diff --git a/.github/workflows/nextjs-bundle-analysis.yml b/.github/workflows/nextjs-bundle-analysis.yml index 811d232d54..4c8da86217 100644 --- a/.github/workflows/nextjs-bundle-analysis.yml +++ b/.github/workflows/nextjs-bundle-analysis.yml @@ -2,6 +2,7 @@ name: "Next.js Bundle Analysis" on: workflow_call: + workflow_dispatch: push: branches: - main @@ -34,7 +35,7 @@ jobs: - name: Download base branch bundle stats uses: dawidd6/action-download-artifact@v2 - if: success() && github.event.number + if: success() with: workflow: nextjs-bundle-analysis.yml branch: ${{ github.event.pull_request.base.ref }} @@ -54,39 +55,39 @@ jobs: # Either of these arguments can be changed or removed by editing the `nextBundleAnalysis` # entry in your package.json file. - name: Compare with base branch bundle - if: success() && github.event.number + if: success() run: | cd apps/web ls -laR .next/analyze/base && npx -p nextjs-bundle-analysis compare - name: Get comment body id: get-comment-body - if: success() && github.event.number + if: success() run: | cd apps/web body=$(cat .next/analyze/__bundle_analysis_comment.txt) body="${body//'%'/'%25'}" body="${body//$'\n'/'%0A'}" body="${body//$'\r'/'%0D'}" - echo ::set-output name=body::$body + echo "{name}={$body}" >> $GITHUB_OUTPUT - name: Find Comment - uses: peter-evans/find-comment@v1 - if: success() && github.event.number + uses: peter-evans/find-comment@v2 + if: success() id: fc with: issue-number: ${{ github.event.number }} body-includes: "" - name: Create Comment - uses: peter-evans/create-or-update-comment@v1.4.4 + uses: peter-evans/create-or-update-comment@v3 if: success() && github.event.number && steps.fc.outputs.comment-id == 0 with: issue-number: ${{ github.event.number }} body: ${{ steps.get-comment-body.outputs.body }} - name: Update Comment - uses: peter-evans/create-or-update-comment@v1.4.4 + uses: peter-evans/create-or-update-comment@v3 if: success() && github.event.number && steps.fc.outputs.comment-id != 0 with: issue-number: ${{ github.event.number }} diff --git a/apps/api/pages/api/teams/[teamId]/_patch.ts b/apps/api/pages/api/teams/[teamId]/_patch.ts index 93d1a3a46a..e1cfe2a865 100644 --- a/apps/api/pages/api/teams/[teamId]/_patch.ts +++ b/apps/api/pages/api/teams/[teamId]/_patch.ts @@ -64,6 +64,25 @@ export async function patchHandler(req: NextApiRequest) { where: { id: teamId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } }, }); if (!_team) throw new HttpError({ statusCode: 401, message: "Unauthorized: OWNER or ADMIN required" }); + + // Check if parentId is related to this user + if (data.parentId && data.parentId === teamId) { + throw new HttpError({ + statusCode: 400, + message: "Bad request: Parent id cannot be the same as the team id.", + }); + } + if (data.parentId) { + const parentTeam = await prisma.team.findFirst({ + where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } }, + }); + if (!parentTeam) + throw new HttpError({ + statusCode: 401, + message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.", + }); + } + let paymentUrl; if (_team.slug === null && data.slug) { data.metadata = { diff --git a/apps/api/pages/api/teams/_post.ts b/apps/api/pages/api/teams/_post.ts index 56e0820535..a018ed81d6 100644 --- a/apps/api/pages/api/teams/_post.ts +++ b/apps/api/pages/api/teams/_post.ts @@ -68,6 +68,18 @@ async function postHandler(req: NextApiRequest) { } } + // Check if parentId is related to this user + if (data.parentId) { + const parentTeam = await prisma.team.findFirst({ + where: { id: data.parentId, members: { some: { userId, role: { in: ["OWNER", "ADMIN"] } } } }, + }); + if (!parentTeam) + throw new HttpError({ + statusCode: 401, + message: "Unauthorized: Invalid parent id. You can only use parent id of your own teams.", + }); + } + // TODO: Perhaps there is a better fix for this? const cloneData: typeof data & { metadata: NonNullable | undefined;