From 31d1bde52a5fdc3e9270301ab6c4ec6289faa002 Mon Sep 17 00:00:00 2001
From: Hariom Balhara
Date: Tue, 12 Apr 2022 14:52:29 +0530
Subject: [PATCH] Prevent unauthorized update to schedule (#2466)
---
 apps/web/server/routers/viewer/availability.tsx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/apps/web/server/routers/viewer/availability.tsx b/apps/web/server/routers/viewer/availability.tsx
index fa79224c..ae16df97 100644
--- a/apps/web/server/routers/viewer/availability.tsx
+++ b/apps/web/server/routers/viewer/availability.tsx
@@ -191,6 +191,20 @@ export const availabilityRouter = createProtectedRouter()
 });
 }
+ // Not able to update the schedule with userId where clause, so fetch schedule separately and then validate
+ // Bug: https://github.com/prisma/prisma/issues/7290
+ const userSchedule = await prisma.schedule.findUnique({
+ where: {
+ id: input.scheduleId,
+ },
+ });
+
+ if (!userSchedule || userSchedule.userId !== user.id) {
+ throw new TRPCError({
+ code: "UNAUTHORIZED",
+ });
+ }
+
 const schedule = await prisma.schedule.update({
 where: {
 id: input.scheduleId,
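Review bot: The ownership guard throws `code: "UNAUTHORIZED"`, which tRPC maps to HTTP 401, although a caller on this protected router is presumably already signed in and is only being denied someone else's schedule; `code: "FORBIDDEN"` (or `"NOT_FOUND"`, if schedule ids should not be confirmable) describes that case and keeps clients from treating it as an expired session. Answering the missing and the not-owned case with the same error is worth keeping, since it gives no hint whether an id exists. The lookup only needs the owner, so `select: { userId: true }` on the `findUnique` would avoid loading the whole row. The `prisma.schedule.update` that follows is still keyed on `id` alone, so the guard is the only thing enforcing ownership; I would extend the comment with `// Must stay directly above the update: the update itself does not filter by userId`. The rest of the mutation lies outside the hunk.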