add validation for teams in the event type creation (#1866)

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>

apps/web/components/eventtype/CreateEventType.tsx

@@ -84,6 +84,11 @@ export default function CreateEventTypeButton(props: Props) {
         const message = `${err.statusCode}: ${err.message}`;
         showToast(message, "error");
       }
+
+      if (err.data?.code === "UNAUTHORIZED") {
+        const message = `${err.data.code}: You are not able to create this event`;
+        showToast(message, "error");
+      }
     },
   });
 

apps/web/pages/event-types/[type].tsx

@@ -137,6 +137,11 @@ const EventTypePage = (props: inferSSRProps<typeof getServerSideProps>) => {
         const message = `${err.statusCode}: ${err.message}`;
         showToast(message, "error");
       }
+
+      if (err.data?.code === "UNAUTHORIZED") {
+        const message = `${err.data.code}: You are not able to update this event`;
+        showToast(message, "error");
+      }
     },
   });
 

apps/web/server/routers/viewer/eventTypes.tsx

@@ -108,16 +108,32 @@ export const eventTypesRouter = createProtectedRouter()
     input: createEventTypeInput,
     async resolve({ ctx, input }) {
       const { schedulingType, teamId, ...rest } = input;
+
+      const userId = ctx.user.id;
+
       const data: Prisma.EventTypeCreateInput = {
         ...rest,
         users: {
           connect: {
-            id: ctx.user.id,
+            id: userId,
           },
         },
       };
 
       if (teamId && schedulingType) {
+        const hasMembership = await ctx.prisma.membership.findFirst({
+          where: {
+            userId,
+            teamId: teamId,
+            accepted: true,
+          },
+        });
+
+        if (!hasMembership) {
+          console.warn(`User ${userId} does not have permission to create this new event type`);
+          throw new TRPCError({ code: "UNAUTHORIZED" });
+        }
+
         data.team = {
           connect: {
             id: teamId,