merging main to prod fixing conflicts in users

lib/helpers/verifyApiKey.ts

@@ -4,12 +4,15 @@ import { NextMiddleware } from "next-api-middleware";
 import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys";
 import prisma from "@calcom/prisma";
 
+import { isAdminGuard } from "@lib/utils/isAdmin";
+
 /** @todo figure how to use the one from `@calcom/types`fi */
 /** @todo: remove once `@calcom/types` is updated with it.*/
 declare module "next" {
   export interface NextApiRequest extends IncomingMessage {
     userId: number;
     method: string;
+    isAdmin: boolean;
     query: { [key: string]: string | string[] };
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     session: any;
@@ -41,5 +44,8 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => {
   if (!apiKey.userId) return res.status(404).json({ error: "No user found for this apiKey" });
   /* We save the user id in the request for later use */
   req.userId = apiKey.userId;
+  /* We save the isAdmin boolean here for later use */
+  req.isAdmin = await isAdminGuard(req.userId);
+
   await next();
 };

lib/validations/booking.ts

@@ -24,7 +24,6 @@ export const schemaBookingCreateBodyParams = schemaBookingBaseBodyParams.merge(s
 
 const schemaBookingEditParams = z
   .object({
-    uid: z.string().optional(),
     title: z.string().optional(),
     startTime: z.date().optional(),
     endTime: z.date().optional(),

pages/api/attendees/[id].ts

@@ -11,7 +11,7 @@ import {
 } from "@lib/validations/shared/queryIdTransformParseInt";
 
 export async function attendeeById(
-  { method, query, body, userId }: NextApiRequest,
+  { method, query, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<AttendeeResponse>
 ) {
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
@@ -33,9 +33,11 @@ export async function attendeeById(
           .flat()
           .map((attendee) => attendee.id)
     );
-  // @note: Here we make sure to only return attendee's of the user's own bookings.
+  // @note: Here we make sure to only return attendee's of the user's own bookings if the user is not an admin.
-  if (!userBookingsAttendeeIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
+  if (!isAdmin) {
-  else {
+    if (!userBookingsAttendeeIds.includes(safeQuery.data.id))
+      res.status(401).json({ message: "Unauthorized" });
+  } else {
     switch (method) {
       /**
        * @swagger

pages/api/attendees/index.ts

@@ -1,24 +1,30 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 
-import db from "@calcom/prisma";
+import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import { AttendeeResponse, AttendeesResponse } from "@lib/types";
 import { schemaAttendeeCreateBodyParams, schemaAttendeeReadPublic } from "@lib/validations/attendee";
 
 async function createOrlistAllAttendees(
-  { method, userId, body }: NextApiRequest,
+  { method, userId, body, isAdmin }: NextApiRequest,
   res: NextApiResponse<AttendeesResponse | AttendeeResponse>
 ) {
-  const userBookings = await db.booking.findMany({
+  let attendees;
-    where: {
+  if (!isAdmin) {
-      userId,
+    const userBookings = await prisma.booking.findMany({
-    },
+      where: {
-    include: {
+        userId,
-      attendees: true,
+      },
-    },
+      include: {
-  });
+        attendees: true,
-  const attendees = userBookings.map((booking) => booking.attendees).flat();
+      },
+    });
+    attendees = userBookings.map((booking) => booking.attendees).flat();
+  } else {
+    const data = await prisma.attendee.findMany();
+    attendees = data.map((attendee) => schemaAttendeeReadPublic.parse(attendee));
+  }
   if (method === "GET") {
     /**
      * @swagger
@@ -37,12 +43,7 @@ async function createOrlistAllAttendees(
      *         description: No attendees were found
      */
     if (attendees) res.status(200).json({ attendees });
-    else
+    else (error: Error) => res.status(400).json({ error });
-      (error: Error) =>
-        res.status(404).json({
-          message: "No Attendees were found",
-          error,
-        });
   } else if (method === "POST") {
     /**
      * @swagger
@@ -90,16 +91,40 @@ async function createOrlistAllAttendees(
       res.status(400).json({ message: "Invalid request body", error: safePost.error });
       return;
     }
-    const userWithBookings = await db.user.findUnique({ where: { id: userId }, include: { bookings: true } });
+    if (!isAdmin) {
-    if (!userWithBookings) {
+      const userWithBookings = await prisma.user.findUnique({
-      res.status(404).json({ message: "User not found" });
+        where: { id: userId },
-      return;
+        include: { bookings: true },
-    }
+      });
-    const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
+      if (!userWithBookings) {
-    // Here we make sure to only return attendee's of the user's own bookings.
+        res.status(404).json({ message: "User not found" });
-    if (!userBookingIds.includes(safePost.data.bookingId)) res.status(401).json({ message: "Unauthorized" });
+        return;
-    else {
+      }
-      const data = await db.attendee.create({
+      const userBookingIds = userWithBookings.bookings.map((booking: { id: number }) => booking.id).flat();
+      // Here we make sure to only return attendee's of the user's own bookings.
+      if (!userBookingIds.includes(safePost.data.bookingId))
+        res.status(401).json({ message: "Unauthorized" });
+      else {
+        const data = await prisma.attendee.create({
+          data: {
+            email: safePost.data.email,
+            name: safePost.data.name,
+            timeZone: safePost.data.timeZone,
+            booking: { connect: { id: safePost.data.bookingId } },
+          },
+        });
+        const attendee = schemaAttendeeReadPublic.parse(data);
+
+        if (attendee) {
+          res.status(201).json({
+            attendee,
+            message: "Attendee created successfully",
+          });
+        } else (error: Error) => res.status(400).json({ error });
+      }
+    } else {
+      // @todo: check real availability times before booking
+      const data = await prisma.attendee.create({
         data: {
           email: safePost.data.email,
           name: safePost.data.name,

pages/api/bookings/index.ts

@@ -12,7 +12,7 @@ import { schemaBookingCreateBodyParams, schemaBookingReadPublic } from "@lib/val
 import { schemaEventTypeReadPublic } from "@lib/validations/event-type";
 
 async function createOrlistAllBookings(
-  { method, body, userId }: NextApiRequest,
+  { method, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<BookingsResponse | BookingResponse>
 ) {
   console.log("userIduserId", userId);

pages/api/event-types/[id].ts

@@ -4,7 +4,6 @@ import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import type { EventTypeResponse } from "@lib/types";
-import { isAdminGuard } from "@lib/utils/isAdmin";
 import { schemaEventTypeEditBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type";
 import {
   schemaQueryIdParseInt,
@@ -12,10 +11,9 @@ import {
 } from "@lib/validations/shared/queryIdTransformParseInt";
 
 export async function eventTypeById(
-  { method, query, body, userId }: NextApiRequest,
+  { method, query, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<EventTypeResponse>
 ) {
-  const isAdmin = await isAdminGuard(userId);
   const safeQuery = schemaQueryIdParseInt.safeParse(query);
   if (!safeQuery.success) {
     res.status(400).json({ message: "Your query was invalid" });

pages/api/event-types/index.ts

@@ -4,14 +4,12 @@ import prisma from "@calcom/prisma";
 
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import { EventTypeResponse, EventTypesResponse } from "@lib/types";
-import { isAdminGuard } from "@lib/utils/isAdmin";
 import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "@lib/validations/event-type";
 
 async function createOrlistAllEventTypes(
-  { method, body, userId }: NextApiRequest,
+  { method, body, userId, isAdmin }: NextApiRequest,
   res: NextApiResponse<EventTypesResponse | EventTypeResponse>
 ) {
-  const isAdmin = await isAdminGuard(userId);
   if (method === "GET") {
     /**
      * @swagger

pages/api/users/[id].ts

@@ -0,0 +1,184 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+
+import prisma from "@calcom/prisma";
+
+import { withMiddleware } from "@lib/helpers/withMiddleware";
+import type { UserResponse } from "@lib/types";
+import {
+  schemaQueryIdParseInt,
+  withValidQueryIdTransformParseInt,
+} from "@lib/validations/shared/queryIdTransformParseInt";
+import { schemaUserEditBodyParams, schemaUserReadPublic } from "@lib/validations/user";
+
+export async function userById(
+  { method, query, body, userId, isAdmin }: NextApiRequest,
+  res: NextApiResponse<UserResponse>
+) {
+  const safeQuery = schemaQueryIdParseInt.safeParse(query);
+  console.log(body);
+  if (!safeQuery.success) {
+    res.status(400).json({ message: "Your query was invalid" });
+    return;
+  }
+  // Here we only check for ownership of the user if the user is not admin, otherwise we let ADMIN's edit any user
+  if (!isAdmin) {
+    if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" });
+  } else {
+    switch (method) {
+      case "GET":
+        /**
+         * @swagger
+         * /users/{id}:
+         *   get:
+         *     summary: Find a user, returns your user if regular user.
+         *     operationId: getUserById
+         *     parameters:
+         *       - in: path
+         *         name: id
+         *         example: 4
+         *         schema:
+         *           type: integer
+         *         required: true
+         *         description: ID of the user to get
+         *     tags:
+         *     - users
+         *     responses:
+         *       200:
+         *         description: OK
+         *       401:
+         *        description: Authorization information is missing or invalid.
+         *       404:
+         *         description: User was not found
+         */
+
+        await prisma.user
+          .findUnique({ where: { id: safeQuery.data.id } })
+          .then((data) => schemaUserReadPublic.parse(data))
+          .then((user) => res.status(200).json({ user }))
+          .catch((error: Error) =>
+            res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
+          );
+        break;
+      case "PATCH":
+        /**
+         * @swagger
+         * /users/{id}:
+         *   patch:
+         *     summary: Edit an existing user
+         *     operationId: editUserById
+         *     requestBody:
+         *       description: Edit an existing attendee related to one of your bookings
+         *       required: true
+         *       content:
+         *         application/json:
+         *           schema:
+         *             type: object
+         *             properties:
+         *               weekStart:
+         *                 type: string
+         *                 enum: [Monday, Sunday, Saturday]
+         *                 example: Monday
+         *               brandColor:
+         *                 type: string
+         *                 example: "#FF000F"
+         *               darkBrandColor:
+         *                 type: string
+         *                 example: "#000000"
+         *               timeZone:
+         *                 type: string
+         *                 example: Europe/London
+         *     parameters:
+         *      - in: path
+         *        name: id
+         *        example: 4
+         *        schema:
+         *          type: integer
+         *        required: true
+         *        description: ID of the user to edit
+         *     tags:
+         *     - users
+         *     responses:
+         *       201:
+         *         description: OK, user edited successfuly
+         *       400:
+         *        description: Bad request. User body is invalid.
+         *       401:
+         *        description: Authorization information is missing or invalid.
+         */
+
+        const safeBody = schemaUserEditBodyParams.safeParse(body);
+        if (!safeBody.success) {
+          res.status(400).json({ message: "Bad request", error: safeBody.error });
+
+          return;
+        }
+        const userSchedules = await prisma.schedule.findMany({
+          where: { userId },
+        });
+        const userSchedulesIds = userSchedules.map((schedule) => schedule.id);
+        // @note: here we make sure user can only make as default his own scheudles
+        if (
+          safeBody?.data?.defaultScheduleId &&
+          !userSchedulesIds.includes(Number(safeBody?.data?.defaultScheduleId))
+        ) {
+          res.status(400).json({
+            message: "Bad request: Invalid default schedule id",
+          });
+          return;
+        }
+        await prisma.user
+          .update({
+            where: { id: userId },
+            data: safeBody.data,
+          })
+          .then((data) => schemaUserReadPublic.parse(data))
+          .then((user) => res.status(200).json({ user }))
+          .catch((error: Error) =>
+            res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
+          );
+        break;
+
+      /**
+       * @swagger
+       * /users/{id}:
+       *   delete:
+       *     summary: Remove an existing user
+       *     operationId: removeUserById
+       *     parameters:
+       *      - in: path
+       *        name: id
+       *        example: 1
+       *        schema:
+       *          type: integer
+       *        required: true
+       *        description: ID of the user to delete
+       *     tags:
+       *     - users
+       *     responses:
+       *       201:
+       *         description: OK, user removed successfuly
+       *       400:
+       *        description: Bad request. User id is invalid.
+       *       401:
+       *        description: Authorization information is missing or invalid.
+       */
+
+      case "DELETE":
+        await prisma.user
+          .delete({ where: { id: safeQuery.data.id } })
+          .then(() =>
+            res.status(200).json({ message: `User with id: ${safeQuery.data.id} deleted successfully` })
+          )
+          .catch((error: Error) =>
+            res.status(404).json({ message: `User with id: ${safeQuery.data.id} not found`, error })
+          );
+        break;
+
+      default:
+        res.status(405).json({ message: "Method not allowed" });
+        break;
+    }
+  }
+}
+
+export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(userById));