import type { Prisma } from "@prisma/client"; import type { NextApiRequest } from "next"; import { HttpError } from "@calcom/lib/http-error"; import { defaultResponder } from "@calcom/lib/server"; import { membershipEditBodySchema, membershipIdSchema, schemaMembershipPublic, } from "@lib/validations/membership"; /** * @swagger * /memberships/{userId}_{teamId}: * patch: * summary: Edit an existing membership * parameters: * - in: path * name: userId * schema: * type: integer * required: true * description: Numeric userId of the membership to get * - in: path * name: teamId * schema: * type: integer * required: true * description: Numeric teamId of the membership to get * tags: * - memberships * responses: * 201: * description: OK, membership edited successfully * 400: * description: Bad request. Membership body is invalid. * 401: * description: Authorization information is missing or invalid. */ export async function patchHandler(req: NextApiRequest) { const { prisma, query } = req; const userId_teamId = membershipIdSchema.parse(query); const data = membershipEditBodySchema.parse(req.body); const args: Prisma.MembershipUpdateArgs = { where: { userId_teamId }, data }; await checkPermissions(req); const result = await prisma.membership.update(args); return { membership: schemaMembershipPublic.parse(result) }; } async function checkPermissions(req: NextApiRequest) { const { userId, isAdmin, prisma } = req; const { userId: queryUserId, teamId } = membershipIdSchema.parse(req.query); const data = membershipEditBodySchema.parse(req.body); // Admins can just skip this check if (isAdmin) return; // Only the invited user can accept the invite if ("accepted" in data && queryUserId !== userId) throw new HttpError({ statusCode: 403, message: "Only the invited user can accept the invite" }); // Only team OWNERS and ADMINS can modify `role` if ("role" in data) { const membership = await prisma.membership.findFirst({ where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } }, }); if (!membership) throw new HttpError({ statusCode: 403, message: "Forbidden" }); } } export default defaultResponder(patchHandler);