76 lines
2.4 KiB
TypeScript
76 lines
2.4 KiB
TypeScript
import type { Prisma } from "@prisma/client";
|
|
import type { NextApiRequest } from "next";
|
|
|
|
import { HttpError } from "@calcom/lib/http-error";
|
|
import { defaultResponder } from "@calcom/lib/server";
|
|
|
|
import {
|
|
membershipEditBodySchema,
|
|
membershipIdSchema,
|
|
schemaMembershipPublic,
|
|
} from "~/lib/validations/membership";
|
|
|
|
/**
|
|
* @swagger
|
|
* /memberships/{userId}_{teamId}:
|
|
* patch:
|
|
* summary: Edit an existing membership
|
|
* parameters:
|
|
* - in: path
|
|
* name: userId
|
|
* schema:
|
|
* type: integer
|
|
* required: true
|
|
* description: Numeric userId of the membership to get
|
|
* - in: path
|
|
* name: teamId
|
|
* schema:
|
|
* type: integer
|
|
* required: true
|
|
* description: Numeric teamId of the membership to get
|
|
* tags:
|
|
* - memberships
|
|
* responses:
|
|
* 201:
|
|
* description: OK, membership edited successfully
|
|
* 400:
|
|
* description: Bad request. Membership body is invalid.
|
|
* 401:
|
|
* description: Authorization information is missing or invalid.
|
|
*/
|
|
export async function patchHandler(req: NextApiRequest) {
|
|
const { prisma, query } = req;
|
|
const userId_teamId = membershipIdSchema.parse(query);
|
|
const data = membershipEditBodySchema.parse(req.body);
|
|
const args: Prisma.MembershipUpdateArgs = { where: { userId_teamId }, data };
|
|
|
|
await checkPermissions(req);
|
|
|
|
const result = await prisma.membership.update(args);
|
|
return { membership: schemaMembershipPublic.parse(result) };
|
|
}
|
|
|
|
async function checkPermissions(req: NextApiRequest) {
|
|
const { userId, isAdmin, prisma } = req;
|
|
const { userId: queryUserId, teamId } = membershipIdSchema.parse(req.query);
|
|
const data = membershipEditBodySchema.parse(req.body);
|
|
// Admins can just skip this check
|
|
if (isAdmin) return;
|
|
// Only the invited user can accept the invite
|
|
if ("accepted" in data && queryUserId !== userId)
|
|
throw new HttpError({
|
|
statusCode: 403,
|
|
message: "Only the invited user can accept the invite",
|
|
});
|
|
// Only team OWNERS and ADMINS can modify `role`
|
|
if ("role" in data) {
|
|
const membership = await prisma.membership.findFirst({
|
|
where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } },
|
|
});
|
|
if (!membership || (membership.role !== "OWNER" && req.body.role === "OWNER"))
|
|
throw new HttpError({ statusCode: 403, message: "Forbidden" });
|
|
}
|
|
}
|
|
|
|
export default defaultResponder(patchHandler);
|