public-offering
/
cal.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

merging main to prod fixing conflicts in users

pull/9078/head
Agusti Fernandez Pardo 2022-06-15 22:59:26 +02:00
parent d8d0d42374
commit dd94df8c97
8 changed files with 251 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/helpers/verifyApiKey.ts
View File

@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware";
import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys";
import prisma from "@calcom/prisma";
import { isAdminGuard } from "@lib/utils/isAdmin";
/** @todo figure how to use the one from `@calcom/types`fi */
/** @todo: remove once `@calcom/types` is updated with it.*/
declare module "next" {
export interface NextApiRequest extends IncomingMessage {
userId: number;
method: string;
isAdmin: boolean;
query: { [key: string]: string | string[] };
// eslint-disable-next-line @typescript-eslint/no-explicit-any
session: any;
@ -41,5 +44,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => {
if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" });
/* We save the user id in the request for later use */
req.userId = apiKey.userId;
/* We save the isAdmin boolean here for later use */
req.isAdmin = await isAdminGuard(req.userId);
await next();
};

1
lib/validations/booking.ts
View File

@ -24,7 +24,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s
const schemaBookingEditParams = z
.object({
uid: z.string().optional(),
title: z.string().optional(),
startTime: z.date().optional(),
endTime: z.date().optional(),

10
pages/api/attendees/[id].ts
View File

@ -11,7 +11,7 @@ import {
} from "@lib/validations/shared/queryIdTransformParseInt";
export async function attendeeById(
{ method, query, body, userId }: NextApiRequest,
{ method, query, body, userId, isAdmin }: NextApiRequest,
res: NextApiResponse<AttendeeResponse>
) {
const safeQuery = schemaQueryIdParseInt.safeParse(query);
@ -33,9 +33,11 @@ export async function attendeeById(
.flat()
.map((attendee) => attendee.id)
);
// @note: Here we make sure to only return attendee's of the user's own bookings.
if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
// @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin.
if (!isAdmin) {
if (!userBookingsAttendeeIds.includes(safeQuery.data.id))
res.status(401).json({ message: "Unauthorized" });
} else {
switch (method) {
/**
* @swagger

79
pages/api/attendees/index.ts
View File

@ -1,24 +1,30 @@
import type { NextApiRequest, NextApiResponse } from "next";
import db from "@calcom/prisma";
import prisma from "@calcom/prisma";
import { withMiddleware } from "@lib/helpers/withMiddleware";
import { AttendeeResponse, AttendeesResponse } from "@lib/types";
import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee";
async function createOrlistAllAttendees(
{ method, userId, body }: NextApiRequest,
{ method, userId, body, isAdmin }: NextApiRequest,
res: NextApiResponse<AttendeesResponse | AttendeeResponse>
) {
const userBookings = await db.booking.findMany({
where: {
userId,
},
include: {
attendees: true,
},
});
const attendees = userBookings.map((booking) => booking.attendees).flat();
let attendees;
if (!isAdmin) {
const userBookings = await prisma.booking.findMany({
where: {
userId,
},
include: {
attendees: true,
},
});
attendees = userBookings.map((booking) => booking.attendees).flat();
} else {
const data = await prisma.attendee.findMany();
attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee));
}
if (method === "GET") {
/**
* @swagger
@ -37,12 +43,7 @@ async function createOrlistAllAttendees(
* description: No attendees were found
*/
if (attendees) res.status(200).json({ attendees });
else
(error: Error) =>
res.status(404).json({
message: "No Attendees were found",
error,
});
else (error: Error) => res.status(400).json({ error });
} else if (method === "POST") {
/**
* @swagger
@ -90,16 +91,40 @@ async function createOrlistAllAttendees(
res.status(400).json({ message: "Invalid request body", error: safePost.error });
return;
}
const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } });
if (!userWithBookings) {
res.status(404).json({ message: "User not found" });
return;
}
const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
// Here we make sure to only return attendee's of the user's own bookings.
if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" });
else {
const data = await db.attendee.create({
if (!isAdmin) {
const userWithBookings = await prisma.user.findUnique({
where: { id: userId },
include: { bookings: true },
});
if (!userWithBookings) {
res.status(404).json({ message: "User not found" });
return;
}
const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
// Here we make sure to only return attendee's of the user's own bookings.
if (!userBookingIds.includes(safePost.data.bookingId))
res.status(401).json({ message: "Unauthorized" });
else {
const data = await prisma.attendee.create({
data: {
email: safePost.data.email,
name: safePost.data.name,
timeZone: safePost.data.timeZone,
booking: { connect: { id: safePost.data.bookingId } },
},
});
const attendee = schemaAttendeeReadPublic.parse(data);
if (attendee) {
res.status(201).json({
attendee,
message: "Attendee created successfully",
});
} else (error: Error) => res.status(400).json({ error });
}
} else {
// @todo: check real availability times before booking
const data = await prisma.attendee.create({
data: {
email: safePost.data.email,
name: safePost.data.name,

2
pages/api/bookings/index.ts
View File

@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val
import { schemaEventTypeReadPublic } from "@lib/validations/event-type";
async function createOrlistAllBookings(
{ method, body, userId }: NextApiRequest,
{ method, body, userId, isAdmin }: NextApiRequest,
res: NextApiResponse<BookingsResponse | BookingResponse>
) {
console.log("userIduserId", userId);

4
pages/api/event-types/[id].ts
View File

@ -4,7 +4,6 @@ import prisma from "@calcom/prisma";
import { withMiddleware } from "@lib/helpers/withMiddleware";
import type { EventTypeResponse } from "@lib/types";
import { isAdminGuard } from "@lib/utils/isAdmin";
import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type";
import {
schemaQueryIdParseInt,
@ -12,10 +11,9 @@ import {
} from "@lib/validations/shared/queryIdTransformParseInt";
export async function eventTypeById(
{ method, query, body, userId }: NextApiRequest,
{ method, query, body, userId, isAdmin }: NextApiRequest,
res: NextApiResponse<EventTypeResponse>
) {
const isAdmin = await isAdminGuard(userId);
const safeQuery = schemaQueryIdParseInt.safeParse(query);
if (!safeQuery.success) {
res.status(400).json({ message: "Your query was invalid" });

4
pages/api/event-types/index.ts
View File

@ -4,14 +4,12 @@ import prisma from "@calcom/prisma";
import { withMiddleware } from "@lib/helpers/withMiddleware";
import { EventTypeResponse, EventTypesResponse } from "@lib/types";
import { isAdminGuard } from "@lib/utils/isAdmin";
import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type";
async function createOrlistAllEventTypes(
{ method, body, userId }: NextApiRequest,
{ method, body, userId, isAdmin }: NextApiRequest,
res: NextApiResponse<EventTypesResponse | EventTypeResponse>
) {
const isAdmin = await isAdminGuard(userId);
if (method === "GET") {
/**
* @swagger

184
pages/api/users/[id].ts Normal file
View File

@ -0,0 +1,184 @@
import type { NextApiRequest, NextApiResponse } from "next";
import prisma from "@calcom/prisma";
import { withMiddleware } from "@lib/helpers/withMiddleware";
import type { UserResponse } from "@lib/types";
import {
schemaQueryIdParseInt,
withValidQueryIdTransformParseInt,
} from "@lib/validations/shared/queryIdTransformParseInt";
import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user";
export async function userById(
{ method, query, body, userId, isAdmin }: NextApiRequest,
res: NextApiResponse<UserResponse>
) {
const safeQuery = schemaQueryIdParseInt.safeParse(query);
console.log(body);
if (!safeQuery.success) {
res.status(400).json({ message: "Your query was invalid" });
return;
}
// Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user
if (!isAdmin) {
if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" });
} else {
switch (method) {
case "GET":
/**
* @swagger
* /users/{id}:
* get:
* summary: Find a user, returns your user if regular user.
* operationId: getUserById
* parameters:
* - in: path
* name: id
* example: 4
* schema:
* type: integer
* required: true
* description: ID of the user to get
* tags:
* - users
* responses:
* 200:
* description: OK
* 401:
* description: Authorization information is missing or invalid.
* 404:
* description: User was not found
*/
await prisma.user
.findUnique({ where: { id: safeQuery.data.id } })
.then((data) => schemaUserReadPublic.parse(data))
.then((user) => res.status(200).json({ user }))
.catch((error: Error) =>
res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
);
break;
case "PATCH":
/**
* @swagger
* /users/{id}:
* patch:
* summary: Edit an existing user
* operationId: editUserById
* requestBody:
* description: Edit an existing attendee related to one of your bookings
* required: true
* content:
* application/json:
* schema:
* type: object
* properties:
* weekStart:
* type: string
* enum: [Monday, Sunday, Saturday]
* example: Monday
* brandColor:
* type: string
* example: "#FF000F"
* darkBrandColor:
* type: string
* example: "#000000"
* timeZone:
* type: string
* example: Europe/London
* parameters:
* - in: path
* name: id
* example: 4
* schema:
* type: integer
* required: true
* description: ID of the user to edit
* tags:
* - users
* responses:
* 201:
* description: OK, user edited successfuly
* 400:
* description: Bad request. User body is invalid.
* 401:
* description: Authorization information is missing or invalid.
*/
const safeBody = schemaUserEditBodyParams.safeParse(body);
if (!safeBody.success) {
res.status(400).json({ message: "Bad request", error: safeBody.error });
return;
}
const userSchedules = await prisma.schedule.findMany({
where: { userId },
});
const userSchedulesIds = userSchedules.map((schedule) => schedule.id);
// @note: here we make sure user can only make as default his own scheudles
if (
safeBody?.data?.defaultScheduleId &&
!userSchedulesIds.includes(Number(safeBody?.data?.defaultScheduleId))
) {
res.status(400).json({
message: "Bad request: Invalid default schedule id",
});
return;
}
await prisma.user
.update({
where: { id: userId },
data: safeBody.data,
})
.then((data) => schemaUserReadPublic.parse(data))
.then((user) => res.status(200).json({ user }))
.catch((error: Error) =>
res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
);
break;
/**
* @swagger
* /users/{id}:
* delete:
* summary: Remove an existing user
* operationId: removeUserById
* parameters:
* - in: path
* name: id
* example: 1
* schema:
* type: integer
* required: true
* description: ID of the user to delete
* tags:
* - users
* responses:
* 201:
* description: OK, user removed successfuly
* 400:
* description: Bad request. User id is invalid.
* 401:
* description: Authorization information is missing or invalid.
*/
case "DELETE":
await prisma.user
.delete({ where: { id: safeQuery.data.id } })
.then(() =>
res.status(200).json({ message: `User with id: ${safeQuery.data.id} deleted successfully` })
)
.catch((error: Error) =>
res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
);
break;
default:
res.status(405).json({ message: "Method not allowed" });
break;
}
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(userById));