diff --git a/apps/api/pages/api/teams/[teamId]/_patch.ts b/apps/api/pages/api/teams/[teamId]/_patch.ts
index 93d1a3a46a..e1cfe2a865 100644
--- a/apps/api/pages/api/teams/[teamId]/_patch.ts
+++ b/apps/api/pages/api/teams/[teamId]/_patch.ts
@@ -64,6 +64,25 @@ export async function patchHandler(req: NextApiRequest) {
 where: { id: teamId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
 });
 if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER or ADMIN required" });
+
+ // Check if parentId is related to this user
+ if (data.parentId && data.parentId === teamId) {
+ throw new HttpError({
+ statusCode: 400,
+ message: "Bad request: Parent id cannot be the same as the team id.",
+ });
+ }
+ if (data.parentId) {
+ const parentTeam = await prisma.team.findFirst({
+ where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
+ });
+ if (!parentTeam)
+ throw new HttpError({
+ statusCode: 401,
+ message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
+ });
+ }
+
 let paymentUrl;
 if (_team.slug === null && data.slug) {
 data.metadata = {
diff --git a/apps/api/pages/api/teams/_post.ts b/apps/api/pages/api/teams/_post.ts
index 56e0820535..a018ed81d6 100644
--- a/apps/api/pages/api/teams/_post.ts
+++ b/apps/api/pages/api/teams/_post.ts
@@ -68,6 +68,18 @@ async function postHandler(req: NextApiRequest) {
 }
 }
 
+ // Check if parentId is related to this user
+ if (data.parentId) {
+ const parentTeam = await prisma.team.findFirst({
+ where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
+ });
+ if (!parentTeam)
+ throw new HttpError({
+ statusCode: 401,
+ message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
+ });
+ }
+
 // TODO: Perhaps there is a better fix for this?
 const cloneData: typeof data & {
 metadata: NonNullable | undefined;
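Review bot: The new self-reference guard only rejects `data.parentId === teamId`, so if the schema allows nesting deeper than one level a cycle through an intermediate team is still accepted (set B's parent to A, then A's parent to B — the requester only needs OWNER/ADMIN on both, which the new findFirst permits), and any code that walks parentId upward would then never terminate. Walk the candidate parent's ancestor chain before the membership lookup and refuse if it reaches teamId; a sketch using only what the hunk already uses is below, with the id type to be adjusted to the schema. A smaller point: both new throws reuse 401 for a caller who is authenticated but not authorized, which matches the existing `_team` check above, though 403 is the accurate status. patchHandler starts before this hunk and continues after it.

```typescript
  // Check if parentId is related to this user
  if (data.parentId && data.parentId === teamId) {
    // … unchanged: 400 "Parent id cannot be the same as the team id." …
  }
  if (data.parentId) {
    // Refuse a parent whose own ancestor chain already contains this team; otherwise
    // A -> B -> A becomes representable and an upward walk over parentId never ends.
    let ancestorId: number | null | undefined = data.parentId; // adjust to the schema's id type
    while (ancestorId) {
      if (ancestorId === teamId) {
        throw new HttpError({ statusCode: 400, message: "Bad request: Parent id would create a cycle." });
      }
      const ancestor = await prisma.team.findFirst({ where: { id: ancestorId }, select: { parentId: true } });
      ancestorId = ancestor?.parentId;
    }
    // … unchanged: OWNER/ADMIN membership lookup on the parent and the 401 throw …
  }
```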
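Review bot: The parent-team ownership check added here is a verbatim copy of the one added to `_patch.ts` in the same commit, down to the error message, so the two will drift the first time one of them is tightened; lift it into a single helper (something like `assertCanUseParentTeam(userId, parentId)` next to the handlers) that does the findFirst and throws, and call it from both routes. The membership filter selects on `userId` and role only, so if the membership model distinguishes pending invitations from accepted ones, an unaccepted ADMIN invite would already be enough to attach a new team under that parent — worth confirming against the model. The throw also uses 401 for an authenticated caller who lacks rights, where 403 is the accurate status, unless the rest of the API deliberately standardises on 401 as `_patch.ts` does. postHandler starts before this hunk and continues after it.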