From ce8af8b6a5c0261d430d3a1d413df519248ffa54 Mon Sep 17 00:00:00 2001
From: Joe Au-Yeung
Date: Wed, 5 Oct 2022 15:59:34 -0400
Subject: [PATCH] Allow for admin to edit other user's event types

---
 pages/api/event-types/[id].ts | 12 +++++++++---
 pages/api/event-types/index.ts | 4 +++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/pages/api/event-types/[id].ts b/pages/api/event-types/[id].ts
index dd9ac1a4d9..bd8c823489 100644
--- a/pages/api/event-types/[id].ts
+++ b/pages/api/event-types/[id].ts
@@ -12,19 +12,24 @@ export async function eventTypeById(
   { method, query, body, userId, isAdmin, prisma }: NextApiRequest,
   res: NextApiResponse
 ) {
+  if (body.userId && !isAdmin) {
+    res.status(401).json({ message: "Unauthorized" });
+    return;
+  }
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
   if (!safeQuery.success) {
     res.status(400).json({ message: "Your query was invalid" });
     return;
   }
   const data = await prisma.user.findUnique({
-    where: { id: userId },
+    where: { id: body.userId || userId },
     rejectOnNotFound: true,
     select: { eventTypes: true },
   });
   const userEventTypes = data.eventTypes.map((eventType) => eventType.id);
-  if (!isAdmin) {
-    if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
+  if (!userEventTypes.includes(safeQuery.data.id)) {
+    res.status(401).json({ message: "Unauthorized" });
+    return;
   } else {
     switch (method) {
       /**
@@ -96,6 +101,7 @@ export async function eventTypeById(
        */
       case "PATCH":
         const safeBody = schemaEventTypeEditBodyParams.safeParse(body);
+
         if (!safeBody.success) {
           {
             res.status(400).json({ message: "Invalid request body" });
diff --git a/pages/api/event-types/index.ts b/pages/api/event-types/index.ts
index fc05909e2c..c46979385d 100644
--- a/pages/api/event-types/index.ts
+++ b/pages/api/event-types/index.ts
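Review bot: The admin-supplied `body.userId` is handed to `prisma.user.findUnique` at `where: { id: body.userId || userId }` with no validation of its type, while `query` is parsed through `schemaQueryIdParseInt` a few lines later; a non-integer value from a raw JSON body would make Prisma throw a validation error, and because the call keeps `rejectOnNotFound: true`, an id that matches no user also throws, so in both cases the admin gets an unhandled exception instead of a 400 or 404. I would parse the field with a zod schema in the same spirit as the query one, e.g. `const targetUser = schemaUserIdBody.safeParse(body.userId);` (schema name hypothetical), return 400 when it fails, and handle the not-found case explicitly rather than via `rejectOnNotFound`. Separately, when `body.userId` is present on a PATCH the same body still reaches `schemaEventTypeEditBodyParams.safeParse(body)` in the second hunk; whether that schema strips, rejects or forwards the key is not visible here and should be confirmed so an admin cannot change an event type's owner by accident. The body of `eventTypeById` continues past the end of the hunk.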
@@ -44,7 +44,9 @@ async function createOrlistAllEventTypes(
       error,
     });
   } else {
-    const data = await prisma.eventType.findMany({});
+    const data = await prisma.eventType.findMany({
+      where: { userId: isAdmin && body.userId ? body.userId : userId },
+    });
     const event_types = data.map((eventType) => schemaEventTypeReadPublic.parse(eventType));
     if (event_types) res.status(200).json({ event_types });
   }
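Review bot: `body.userId` is used unvalidated at `where: { userId: isAdmin && body.userId ? body.userId : userId }`; a non-integer value from an admin client will make Prisma throw a validation error, which surfaces as an unhandled exception rather than a 400. The two handlers in this patch also disagree on a non-admin who sends `userId`: `[id].ts` rejects the request with 401, whereas this branch silently ignores the field and returns the caller's own list, so one behaviour should be chosen and applied in both places. Since this `else` branch presumably serves the list request (a GET), taking the target user from the request body is unusual, as many clients drop GET bodies; a validated query parameter, parsed with a zod schema like `schemaQueryIdParseInt`, would be the conventional way to select another user's event types. `createOrlistAllEventTypes` starts and ends outside the hunk.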