gib/GibSend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: enforce contact book ownership (#341)

Browse Source
This commit is contained in:
KM Koushik
2026-01-17 18:08:05 +11:00
committed by GitHub
parent 6786ff003e
commit f40a311cc9
4 changed files with 95 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/server/api/routers/contacts.ts
+30 -4
View File
@@ -1,4 +1,5 @@
import { CampaignStatus, Prisma } from "@prisma/client"; import { CampaignStatus, Prisma } from "@prisma/client";
import { TRPCError } from "@trpc/server";
import { z } from "zod"; import { z } from "zod";
import { import {
@@ -151,15 +152,40 @@ export const contactsRouter = createTRPCRouter({
subscribed: z.boolean().optional(), subscribed: z.boolean().optional(),
}), }),
) )
.mutation(async ({ input }) => { .mutation(async ({ ctx: { contactBook }, input }) => {
const { contactId, ...contact } = input; const { contactId, ...contact } = input;
return contactService.updateContact(contactId, contact); const updatedContact = await contactService.updateContactInContactBook(
contactId,
contactBook.id,
contact,
);
if (!updatedContact) {
throw new TRPCError({
code: "NOT_FOUND",
message: "Contact not found",
});
}
return updatedContact;
}), }),
deleteContact: contactBookProcedure deleteContact: contactBookProcedure
.input(z.object({ contactId: z.string() })) .input(z.object({ contactId: z.string() }))
.mutation(async ({ input }) => { .mutation(async ({ ctx: { contactBook }, input }) => {
return contactService.deleteContact(input.contactId); const deletedContact = await contactService.deleteContactInContactBook(
input.contactId,
contactBook.id,
);
if (!deletedContact) {
throw new TRPCError({
code: "NOT_FOUND",
message: "Contact not found",
});
}
return deletedContact;
}), }),
exportContacts: contactBookProcedure exportContacts: contactBookProcedure
apps/web/src/server/public-api/api/contacts/delete-contact.ts
+14 -4
View File
@@ -1,8 +1,8 @@
import { createRoute, z } from "@hono/zod-openapi"; import { createRoute, z } from "@hono/zod-openapi";
import { PublicAPIApp } from "~/server/public-api/hono"; import { PublicAPIApp } from "~/server/public-api/hono";
import { getTeamFromToken } from "~/server/public-api/auth"; import { deleteContactInContactBook } from "~/server/service/contact-service";
import { deleteContact } from "~/server/service/contact-service";
import { getContactBook } from "../../api-utils"; import { getContactBook } from "../../api-utils";
import { UnsendApiError } from "../../api-error";
const route = createRoute({ const route = createRoute({
method: "delete", method: "delete",
@@ -41,10 +41,20 @@ function deleteContactHandler(app: PublicAPIApp) {
app.openapi(route, async (c) => { app.openapi(route, async (c) => {
const team = c.var.team; const team = c.var.team;
await getContactBook(c, team.id); const contactBook = await getContactBook(c, team.id);
const contactId = c.req.param("contactId"); const contactId = c.req.param("contactId");
await deleteContact(contactId); const deletedContact = await deleteContactInContactBook(
contactId,
contactBook.id,
);
if (!deletedContact) {
throw new UnsendApiError({
code: "NOT_FOUND",
message: "Contact not found",
});
}
return c.json({ success: true }); return c.json({ success: true });
}); });
apps/web/src/server/public-api/api/contacts/update-contact.ts
+15 -4
View File
@@ -1,8 +1,8 @@
import { createRoute, z } from "@hono/zod-openapi"; import { createRoute, z } from "@hono/zod-openapi";
import { PublicAPIApp } from "~/server/public-api/hono"; import { PublicAPIApp } from "~/server/public-api/hono";
import { getTeamFromToken } from "~/server/public-api/auth"; import { updateContactInContactBook } from "~/server/service/contact-service";
import { updateContact } from "~/server/service/contact-service";
import { getContactBook } from "../../api-utils"; import { getContactBook } from "../../api-utils";
import { UnsendApiError } from "../../api-error";
const route = createRoute({ const route = createRoute({
method: "patch", method: "patch",
@@ -54,10 +54,21 @@ function updateContactInfo(app: PublicAPIApp) {
app.openapi(route, async (c) => { app.openapi(route, async (c) => {
const team = c.var.team; const team = c.var.team;
await getContactBook(c, team.id); const contactBook = await getContactBook(c, team.id);
const contactId = c.req.param("contactId"); const contactId = c.req.param("contactId");
const contact = await updateContact(contactId, c.req.valid("json")); const contact = await updateContactInContactBook(
contactId,
contactBook.id,
c.req.valid("json"),
);
if (!contact) {
throw new UnsendApiError({
code: "NOT_FOUND",
message: "Contact not found",
});
}
return c.json({ contactId: contact.id }); return c.json({ contactId: contact.id });
}); });
apps/web/src/server/service/contact-service.ts
+36 -2
View File
@@ -63,10 +63,32 @@ export async function addOrUpdateContact(
return createdContact; return createdContact;
} }
export async function updateContact( export async function getContactInContactBook(
contactId: string, contactId: string,
contactBookId: string,
) {
return db.contact.findFirst({
where: {
id: contactId,
contactBookId,
},
});
}
export async function updateContactInContactBook(
contactId: string,
contactBookId: string,
contact: Partial<ContactInput>, contact: Partial<ContactInput>,
) { ) {
const existingContact = await getContactInContactBook(
contactId,
contactBookId,
);
if (!existingContact) {
return null;
}
return db.contact.update({ return db.contact.update({
where: { where: {
id: contactId, id: contactId,
@@ -75,7 +97,19 @@ export async function updateContact(
}); });
} }
export async function deleteContact(contactId: string) { export async function deleteContactInContactBook(
contactId: string,
contactBookId: string,
) {
const existingContact = await getContactInContactBook(
contactId,
contactBookId,
);
if (!existingContact) {
return null;
}
return db.contact.delete({ return db.contact.delete({
where: { where: {
id: contactId, id: contactId,