From d397120500a519c98c646eea6668727b074f55ce Mon Sep 17 00:00:00 2001
From: CarinaWolli
Date: Fri, 14 Oct 2022 15:16:38 +0200
Subject: [PATCH] security fixes

---
 packages/trpc/server/routers/viewer/workflows.tsx | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/packages/trpc/server/routers/viewer/workflows.tsx b/packages/trpc/server/routers/viewer/workflows.tsx
index b088ac4450c60..0acd8e9498031 100644
--- a/packages/trpc/server/routers/viewer/workflows.tsx
+++ b/packages/trpc/server/routers/viewer/workflows.tsx
@@ -249,7 +249,12 @@ export const workflowsRouter = createProtectedRouter()
 },
 });
- if (!userWorkflow || userWorkflow.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });
+ if (
+ !userWorkflow ||
+ userWorkflow.userId !== user.id ||
+ steps.filter((step) => step.workflowId != id).length > 0
+ )
+ throw new TRPCError({ code: "UNAUTHORIZED" });
 const oldActiveOnEventTypes = await ctx.prisma.workflowsOnEventTypes.findMany({
 where: {
@@ -290,7 +295,7 @@ export const workflowsRouter = createProtectedRouter()
 if (
 newEventType &&
 newEventType.userId !== user.id &&
- newEventType?.team?.members.filter((membership) => membership.userId === user.id).length === 0
+ !newEventType?.team?.members.filter((membership) => membership.userId === user.id).length
 ) {
 throw new TRPCError({ code: "UNAUTHORIZED" });
 }
@@ -644,11 +649,7 @@ export const workflowsRouter = createProtectedRouter()
 const addedSteps = steps.map((s) => {
 if (s.id <= 0) {
 const { id: stepId, ...stepToAdd } = s;
- if (stepToAdd.workflowId === id) {
- return stepToAdd;
- } else {
- throw new TRPCError({ code: "UNAUTHORIZED" });
- }
+ return stepToAdd;
 }
 });
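Review bot: The new `steps.filter((step) => step.workflowId != id).length > 0` condition in the first hunk uses loose inequality, so a client-supplied `workflowId` of `"5"` is accepted for workflow `5`; write it as `steps.some((step) => step.workflowId !== id)` to get strict comparison and a direct "any step foreign to this workflow" reading. More importantly, the guard only compares the value the client put on each step: for steps that already exist (`s.id > 0`) it does not establish that the stored row belongs to this workflow, so if the remainder of this mutation (outside the hunk) updates or deletes steps by `id`, those ids should be checked against the workflow's own steps loaded from the database — e.g. include `steps` in the `userWorkflow` query and reject any `step.id` that is not in that set. The enclosing procedure starts and ends outside the hunk.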
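Review bot: The rewritten membership test in the second hunk is a truthiness trick on `.length`, and the `newEventType?.` chain is redundant because `newEventType &&` on the line above already guards it; `!newEventType.team?.members.some((membership) => membership.userId === user.id)` expresses the same rule without either. The negated form is what closes the earlier gap — for an event type with no team the old `.length === 0` compared `undefined` and silently skipped the throw — so a comment such as `// reject when the event type has no team, or the caller is not a member of its team` would record why this shape must be kept. If membership rows in this schema carry an accepted/pending state, the check should also exclude unaccepted memberships; the hunk does not show the model, so confirm against the caller's query.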
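Review bot: After the third hunk's simplification, `steps.map((s) => { if (s.id <= 0) { ... } })` still returns `undefined` for every step with a positive id, leaving `addedSteps` as a sparse array that each consumer further down (outside the hunk) must null-check, and the destructured `stepId` is never used; `const addedSteps = steps.filter((s) => s.id <= 0).map(({ id, ...stepToAdd }) => stepToAdd);` yields only the new steps and drops the dead binding. The per-step `workflowId` check this hunk removes is presumably superseded by the `steps.filter((step) => step.workflowId != id)` guard added at line 249 of the same router, but that only holds if both hunks belong to the same procedure, which the patch does not show — worth confirming before relying on it. The enclosing procedure starts and ends outside the hunk.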