init

apps/api/pages/api/event-types/[id]/_patch.ts

@@ -209,15 +209,23 @@ export async function patchHandler(req: NextApiRequest) {
     hosts = [],
     bookingLimits,
     durationLimits,
-    /** FIXME: Updating event-type children from API not supported for now  */
+    children: parsedChildren,
-    children: _,
     ...parsedBody
   } = schemaEventTypeEditBodyParams.parse(body);
 
+  // validate children ownership
+
   const data: Prisma.EventTypeUpdateArgs["data"] = {
     ...parsedBody,
     bookingLimits: bookingLimits === null ? Prisma.DbNull : bookingLimits,
     durationLimits: durationLimits === null ? Prisma.DbNull : durationLimits,
+    ...(parsedChildren
+      ? {
+          children: {
+            connect: parsedChildren.map((child) => ({ id: child.id })),
+          },
+        }
+      : {}),
   };
 
   if (hosts) {

apps/api/pages/api/event-types/_post.ts

@@ -10,6 +10,7 @@ import checkParentEventOwnership from "./_utils/checkParentEventOwnership";
 import checkTeamEventEditPermission from "./_utils/checkTeamEventEditPermission";
 import checkUserMembership from "./_utils/checkUserMembership";
 import ensureOnlyMembersAsHosts from "./_utils/ensureOnlyMembersAsHosts";
+import isUserMemberOfTeam from "./_utils/isUserMemberOfTeam";
 
 /**
  * @swagger
@@ -268,17 +269,29 @@ async function postHandler(req: NextApiRequest) {
     hosts = [],
     bookingLimits,
     durationLimits,
-    /** FIXME: Adding event-type children from API not supported for now  */
+    children: parsedChildren,
-    children: _,
     ...parsedBody
   } = schemaEventTypeCreateBodyParams.parse(body || {});
 
+  // validate that these child event type owners are members of parent
+  const validatedChildren =
+    parsedBody.teamId && parsedChildren
+      ? parsedChildren.filter((child) => isUserMemberOfTeam(parsedBody.teamId, child.userId))
+      : [];
+
   let data: Prisma.EventTypeCreateArgs["data"] = {
     ...parsedBody,
     userId,
     users: { connect: { id: userId } },
     bookingLimits: bookingLimits === null ? Prisma.DbNull : bookingLimits,
     durationLimits: durationLimits === null ? Prisma.DbNull : durationLimits,
+    ...(validatedChildren
+      ? {
+          children: {
+            connect: validatedChildren.map((child) => ({ id: child.id })),
+          },
+        }
+      : {}),
   };
 
   await checkPermissions(req);

apps/api/pages/api/event-types/_utils/checkUserMembership.ts

@@ -12,6 +12,12 @@ import { HttpError } from "@calcom/lib/http-error";
  *                     or if the user isn't a member of the associated team.
  */
 export default async function checkUserMembership(parentId: number, userId?: number) {
+  if (!userId) {
+    throw new HttpError({
+      statusCode: 400,
+      message: "Invalid request.",
+    });
+  }
   const parentEventType = await prisma.eventType.findUnique({
     where: {
       id: parentId,

apps/api/pages/api/event-types/_utils/isUserMemberOfTeam.ts

@@ -0,0 +1,24 @@
+import { HttpError } from "@calcom/lib/http-error";
+
+export default async function isUserMemberOfTeam(teamId?: number | null, userId?: number) {
+  if (!teamId || !userId) {
+    throw new HttpError({
+      statusCode: 400,
+      message: "Bad request.",
+    });
+  }
+  const teamMember = await prisma.membership.findFirst({
+    where: {
+      teamId: teamId,
+      userId: userId,
+      accepted: true,
+    },
+  });
+
+  if (!teamMember) {
+    throw new HttpError({
+      statusCode: 400,
+      message: "User is not a team member.",
+    });
+  }
+}