany(); + const bookings = data.map((booking) => schemaBookingReadPublic.parse(booking)); + if (bookings) res.status(200).json({ bookings }); + else { + (error: Error) => + res.status(404).json({ + message: "No Bookings were found", + error, + }); + } + } } else if (method === "POST") { /** * @swagger @@ -83,7 +96,9 @@ async function createOrlistAllBookings( res.status(400).json({ message: "Bad request. Booking body is invalid." }); return; } - safe.data.userId = userId; + if (!isAdmin) { + safe.data.userId = userId; + } const data = await prisma.booking.create({ data: { uid: uuidv4(), ...safe.data } }); const booking = schemaBookingReadPublic.parse(data); From fe53fd92486657f3a06dadfabded89856bf4beed Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:14:35 +0200 Subject: [PATCH 6/8] fix: remove comment --- pages/api/attendees/index.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/pages/api/attendees/index.ts b/pages/api/attendees/index.ts index 6b2c4fc415..e4f3e54f79 100644 --- a/pages/api/attendees/index.ts +++ b/pages/api/attendees/index.ts @@ -123,7 +123,6 @@ async function createOrlistAllAttendees( } else (error: Error) => res.status(400).json({ error }); } } else { - // @todo: check real availability times before booking const data = await prisma.attendee.create({ data: { email: safePost.data.email, From 3310b9307de602198e2df64e8e56631ce553c794 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 21:16:46 +0200 Subject: [PATCH 7/8] fix: undo changes in users --- pages/api/users/[id].ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pages/api/users/[id].ts b/pages/api/users/[id].ts index bf70a7a785..65b864c652 100644 --- a/pages/api/users/[id].ts +++ b/pages/api/users/[id].ts @@ -4,6 +4,7 @@ import prisma from "@calcom/prisma"; import { withMiddleware } from "@lib/helpers/withMiddleware"; import type { UserResponse } from "@lib/types"; +import { isAdminGuard } from "@lib/utils/isAdmin"; import { schemaQueryIdParseInt, withValidQueryIdTransformParseInt, @@ -11,7 +12,7 @@ import { import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user"; export async function userById( - { method, query, body, userId, isAdmin }: NextApiRequest, + { method, query, body, userId }: NextApiRequest, res: NextApiResponse ) { const safeQuery = schemaQueryIdParseInt.safeParse(query); @@ -20,6 +21,7 @@ export async function userById( res.status(400).json({ message: "Your query was invalid" }); return; } + const isAdmin = await isAdminGuard(userId); // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user if (!isAdmin) { if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" }); From 998970c4cbe527f3c875418bd680403fac826708 Mon Sep 17 00:00:00 2001 From: Agusti Fernandez Pardo Date: Wed, 15 Jun 2022 23:06:30 +0200 Subject: [PATCH 8/8] fix: remove duplicate users/id --- pages/api/users/[id].ts | 186 ---------------------------------------- 1 file changed, 186 deletions(-) delete mode 100644 pages/api/users/[id].ts diff --git a/pages/api/users/[id].ts b/pages/api/users/[id].ts deleted file mode 100644 index 65b864c652..0000000000 --- a/pages/api/users/[id].ts +++ /dev/null @@ -1,186 +0,0 @@ -import type { NextApiRequest, NextApiResponse } from "next"; - -import prisma from "@calcom/prisma"; - -import { withMiddleware } from "@lib/helpers/withMiddleware"; -import type { UserResponse } from "@lib/types"; -import { isAdminGuard } from "@lib/utils/isAdmin"; -import { - schemaQueryIdParseInt, - withValidQueryIdTransformParseInt, -} from "@lib/validations/shared/queryIdTransformParseInt"; -import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user"; - -export async function userById( - { method, query, body, userId }: NextApiRequest, - res: NextApiResponse -) { - const safeQuery = schemaQueryIdParseInt.safeParse(query); - console.log(body); - if (!safeQuery.success) { - res.status(400).json({ message: "Your query was invalid" }); - return; - } - const isAdmin = await isAdminGuard(userId); - // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user - if (!isAdmin) { - if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" }); - } else { - switch (method) { - case "GET": - /** - * @swagger - * /users/{id}: - * get: - * summary: Find a user, returns your user if regular user. - * operationId: getUserById - * parameters: - * - in: path - * name: id - * example: 4 - * schema: - * type: integer - * required: true - * description: ID of the user to get - * tags: - * - users - * responses: - * 200: - * description: OK - * 401: - * description: Authorization information is missing or invalid. - * 404: - * description: User was not found - */ - - await prisma.user - .findUnique({ where: { id: safeQuery.data.id } }) - .then((data) => schemaUserReadPublic.parse(data)) - .then((user) => res.status(200).json({ user })) - .catch((error: Error) => - res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) - ); - break; - case "PATCH": - /** - * @swagger - * /users/{id}: - * patch: - * summary: Edit an existing user - * operationId: editUserById - * requestBody: - * description: Edit an existing attendee related to one of your bookings - * required: true - * content: - * application/json: - * schema: - * type: object - * properties: - * weekStart: - * type: string - * enum: [Monday, Sunday, Saturday] - * example: Monday - * brandColor: - * type: string - * example: "#FF000F" - * darkBrandColor: - * type: string - * example: "#000000" - * timeZone: - * type: string - * example: Europe/London - * parameters: - * - in: path - * name: id - * example: 4 - * schema: - * type: integer - * required: true - * description: ID of the user to edit - * tags: - * - users - * responses: - * 201: - * description: OK, user edited successfuly - * 400: - * description: Bad request. User body is invalid. - * 401: - * description: Authorization information is missing or invalid. - */ - - const safeBody = schemaUserEditBodyParams.safeParse(body); - if (!safeBody.success) { - res.status(400).json({ message: "Bad request", error: safeBody.error }); - - return; - } - const userSchedules = await prisma.schedule.findMany({ - where: { userId }, - }); - const userSchedulesIds = userSchedules.map((schedule) => schedule.id); - // @note: here we make sure user can only make as default his own scheudles - if ( - safeBody?.data?.defaultScheduleId && - !userSchedulesIds.includes(Number(safeBody?.data?.defaultScheduleId)) - ) { - res.status(400).json({ - message: "Bad request: Invalid default schedule id", - }); - return; - } - await prisma.user - .update({ - where: { id: userId }, - data: safeBody.data, - }) - .then((data) => schemaUserReadPublic.parse(data)) - .then((user) => res.status(200).json({ user })) - .catch((error: Error) => - res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) - ); - break; - - /** - * @swagger - * /users/{id}: - * delete: - * summary: Remove an existing user - * operationId: removeUserById - * parameters: - * - in: path - * name: id - * example: 1 - * schema: - * type: integer - * required: true - * description: ID of the user to delete - * tags: - * - users - * responses: - * 201: - * description: OK, user removed successfuly - * 400: - * description: Bad request. User id is invalid. - * 401: - * description: Authorization information is missing or invalid. - */ - - case "DELETE": - await prisma.user - .delete({ where: { id: safeQuery.data.id } }) - .then(() => - res.status(200).json({ message: `User with id: ${safeQuery.data.id} deleted successfully` }) - ) - .catch((error: Error) => - res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error }) - ); - break; - - default: - res.status(405).json({ message: "Method not allowed" }); - break; - } - } -} - -export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(userById));