add check for parentId (#13078)

2024-01-09 16:46:44 +05:30 · 2024-01-09 16:46:44 +05:30 · 6dbf372ab0
parent 7dc7f949cf
commit 6dbf372ab0
2 changed files with 31 additions and 0 deletions
--- a/apps/api/pages/api/teams/[teamId]/_patch.ts
+++ b/apps/api/pages/api/teams/[teamId]/_patch.ts
@ -64,6 +64,25 @@ export async function patchHandler(req: NextApiRequest) {
    where: { id: teamId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
  });
  if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER or ADMIN required" });
+
+  // Check if parentId is related to this user
+  if (data.parentId && data.parentId === teamId) {
+    throw new HttpError({
+      statusCode: 400,
+      message: "Bad request: Parent id cannot be the same as the team id.",
+    });
+  }
+  if (data.parentId) {
+    const parentTeam = await prisma.team.findFirst({
+      where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
+    });
+    if (!parentTeam)
+      throw new HttpError({
+        statusCode: 401,
+        message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
+      });
+  }
+
  let paymentUrl;
  if (_team.slug === null && data.slug) {
    data.metadata = {
--- a/apps/api/pages/api/teams/_post.ts
+++ b/apps/api/pages/api/teams/_post.ts
@ -68,6 +68,18 @@ async function postHandler(req: NextApiRequest) {
    }
  }

+  // Check if parentId is related to this user
+  if (data.parentId) {
+    const parentTeam = await prisma.team.findFirst({
+      where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
+    });
+    if (!parentTeam)
+      throw new HttpError({
+        statusCode: 401,
+        message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
+      });
+  }
+
  // TODO: Perhaps there is a better fix for this?
  const cloneData: typeof data & {
    metadata: NonNullable<typeof data.metadata> | undefined;