fix: backend plan check (#329)

lunary-ai · May 19, 2024 · b7bd3a8 · b7bd3a8
1 parent afdb485
commit b7bd3a8
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 16 deletions.
diff --git a/packages/backend/src/api/v1/template-versions.ts b/packages/backend/src/api/v1/template-versions.ts
@@ -4,6 +4,7 @@ import { Context } from "koa"
 import postgres from "postgres"
 import { unCamelObject } from "@/src/utils/misc"
 import { checkAccess } from "@/src/utils/authorization"
+import { z } from "zod"
 
 const versions = new Router({
   prefix: "/template_versions",
@@ -68,25 +69,46 @@ versions.patch(
   "/:id",
   checkAccess("prompts", "update"),
   async (ctx: Context) => {
-    const { content, extra, testValues, isDraft } = ctx.request.body as {
-      id: string
-      content: any[]
-      extra: any
-      testValues: any
-      isDraft: boolean
-    }
+    const bodySchema = z.object({
+      content: z.array(z.any()),
+      extra: z.any(),
+      testValues: z.any(),
+      isDraft: z.boolean(),
+    })
+
+    const { content, extra, testValues, isDraft } = bodySchema.parse(
+      ctx.request.body,
+    )
 
     const [templateVersion] = await sql`
-    update template_version set
-      content = ${sql.json(content)},
-      extra = ${sql.json(unCamelObject(extra))},
-      test_values = ${sql.json(testValues)},
-      is_draft = ${isDraft}
-    where id = ${ctx.params.id}
-    returning *
-  `
+      select
+        *
+      from
+        template_version tv
+        left join template t on tv.template_id = t.id
+        left join project p on t.project_id = p.id 
+      where
+        tv.id = ${ctx.params.id}
+        and p.org_id = ${ctx.state.orgId}
+    `
+
+    if (!templateVersion) {
+      ctx.throw(401, "You don't have access to this template")
+    }
 
-    ctx.body = templateVersion
+    const [updatedTemplateVersion] = await sql`
+      update template_version 
+      set
+        content = ${sql.json(content)},
+        extra = ${sql.json(unCamelObject(extra))},
+        test_values = ${sql.json(testValues)},
+        is_draft = ${isDraft}
+      where 
+        id = ${ctx.params.id}
+      returning *
+    `
+
+    ctx.body = updatedTemplateVersion
   },
 )
 

diff --git a/packages/backend/src/api/v1/users.ts b/packages/backend/src/api/v1/users.ts
@@ -183,9 +183,21 @@ users.post("/", checkAccess("teamMembers", "create"), async (ctx: Context) => {
     select name, plan from org where id = ${orgId}
   `
 
+  if (
+    role !== "member" &&
+    role !== "admin" &&
+    (org.plan === "free" || org.plan === "pro")
+  ) {
+    ctx.throw(
+      401,
+      "Your plan doesn't allow you to access granular access control.",
+    )
+  }
+
   const [orgUserCountResult] = await sql`
     select count(*) from account where org_id = ${orgId}
   `
+
   const orgUserCount = orgUserCountResult.count
 
   const token = await signJWT({ email, orgId }, FIFTEEN_DAYS)