add check for parentId (#13078)
parent
7dc7f949cf
commit
6dbf372ab0
|
@ -64,6 +64,25 @@ export async function patchHandler(req: NextApiRequest) {
|
||||||
where: { id: teamId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
|
where: { id: teamId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
|
||||||
});
|
});
|
||||||
if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER or ADMIN required" });
|
if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER or ADMIN required" });
|
||||||
|
|
||||||
|
// Check if parentId is related to this user
|
||||||
|
if (data.parentId && data.parentId === teamId) {
|
||||||
|
throw new HttpError({
|
||||||
|
statusCode: 400,
|
||||||
|
message: "Bad request: Parent id cannot be the same as the team id.",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
if (data.parentId) {
|
||||||
|
const parentTeam = await prisma.team.findFirst({
|
||||||
|
where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
|
||||||
|
});
|
||||||
|
if (!parentTeam)
|
||||||
|
throw new HttpError({
|
||||||
|
statusCode: 401,
|
||||||
|
message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
let paymentUrl;
|
let paymentUrl;
|
||||||
if (_team.slug === null && data.slug) {
|
if (_team.slug === null && data.slug) {
|
||||||
data.metadata = {
|
data.metadata = {
|
||||||
|
|
|
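Review bot: The self-reference guard `data.parentId === teamId` in patchHandler rejects only the direct case. Nothing in the added lookup stops a caller who administers both teams from choosing a parent that is itself a child of this team, which would leave a loop in the hierarchy. If parents are meant to be top-level only (an assumption, the schema is not visible here), the lookup can enforce that in the same query: `where: { id: data.parentId, parentId: null, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } }`. The same applies to the identical lookup added to postHandler. patchHandler's body starts and ends outside the hunk, so whether the later update re-validates the parent is not visible.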
@ -68,6 +68,18 @@ async function postHandler(req: NextApiRequest) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if parentId is related to this user
|
||||||
|
if (data.parentId) {
|
||||||
|
const parentTeam = await prisma.team.findFirst({
|
||||||
|
where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } },
|
||||||
|
});
|
||||||
|
if (!parentTeam)
|
||||||
|
throw new HttpError({
|
||||||
|
statusCode: 401,
|
||||||
|
message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: Perhaps there is a better fix for this?
|
// TODO: Perhaps there is a better fix for this?
|
||||||
const cloneData: typeof data & {
|
const cloneData: typeof data & {
|
||||||
metadata: NonNullable<typeof data.metadata> | undefined;
|
metadata: NonNullable<typeof data.metadata> | undefined;
|
||||||
|
|
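Review bot: The parent-team authorization lookup in postHandler is a copy of the one added to patchHandler, and two copies of an access check tend to drift when only one of them is tightened later. Moving the `findFirst` and the `HttpError` throw into one shared helper would leave each handler with a single call such as `if (data.parentId) await assertParentTeamAdmin(prisma, userId, data.parentId);` (the helper name is only a suggestion). The comment above the block would also be clearer as `// Caller must be OWNER or ADMIN of the parent team before a team can be attached to it`. Returning the same message for a missing parent and a parent the caller does not administer is worth keeping in the helper, because it avoids disclosing which team ids exist. postHandler's body continues outside the hunk.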