feat(events): add permissions check on event creation (#111)
stakach authored Sep 9, 2021
1 parent 279e6c5 commit d8bc41a
Showing 2 changed files with 4 additions and 45 deletions.
5 changes: 4 additions & 1 deletion src/controllers/events.cr
Expand Up @@ -93,7 +93,10 @@ class Events < Application
input_event = PlaceCalendar::Event.from_json(request.body.as(IO))
placeos_client = get_placeos_client

host = input_event.host || user.email
# get_user_calendars returns only calendars where the user has write access
user_email = user.email.downcase
host = input_event.host.try(&.downcase) || user_email
head :forbidden unless host == user_email || get_user_calendars.find { |cal| cal.id.try(&.downcase) == host }

system_id = input_event.system_id || input_event.system.try(&.id)
if system_id
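
Review bot: The authorization check on the `head :forbidden unless host == user_email || get_user_calendars.find { ... }` line ships without a spec; the commit touches only src/controllers/events.cr and the deleted google-helpers.cr. Add controller specs for the cases this line distinguishes: no host supplied, host equal to the user's own email in different case, host matching a calendar returned by get_user_calendars, and a host matching neither, which should get a 403. The check also rests entirely on the comment's statement that get_user_calendars returns only calendars with write access, so that invariant should be documented or asserted at the helper itself, otherwise a later change there silently widens who can create events on another calendar. The hunk does not show whether `head` returns from the action; if it does not, execution continues to `system_id = ...` and the event is still created after the 403 is sent, so that is worth confirming in the spec. Minor: `find` is used only for truthiness here, so `any?` states the intent more directly.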
44 changes: 0 additions & 44 deletions src/controllers/utilities/google-helpers.cr

This file was deleted.
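
Review bot: The removal of src/controllers/utilities/google-helpers.cr (44 lines) is not mentioned in the commit message, which describes only the permissions check. Mention the deletion in the message or move it to its own commit, so the security-relevant change in events.cr can be reviewed and reverted on its own.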
