Fix update event type authorization (#2588)

apps/web/server/routers/viewer/eventTypes.tsx

@@ -193,6 +193,21 @@ export const eventTypesRouter = createProtectedRouter()
       throw new TRPCError({ code: "UNAUTHORIZED" });
     }
 
+    const inputUsers = (rawInput as any).users || [];
+
+    const isAllowed = (function () {
+      if (event.team) {
+        const allTeamMembers = event.team.members.map((member) => member.userId);
+        return inputUsers.every((userId: string) => allTeamMembers.includes(Number.parseInt(userId)));
+      }
+      return inputUsers.every((userId: string) => Number.parseInt(userId) === ctx.user.id);
+    })();
+
+    if (!isAllowed) {
+      console.warn(`User ${ctx.user.id} attempted to an create an event for users ${inputUsers.join(", ")}.`);
+      throw new TRPCError({ code: "FORBIDDEN" });
+    }
+
     return next();
   })
   .mutation("update", {