Prevent unauthorized update to schedule (#2466)

Hariom Balhara 2022-04-12 14:52:29 +05:30 committed by GitHub
parent 4c5ae567e4
commit 31d1bde52a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -191,6 +191,20 @@ export const availabilityRouter = createProtectedRouter()
}); });
} }
// Not able to update the schedule with userId where clause, so fetch schedule separately and then validate
// Bug: https://github.com/prisma/prisma/issues/7290
const userSchedule = await prisma.schedule.findUnique({
where: {
id: input.scheduleId,
},
});
if (!userSchedule || userSchedule.userId !== user.id) {
throw new TRPCError({
code: "UNAUTHORIZED",
});
}
const schedule = await prisma.schedule.update({ const schedule = await prisma.schedule.update({
where: { where: {
id: input.scheduleId, id: input.scheduleId,
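Review bot: The ownership check sits after the block that closes on the two context lines above it (`});` and `}`), so whatever that earlier call does runs before `userSchedule.userId !== user.id` is evaluated. That block starts outside the hunk, so I cannot see whether it uses `input.scheduleId`; if it writes anything keyed on that id, the check should move to the top of the mutation, ahead of every write. The check and the `prisma.schedule.update` are also two separate queries, which is acceptable only while a schedule's `userId` never changes; a short comment saying so next to the Prisma issue link would help the next reader. On the error itself, tRPC's `UNAUTHORIZED` is the 401 "not authenticated" code while the caller on this protected router is already authenticated, so `code: "FORBIDDEN"` fits better; answering identically for a missing and a foreign schedule is worth keeping, since it does not reveal which ids exist. The mutation body continues past the end of the hunk.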