cal.pub0.org/pages/api/memberships/[id]/_patch.ts

76 lines
2.4 KiB
TypeScript

import type { Prisma } from "@prisma/client";
import type { NextApiRequest } from "next";
import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";
import {
membershipEditBodySchema,
membershipIdSchema,
schemaMembershipPublic,
} from "~/lib/validations/membership";
/**
* @swagger
* /memberships/{userId}_{teamId}:
* patch:
* summary: Edit an existing membership
* parameters:
* - in: path
* name: userId
* schema:
* type: integer
* required: true
* description: Numeric userId of the membership to get
* - in: path
* name: teamId
* schema:
* type: integer
* required: true
* description: Numeric teamId of the membership to get
* tags:
* - memberships
* responses:
* 201:
* description: OK, membership edited successfully
* 400:
* description: Bad request. Membership body is invalid.
* 401:
* description: Authorization information is missing or invalid.
*/
export async function patchHandler(req: NextApiRequest) {
const { prisma, query } = req;
const userId_teamId = membershipIdSchema.parse(query);
const data = membershipEditBodySchema.parse(req.body);
const args: Prisma.MembershipUpdateArgs = { where: { userId_teamId }, data };
await checkPermissions(req);
const result = await prisma.membership.update(args);
return { membership: schemaMembershipPublic.parse(result) };
}
async function checkPermissions(req: NextApiRequest) {
const { userId, isAdmin, prisma } = req;
const { userId: queryUserId, teamId } = membershipIdSchema.parse(req.query);
const data = membershipEditBodySchema.parse(req.body);
// Admins can just skip this check
if (isAdmin) return;
// Only the invited user can accept the invite
if ("accepted" in data && queryUserId !== userId)
throw new HttpError({
statusCode: 403,
message: "Only the invited user can accept the invite",
});
// Only team OWNERS and ADMINS can modify `role`
if ("role" in data) {
const membership = await prisma.membership.findFirst({
where: { userId, teamId, role: { in: ["ADMIN", "OWNER"] } },
});
if (!membership || (membership.role !== "OWNER" && req.body.role === "OWNER"))
throw new HttpError({ statusCode: 403, message: "Forbidden" });
}
}
export default defaultResponder(patchHandler);