wip

2024-09-03 21:17:40 +02:00
parent 4cdfe3aed2
commit 8e06bacdb0
13 changed files with 326 additions and 54 deletions
--- a/packages/trpc/src/routers/report.ts
+++ b/packages/trpc/src/routers/report.ts
@@ -3,6 +3,8 @@ import { z } from 'zod';
 import { db } from '@openpanel/db';
 import { zReportInput } from '@openpanel/validation';

+import { getProjectAccess } from '../access';
+import { TRPCAccessError } from '../errors';
 import { createTRPCRouter, protectedProcedure } from '../trpc';

 export const reportRouter = createTRPCRouter({
@@ -13,12 +15,22 @@ export const reportRouter = createTRPCRouter({
        dashboardId: z.string(),
      })
    )
-    .mutation(async ({ input: { report, dashboardId } }) => {
+    .mutation(async ({ input: { report, dashboardId }, ctx }) => {
      const dashboard = await db.dashboard.findUniqueOrThrow({
        where: {
          id: dashboardId,
        },
      });
+
+      const access = await getProjectAccess({
+        userId: ctx.session.userId,
+        projectId: dashboard.projectId,
+      });
+
+      if (!access) {
+        throw TRPCAccessError('You do not have access to this project');
+      }
+
      return db.report.create({
        data: {
          projectId: dashboard.projectId,
@@ -42,7 +54,22 @@ export const reportRouter = createTRPCRouter({
        report: zReportInput.omit({ projectId: true }),
      })
    )
-    .mutation(({ input: { report, reportId } }) => {
+    .mutation(async ({ input: { report, reportId }, ctx }) => {
+      const dbReport = await db.report.findUniqueOrThrow({
+        where: {
+          id: reportId,
+        },
+      });
+
+      const access = await getProjectAccess({
+        userId: ctx.session.userId,
+        projectId: dbReport.projectId,
+      });
+
+      if (!access) {
+        throw TRPCAccessError('You do not have access to this project');
+      }
+
      return db.report.update({
        where: {
          id: reportId,
@@ -66,7 +93,22 @@ export const reportRouter = createTRPCRouter({
        reportId: z.string(),
      })
    )
-    .mutation(({ input: { reportId } }) => {
+    .mutation(async ({ input: { reportId }, ctx }) => {
+      const report = await db.report.findUniqueOrThrow({
+        where: {
+          id: reportId,
+        },
+      });
+
+      const access = await getProjectAccess({
+        userId: ctx.session.userId,
+        projectId: report.projectId,
+      });
+
+      if (!access) {
+        throw TRPCAccessError('You do not have access to this project');
+      }
+
      return db.report.delete({
        where: {
          id: reportId,