fix: refactor booking details api middleware to use team member booking join (#12695)
* refactor booking details api middleware to use team member booking join Signed-off-by: titanventura <aswath7862001@gmail.com> * fix: security issue in the previous commit — check the booking against the current user first, then check for a team booking Signed-off-by: titanventura <aswath7862001@gmail.com> --------- Signed-off-by: titanventura <aswath7862001@gmail.com>
This commit is contained in:
parent
90a6fc3f26
commit
c53e891c8a
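--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -6,18 +6,44 @@ import { schemaQueryIdParseInt } from "~/lib/validations/shared/queryIdTransform
 async function authMiddleware(req: NextApiRequest) {
   const { userId, prisma, isAdmin, query } = req;
+  if (isAdmin) {
+    return;
+  }
+
   const { id } = schemaQueryIdParseInt.parse(query);
-  const userWithBookings = await prisma.user.findUnique({
+  const userWithBookingsAndTeamIds = await prisma.user.findUnique({
     where: { id: userId },
-    include: { bookings: true },
+    include: {
+      bookings: true,
+      teams: {
+        select: {
+          teamId: true,
+        },
+      },
+    },
   });
 
-  if (!userWithBookings) throw new HttpError({ statusCode: 404, message: "User not found" });
+  if (!userWithBookingsAndTeamIds) throw new HttpError({ statusCode: 404, message: "User not found" });
 
-  const userBookingIds = userWithBookings.bookings.map((booking) => booking.id);
+  const userBookingIds = userWithBookingsAndTeamIds.bookings.map((booking) => booking.id);
 
-  if (!isAdmin && !userBookingIds.includes(id)) {
-    throw new HttpError({ statusCode: 401, message: "You are not authorized" });
+  if (!userBookingIds.includes(id)) {
+    const teamBookings = await prisma.booking.findUnique({
+      where: {
+        id: id,
+        eventType: {
+          team: {
+            id: {
+              in: userWithBookingsAndTeamIds.teams.map((team) => team.teamId),
+            },
+          },
+        },
+      },
+    });
+
+    if (!teamBookings) {
+      throw new HttpError({ statusCode: 401, message: "You are not authorized" });
+    }
   }
 }
 
 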
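Review bot: The team check built from `teams: { select: { teamId: true } }` admits every membership row the user has; if that relation also carries pending (unaccepted) invitations — which cannot be confirmed from this hunk — an invited-but-not-joined member would already pass this authorization step, so the select should filter on the membership's acceptance flag if the model has one. The `prisma.booking.findUnique` call combines the unique `id` with a relation filter on `eventType.team.id`, which only type-checks with Prisma's `extendedWhereUnique` support; `const teamBooking = await prisma.booking.findFirst({` expresses the same lookup without depending on it and also fixes the plural name for what is a single booking or null. The early `return` for admins now runs before `schemaQueryIdParseInt.parse(query)`, so admin requests leave this middleware without the id being validated here — fine if the handler parses it again, but worth confirming.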