fix: Adds mandatory credentiaId in Destination Calendar API endpoint POST (#11880)

apps/api/lib/validations/destination-calendar.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { _DestinationCalendarModel as DestinationCalendar } from "@calcom/prisma/zod";
 
 export const schemaDestinationCalendarBaseBodyParams = DestinationCalendar.pick({
+  credentialId: true,
   integration: true,
   externalId: true,
   eventTypeId: true,
@@ -14,6 +15,7 @@ const schemaDestinationCalendarCreateParams = z
   .object({
     integration: z.string(),
     externalId: z.string(),
+    credentialId: z.number(),
     eventTypeId: z.number().optional(),
     bookingId: z.number().optional(),
     userId: z.number().optional(),
@@ -45,4 +47,5 @@ export const schemaDestinationCalendarReadPublic = DestinationCalendar.pick({
   eventTypeId: true,
   bookingId: true,
   userId: true,
+  credentialId: true,
 });

apps/api/pages/api/destination-calendars/_post.ts

@@ -30,6 +30,7 @@ import {
  *             required:
  *               - integration
  *               - externalId
+ *               - credentialId
  *             properties:
  *               integration:
  *                 type: string
@@ -37,12 +38,18 @@ import {
  *               externalId:
  *                 type: string
  *                 description: 'The external ID of the integration'
+ *               credentialId:
+ *                 type: integer
+ *                 description: 'The credential ID it is associated with'
  *               eventTypeId:
  *                 type: integer
  *                 description: 'The ID of the eventType it is associated with'
  *               bookingId:
  *                 type: integer
  *                 description: 'The booking ID it is associated with'
+ *               userId:
+ *                 type: integer
+ *                 description: 'The user it is associated with'
  *     tags:
  *      - destination-calendars
  *     responses:
@@ -55,17 +62,33 @@ import {
  */
 async function postHandler(req: NextApiRequest) {
   const { userId, isAdmin, prisma, body } = req;
-
   const parsedBody = schemaDestinationCalendarCreateBodyParams.parse(body);
-
   await checkPermissions(req, userId);
 
-  if (!parsedBody.eventTypeId) {
+  const assignedUserId = isAdmin ? parsedBody.userId || userId : userId;
-    parsedBody.userId = userId;
-  }
 
-  if (isAdmin) {
+  /* Check if credentialId data matches the ownership and integration passed in */
-    parsedBody.userId = parsedBody.userId || userId;
+  const credential = await prisma.credential.findFirst({
+    where: { type: parsedBody.integration, userId: assignedUserId },
+    select: { id: true, type: true, userId: true },
+  });
+
+  if (!credential)
+    throw new HttpError({
+      statusCode: 400,
+      message: "Bad request, credential id invalid",
+    });
+
+  if (parsedBody.eventTypeId) {
+    const eventType = await prisma.eventType.findFirst({
+      where: { id: parsedBody.eventTypeId, userId: parsedBody.userId },
+    });
+    if (!eventType)
+      throw new HttpError({
+        statusCode: 400,
+        message: "Bad request, eventTypeId invalid",
+      });
+    parsedBody.userId = undefined;
   }
 
   const destination_calendar = await prisma.destinationCalendar.create({ data: { ...parsedBody } });