Fix update event type authorization (#2588)

2022-04-25 02:32:04 +05:30 · 2022-04-25 02:32:04 +05:30 · 53d7e57142
commit 53d7e57142
parent 2c4a891a89
1 changed files with 15 additions and 0 deletions
--- a/apps/web/server/routers/viewer/eventTypes.tsx
+++ b/apps/web/server/routers/viewer/eventTypes.tsx
@ -193,6 +193,21 @@ export const eventTypesRouter = createProtectedRouter()
      throw new TRPCError({ code: "UNAUTHORIZED" });
    }

+    const inputUsers = (rawInput as any).users || [];
+
+    const isAllowed = (function () {
+      if (event.team) {
+        const allTeamMembers = event.team.members.map((member) => member.userId);
+        return inputUsers.every((userId: string) => allTeamMembers.includes(Number.parseInt(userId)));
+      }
+      return inputUsers.every((userId: string) => Number.parseInt(userId) === ctx.user.id);
+    })();
+
+    if (!isAllowed) {
+      console.warn(`User ${ctx.user.id} attempted to an create an event for users ${inputUsers.join(", ")}.`);
+      throw new TRPCError({ code: "FORBIDDEN" });
+    }
+
    return next();
  })
  .mutation("update", {