54 lines
1.7 KiB
TypeScript
54 lines
1.7 KiB
TypeScript
import type { Prisma } from "@prisma/client";
|
|
import type { NextApiRequest } from "next";
|
|
|
|
import { HttpError } from "@calcom/lib/http-error";
|
|
import { defaultResponder } from "@calcom/lib/server";
|
|
|
|
import { membershipCreateBodySchema, schemaMembershipPublic } from "~/lib/validations/membership";
|
|
|
|
/**
|
|
* @swagger
|
|
* /memberships:
|
|
* post:
|
|
* summary: Creates a new membership
|
|
* tags:
|
|
* - memberships
|
|
* responses:
|
|
* 201:
|
|
* description: OK, membership created
|
|
* 400:
|
|
* description: Bad request. Membership body is invalid.
|
|
* 401:
|
|
* description: Authorization information is missing or invalid.
|
|
*/
|
|
async function postHandler(req: NextApiRequest) {
|
|
const { prisma } = req;
|
|
const data = membershipCreateBodySchema.parse(req.body);
|
|
const args: Prisma.MembershipCreateArgs = { data };
|
|
|
|
await checkPermissions(req);
|
|
|
|
const result = await prisma.membership.create(args);
|
|
|
|
return {
|
|
membership: schemaMembershipPublic.parse(result),
|
|
message: "Membership created successfully",
|
|
};
|
|
}
|
|
|
|
async function checkPermissions(req: NextApiRequest) {
|
|
const { userId, isAdmin, prisma } = req;
|
|
if (isAdmin) return;
|
|
const body = membershipCreateBodySchema.parse(req.body);
|
|
// To prevent auto-accepted invites, limit it to ADMIN users
|
|
if (!isAdmin && "accepted" in body)
|
|
throw new HttpError({ statusCode: 403, message: "ADMIN needed for `accepted`" });
|
|
// Only team OWNERS and ADMINS can add other members
|
|
const membership = await prisma.membership.findFirst({
|
|
where: { userId, teamId: body.teamId, role: { in: ["ADMIN", "OWNER"] } },
|
|
});
|
|
if (!membership) throw new HttpError({ statusCode: 403, message: "You can't add members to this team" });
|
|
}
|
|
|
|
export default defaultResponder(postHandler);
|