Merge pull request #109 from calcom/fix/webhook-eventtype-assoc-security
Webhook event type association security
pull/9078/head
commit
cabafbdd77
|
@ -95,6 +95,27 @@ export async function WebhookById(
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (safeBody.data.eventTypeId) {
|
||||||
|
const team = await ctx.prisma.team.findFirst({
|
||||||
|
where: {
|
||||||
|
eventTypes: {
|
||||||
|
some: {
|
||||||
|
id: safeBody.data.eventTypeId,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
members: true,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
// Team should be available and the user should be a member of the team
|
||||||
|
if (!team?.members.some((membership) => membership.userId === userId)) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "UNAUTHORIZED",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
await prisma.webhook
|
await prisma.webhook
|
||||||
.update({ where: { id: safeQuery.data.id }, data: safeBody.data })
|
.update({ where: { id: safeQuery.data.id }, data: safeBody.data })
|
||||||
.then((data) => schemaWebhookReadPublic.parse(data))
|
.then((data) => schemaWebhookReadPublic.parse(data))
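Review bot: The added check relies on `ctx.prisma` and `TRPCError`, neither of which matches the rest of this handler: the context lines use a bare `prisma` (`await prisma.webhook`), and the sibling hunk in `createOrlistAllWebhooks` reports errors with `res.status(400).json(...)`. Unless `ctx` and something that maps tRPC errors to HTTP responses are in scope outside the hunk, a rejected request would surface as an unhandled exception (a 500, or a ReferenceError on `ctx`) instead of a clean authorization failure. I would use the handler's own client and response style, e.g. `const team = await prisma.team.findFirst({ ... })` and `res.status(403).json({ message: "Forbidden" }); return;`. The body of `WebhookById` starts and ends outside the hunk, so this is hedged on what is declared there; the same point applies to the hunk in `createOrlistAllWebhooks`.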
|
||||||
|
|
|
@ -61,6 +61,27 @@ async function createOrlistAllWebhooks(
|
||||||
res.status(400).json({ message: "Invalid request body" });
|
res.status(400).json({ message: "Invalid request body" });
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (safe.data.eventTypeId) {
|
||||||
|
const team = await ctx.prisma.team.findFirst({
|
||||||
|
where: {
|
||||||
|
eventTypes: {
|
||||||
|
some: {
|
||||||
|
id: safe.data.eventTypeId,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
members: true,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
// Team should be available and the user should be a member of the team
|
||||||
|
if (!team?.members.some((membership) => membership.userId === userId)) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "UNAUTHORIZED",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } });
|
const data = await prisma.webhook.create({ data: { id: uuidv4(), ...safe.data, userId } });
|
||||||
if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" });
|
if (data) res.status(201).json({ webhook: data, message: "Webhook created successfully" });
|
||||||
else
|
else
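Review bot: The membership test `team?.members.some((membership) => membership.userId === userId)` accepts any membership row. If the membership model distinguishes pending invitations or roles (not visible here), an invited-but-not-accepted or lowest-privilege member would still be allowed to attach a webhook to the team's event type. It also fails closed when the event type has no team: `findFirst` returns null and the owner of a personal event type is rejected, which may or may not be intended. Putting the membership condition in the query makes the rule explicit and avoids loading every member through `include: { members: true }`: `where: { eventTypes: { some: { id: safe.data.eventTypeId } }, members: { some: { userId } } }`, with any role or acceptance condition added inside `members.some`. The same check appears in the `WebhookById` hunk, and the enclosing function continues outside this hunk.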
|
||||||
|
|