From cd03f5a821e4271df3291b4f1603d1574de9f269 Mon Sep 17 00:00:00 2001
From: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com>
Date: Wed, 8 Jun 2022 13:06:28 +0530
Subject: [PATCH 1/2] Adds team event type check
---
 pages/api/hooks/[id].ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pages/api/hooks/[id].ts b/pages/api/hooks/[id].ts
index 32a81e7b12..3a14efa592 100644
--- a/pages/api/hooks/[id].ts
+++ b/pages/api/hooks/[id].ts
@@ -95,6 +95,27 @@ export async function WebhookById(
 return;
 }
 }
+ if (safeBody.data.eventTypeId) {
+ const team = await ctx.prisma.team.findFirst({
+ where: {
+ eventTypes: {
+ some: {
+ id: safeBody.data.eventTypeId,
+ },
+ },
+ },
+ include: {
+ members: true,
+ },
+ });
+
+ // Team should be available and the user should be a member of the team
+ if (!team?.members.some((membership) => membership.userId === userId)) {
+ throw new TRPCError({
+ code: "UNAUTHORIZED",
+ });
+ }
+ }
 await prisma.webhook
 .update({ where: { id: safeQuery.data.id }, data: safeBody.data })
 .then((data) => schemaWebhookReadPublic.parse(data))
From bae84f2ce4e7daa9fcc3c8984a18997946cdab20 Mon Sep 17 00:00:00 2001
From: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com>
Date: Wed, 8 Jun 2022 13:12:05 +0530
Subject: [PATCH 2/2] Added team event check to POST
---
 pages/api/hooks/index.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pages/api/hooks/index.ts b/pages/api/hooks/index.ts
index 422a30e419..e92a681080 100644
--- a/pages/api/hooks/index.ts
+++ b/pages/api/hooks/index.ts
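Review bot: The check added to `WebhookById` in `pages/api/hooks/[id].ts` queries through `ctx.prisma` and denies with `throw new TRPCError({ code: "UNAUTHORIZED" })`, which does not match this REST handler: its context lines use the bare `prisma` client and the hunk shows neither `ctx` nor `TRPCError` in scope. Even if both resolve, an exception thrown here presumably surfaces as a generic server error rather than a clean denial, so the authorization failure path is the least predictable part of the handler. Query with `prisma.team.findFirst(...)` and reply with `res.status(403).json({ message: "Forbidden" }); return;` — 403 rather than 401 because the caller is already identified by `userId`. The same 21 lines are pasted into `createOrlistAllWebhooks` in `pages/api/hooks/index.ts`, so one shared helper would keep the two checks from drifting apart. The body of WebhookById starts and ends outside the hunk.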
@@ -61,6 +61,27 @@ async function createOrlistAllWebhooks(
 res.status(400).json({ message: "Invalid request body" });
 return;
 }
+ if (safe.data.eventTypeId) {
+ const team = await ctx.prisma.team.findFirst({
+ where: {
+ eventTypes: {
+ some: {
+ id: safe.data.eventTypeId,
+ },
+ },
+ },
+ include: {
+ members: true,
+ },
+ });
+
+ // Team should be available and the user should be a member of the team
+ if (!team?.members.some((membership) => membership.userId === userId)) {
+ throw new TRPCError({
+ code: "UNAUTHORIZED",
+ });
+ }
+ }
 const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } });
 if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" });
 else
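Review bot: The authorization predicate in this hunk (copied in the `pages/api/hooks/[id].ts` hunk) accepts any membership row and rejects every event type that has no team. `findFirst` returns null when `eventTypeId` belongs to no team, so `!team?.members.some(...)` is true and the request is refused even if the event type is the caller's own; if webhooks on personal event types are meant to work, that case needs its own ownership check. `include: { members: true }` also loads every membership to test one, and if a membership can be pending or limited in role, the filter should require the accepted state as well. Moving the condition into the `where` clause, as sketched below against the `prisma` client this hunk's context lines use, keeps the decision in the query. The body of createOrlistAllWebhooks starts and ends outside the hunk.

```typescript
// … unchanged: request body validation …
if (safe.data.eventTypeId) {
  const team = await prisma.team.findFirst({
    where: {
      eventTypes: { some: { id: safe.data.eventTypeId } },
      // Only a team the caller belongs to can match.
      members: { some: { userId } },
    },
  });
  if (!team) {
    res.status(403).json({ message: "Forbidden" });
    return;
  }
}
// … unchanged: prisma.webhook.create call …
```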