This PR addresses definition errors currently residing within our
swagger doc.
~DISCLAIMER: There is still an error for our DELETE booking call, as
open API standard doesn't expect the DELETE call to contain a request
body, but we are requiring it in the way it currently works. Perhaps we
should move those to Query Parameters instead. Thoughts @zomars @emrysal
?~
It was taken care of by @leog and the docs are now updated as per the
endpoint
<img width="247" alt="image"
src="https://user-images.githubusercontent.com/52925846/217799706-21b7c21d-696b-4e20-a682-c8a949694b61.png">
<img width="629" alt="image"
src="https://user-images.githubusercontent.com/52925846/217799842-c903c23a-0b0d-4208-a3e9-01a682eeff97.png">
---------
Co-authored-by: Leo Giovanetti <hello@leog.me>
Co-authored-by: Omar López <zomars@me.com>
Fixes - 2,3,4 security vulnerabilities reported in this message.
https://calendso.slack.com/archives/C03127U5S5Q/p1671922033089329
More Fixes
- Dont't allow a user to add a random attendee to a booking not owned by
him
- Don't allow a user to add a random cal user as an organizer of the
booking.
- Membership deletion should be as per the Privileges of
Owner,Admin,Member
Currently, anybody can create an event type for any team. With this PR
we only allow team ADMIN and OWNER to create event types for the team.
Co-authored-by: CarinaWolli <wollencarina@gmail.com>
Throw an error if a user of a team with ADMIN permission tries to change
permission to OWNER (Bug#3)
Co-authored-by: CarinaWolli <wollencarina@gmail.com>
This allow us to manage our API keys directly from the API itself.
User can:
- Create own API keys
- Edit own API keys (only the note field for now)
- Delete own API keys
- Get own API keys
Admin can:
- CRUD for any user
- Get all API keys
## What does the PR do?
- Team billing via API
Just like the web project, we validate that team has stripe metadata
before converting requestedSlug to slug.
Co-authored-by: zomars <zomars@me.com>