fix: refactor booking details api middleware to use team member booking join (#12695)

* refactor booking details api middleware to use team member booking join Signed-off-by: titanventura <aswath7862001@gmail.com> * fix. security issue in previous commit. check for booking against current user. then check for team booking Signed-off-by: titanventura <aswath7862001@gmail.com> --------- Signed-off-by: titanventura <aswath7862001@gmail.com>
2023-12-08 04:13:51 +05:30 · 2023-12-08 04:13:51 +05:30 · c53e891c8a
parent 90a6fc3f26
commit c53e891c8a
1 changed files with 32 additions and 6 deletions
--- a/apps/api/pages/api/bookings/[id]/_auth-middleware.ts
+++ b/apps/api/pages/api/bookings/[id]/_auth-middleware.ts
@ -6,18 +6,44 @@ import { schemaQueryIdParseInt } from "~/lib/validations/shared/queryIdTransform

 async function authMiddleware(req: NextApiRequest) {
  const { userId, prisma, isAdmin, query } = req;
+  if (isAdmin) {
+    return;
+  }
+
  const { id } = schemaQueryIdParseInt.parse(query);
-  const userWithBookings = await prisma.user.findUnique({
+  const userWithBookingsAndTeamIds = await prisma.user.findUnique({
    where: { id: userId },
-    include: { bookings: true },
+    include: {
+      bookings: true,
+      teams: {
+        select: {
+          teamId: true,
+        },
+      },
+    },
  });

-  if (!userWithBookings) throw new HttpError({ statusCode: 404, message: "User not found" });
+  if (!userWithBookingsAndTeamIds) throw new HttpError({ statusCode: 404, message: "User not found" });

-  const userBookingIds = userWithBookings.bookings.map((booking) => booking.id);
+  const userBookingIds = userWithBookingsAndTeamIds.bookings.map((booking) => booking.id);

-  if (!isAdmin && !userBookingIds.includes(id)) {
-    throw new HttpError({ statusCode: 401, message: "You are not authorized" });
+  if (!userBookingIds.includes(id)) {
+    const teamBookings = await prisma.booking.findUnique({
+      where: {
+        id: id,
+        eventType: {
+          team: {
+            id: {
+              in: userWithBookingsAndTeamIds.teams.map((team) => team.teamId),
+            },
+          },
+        },
+      },
+    });
+
+    if (!teamBookings) {
+      throw new HttpError({ statusCode: 401, message: "You are not authorized" });
+    }
  }
 }