maronato/cal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: create event type for a team that you are an owner or admin of (#12564) 

* fix: allow API access to creating a team that you are a member of

* update roles allowed to create event types

* add back comment

* revert yarn.lock

---------

Co-authored-by: Omar López <zomars@me.com>
Co-authored-by: Peer Richelsen <peeroke@gmail.com>
This commit is contained in:
Matt Nicolls 2023-12-14 13:14:12 +01:00 committed by GitHub
parent 60700e1a7a
commit f9dcbaaa42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apps/api/pages/api/event-types/_post.ts
View File

@ -3,8 +3,10 @@ import type { NextApiRequest } from "next";
import { HttpError } from "@calcom/lib/http-error";
import { defaultResponder } from "@calcom/lib/server";
import { MembershipRole } from "@calcom/prisma/client";
import { schemaEventTypeCreateBodyParams, schemaEventTypeReadPublic } from "~/lib/validations/event-type";
import { canUserAccessTeamWithRole } from "~/pages/api/teams/[teamId]/_auth-middleware";
import checkParentEventOwnership from "./_utils/checkParentEventOwnership";
import checkTeamEventEditPermission from "./_utils/checkTeamEventEditPermission";
@ -316,7 +318,13 @@ async function checkPermissions(req: NextApiRequest) {
statusCode: 401,
message: "ADMIN required for `userId`",
});
if (!isAdmin && body.teamId)
if (
body.teamId &&
!isAdmin &&
!(await canUserAccessTeamWithRole(req.prisma, req.userId, isAdmin, body.teamId, {
in: [MembershipRole.OWNER, MembershipRole.ADMIN],
}))
)
throw new HttpError({
statusCode: 401,
message: "ADMIN required for `teamId`",

10
apps/api/pages/api/teams/[teamId]/_auth-middleware.ts
View File

@ -27,6 +27,16 @@ export async function checkPermissions(
version: req.query.version,
apiKey: req.query.apiKey,
});
return canUserAccessTeamWithRole(prisma, userId, isAdmin, teamId, role);
}
export async function canUserAccessTeamWithRole(
prisma: NextApiRequest["prisma"],
userId: number,
isAdmin: boolean,
teamId: number,
role: Prisma.MembershipWhereInput["role"] = MembershipRole.OWNER
) {
const args: Prisma.TeamFindFirstArgs = { where: { id: teamId } };
/** If not ADMIN then we check if the actual user belongs to team and matches the required role */
if (!isAdmin) args.where = { ...args.where, members: { some: { userId, role } } };