From 1c2998fc13b394766c81129df62dedddb9776c8a Mon Sep 17 00:00:00 2001
From: Chris <76668588+bytesbuffer@users.noreply.github.com>
Date: Wed, 22 Sep 2021 06:43:32 -0400
Subject: [PATCH] =?UTF-8?q?Ensure=20users=20cannot=20delete=20teams=20they?= =?UTF-8?q?=20don=E2=80=99t=20own=20(#720)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Bailey Pumfleet
---
 pages/api/teams/[team]/index.ts | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/pages/api/teams/[team]/index.ts b/pages/api/teams/[team]/index.ts
index 33f16ef3..396e3c8f 100644
--- a/pages/api/teams/[team]/index.ts
+++ b/pages/api/teams/[team]/index.ts
@@ -1,5 +1,5 @@
 import type { NextApiRequest, NextApiResponse } from "next";
-import prisma from "../../../../lib/prisma";
+import prisma from "@lib/prisma";
 import { getSession } from "@lib/auth";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
@@ -10,6 +10,23 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
 // DELETE /api/teams/{team}
 if (req.method === "DELETE") {
+ if (!session.user?.id) {
+ console.log("Received session token without a user id.");
+ return res.status(500).json({ message: "Something went wrong." });
+ }
+
+ const membership = await prisma.membership.findFirst({
+ where: {
+ userId: session.user.id,
+ teamId: parseInt(req.query.team as string),
+ },
+ });
+
+ if (!membership || membership.role !== "OWNER") {
+ console.log(`User ${session.user.id} tried deleting an organization they don't own.`);
+ return res.status(403).json({ message: "Forbidden." });
+ }
+
 await prisma.membership.delete({
 where: { userId_teamId: { userId: session.user.id, teamId: parseInt(req.query.team) },