restrict write operstion only

Author: anikdhabal

apps/api/v2/src/modules/teams/teams/teams.repository.ts

@@ -2,7 +2,7 @@ import { PrismaReadService } from "@/modules/prisma/prisma-read.service";
 import { PrismaWriteService } from "@/modules/prisma/prisma-write.service";
 import { Injectable, NotFoundException } from "@nestjs/common";
 
-import { teamMetadataSchema } from "@calcom/platform-libraries";
+import { teamMetadataStrictSchema } from "@calcom/platform-libraries";
 import { Prisma } from "@calcom/prisma/client";
 
 @Injectable()
@@ -87,7 +87,7 @@ export class TeamsRepository {
 
   async setDefaultConferencingApp(teamId: number, appSlug?: string, appLink?: string) {
     const team = await this.getById(teamId);
-    const teamMetadata = teamMetadataSchema.parse(team?.metadata);
+    const teamMetadata = teamMetadataStrictSchema.parse(team?.metadata);
 
     if (!team) {
       throw new NotFoundException("user not found");

apps/web/app/api/teams/[team]/upgrade/route.ts

@@ -12,7 +12,7 @@ import stripe from "@calcom/features/ee/payments/server/stripe";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { HttpError } from "@calcom/lib/http-error";
 import prisma from "@calcom/prisma";
-import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
+import { teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 
 import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 
@@ -50,7 +50,7 @@ async function getHandler(req: NextRequest, { params }: { params: Promise<Params
     if (!team) {
       const prevTeam = await prisma.team.findFirstOrThrow({ where: { id } });
 
-      metadata = teamMetadataSchema.safeParse(prevTeam.metadata);
+      metadata = teamMetadataStrictSchema.safeParse(prevTeam.metadata);
       if (!metadata.success) {
         throw new HttpError({ statusCode: 400, message: "Invalid team metadata" });
       }
@@ -80,7 +80,7 @@ async function getHandler(req: NextRequest, { params }: { params: Promise<Params
     }
 
     if (!metadata) {
-      metadata = teamMetadataSchema.safeParse(team.metadata);
+      metadata = teamMetadataStrictSchema.safeParse(team.metadata);
       if (!metadata.success) {
         throw new HttpError({ statusCode: 400, message: "Invalid team metadata" });
       }

apps/web/playwright/lib/orgMigration.ts

@@ -9,7 +9,7 @@ import type { Team, User } from "@calcom/prisma/client";
 import { RedirectType } from "@calcom/prisma/client";
 import { Prisma } from "@calcom/prisma/client";
 import type { MembershipRole } from "@calcom/prisma/enums";
-import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
+import { teamMetadataSchema, teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 
 const log = logger.getSubLogger({ prefix: ["orgMigration"] });
 
@@ -588,7 +588,7 @@ async function dbRemoveTeamFromOrg({ teamId }: { teamId: number }) {
     });
   }
 
-  const teamMetadata = teamMetadataSchema.parse(team?.metadata);
+  const teamMetadata = teamMetadataStrictSchema.parse(team?.metadata);
   try {
     return await prisma.team.update({
       where: {

packages/features/ee/billing/teams/internal-team-billing.ts

@@ -10,14 +10,14 @@ import { Redirect } from "@calcom/lib/redirect";
 import { safeStringify } from "@calcom/lib/safeStringify";
 import { OrganizationOnboardingRepository } from "@calcom/lib/server/repository/organizationOnboarding";
 import prisma from "@calcom/prisma";
-import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
+import { teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 
 import billing from "..";
 import { TeamBillingPublishResponseStatus, type TeamBilling, type TeamBillingInput } from "./team-billing";
 
 const log = logger.getSubLogger({ prefix: ["TeamBilling"] });
 
-const teamPaymentMetadataSchema = teamMetadataSchema.unwrap();
+const teamPaymentMetadataSchema = teamMetadataStrictSchema.unwrap();
 
 export class InternalTeamBilling implements TeamBilling {
   private _team!: Omit<TeamBillingInput, "metadata"> & {

packages/features/ee/organizations/lib/server/createOrganizationFromOnboarding.ts

@@ -30,7 +30,7 @@ import {
   orgOnboardingInvitedMembersSchema,
   orgOnboardingTeamsSchema,
 } from "@calcom/prisma/zod-utils";
-import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
+import { teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 import { createTeamsHandler } from "@calcom/trpc/server/routers/viewer/organizations/createTeams.handler";
 import { inviteMembersWithNoInviterPermissionCheck } from "@calcom/trpc/server/routers/viewer/teams/inviteMember/inviteMember.handler";
 
@@ -344,7 +344,7 @@ async function backwardCompatibilityForSubscriptionDetails({
     return organization;
   }
 
-  const existingMetadata = teamMetadataSchema.parse(organization.metadata);
+  const existingMetadata = teamMetadataStrictSchema.parse(organization.metadata);
   const updatedOrganization = await OrganizationRepository.updateStripeSubscriptionDetails({
     id: organization.id,
     stripeSubscriptionId: paymentSubscriptionId,

packages/features/ee/teams/lib/payments.test.ts

@@ -338,8 +338,8 @@ describe("updateQuantitySubscriptionFromStripe", () => {
   describe("For an organization", () => {
     it("should not update subscription when team members are less than metadata.orgSeats", async () => {
       const FAKE_PAYMENT_ID = "FAKE_PAYMENT_ID";
-      const FAKE_SUBITEM_ID = "si_FAKE_SUBITEM_ID";
-      const FAKE_SUB_ID = "sub_FAKE_SUB_ID";
+      const FAKE_SUBITEM_ID = "FAKE_SUBITEM_ID";
+      const FAKE_SUB_ID = "FAKE_SUB_ID";
       const FAKE_SUBSCRIPTION_QTY_IN_STRIPE = 1000;
       const consoleInfoSpy = vi.spyOn(console, "info");
 
@@ -363,7 +363,7 @@ describe("updateQuantitySubscriptionFromStripe", () => {
           items: {
             data: [
               {
-                id: FAKE_SUBITEM_ID,
+                id: "FAKE_SUBITEM_ID",
                 quantity: FAKE_SUBSCRIPTION_QTY_IN_STRIPE,
               },
             ],
@@ -384,8 +384,8 @@ describe("updateQuantitySubscriptionFromStripe", () => {
 
     it("should update subscription when team members are more than metadata.orgSeats", async () => {
       const FAKE_PAYMENT_ID = "FAKE_PAYMENT_ID";
-      const FAKE_SUBITEM_ID = "si_FAKE_SUBITEM_ID";
-      const FAKE_SUB_ID = "sub_FAKE_SUB_ID";
+      const FAKE_SUB_ID = "FAKE_SUB_ID";
+      const FAKE_SUBITEM_ID = "FAKE_SUBITEM_ID";
       const FAKE_SUBSCRIPTION_QTY_IN_STRIPE = 1000;
       const membersInTeam = 4;
       const organization = await createOrgWithMembersAndPaymentData({
@@ -434,8 +434,8 @@ describe("updateQuantitySubscriptionFromStripe", () => {
 
     it("should not update subscription when team members are less than MINIMUM_NUMBER_OF_ORG_SEATS(if metadata.orgSeats is null)", async () => {
       const FAKE_PAYMENT_ID = "FAKE_PAYMENT_ID";
-      const FAKE_SUBITEM_ID = "si_FAKE_SUBITEM_ID";
-      const FAKE_SUB_ID = "sub_FAKE_SUB_ID";
+      const FAKE_SUBITEM_ID = "FAKE_SUBITEM_ID";
+      const FAKE_SUB_ID = "FAKE_SUB_ID";
       const FAKE_SUBSCRIPTION_QTY_IN_STRIPE = 1000;
       const membersInTeam = 2;
       const consoleInfoSpy = vi.spyOn(console, "info");
@@ -453,7 +453,7 @@ describe("updateQuantitySubscriptionFromStripe", () => {
           items: {
             data: [
               {
-                id: FAKE_SUBITEM_ID,
+                id: "FAKE_SUBITEM_ID",
                 quantity: FAKE_SUBSCRIPTION_QTY_IN_STRIPE,
               },
             ],
@@ -480,8 +480,8 @@ describe("updateQuantitySubscriptionFromStripe", () => {
 
     it("should update subscription when team members are more than MINIMUM_NUMBER_OF_ORG_SEATS(if metadata.orgSeats is null)", async () => {
       const FAKE_PAYMENT_ID = "FAKE_PAYMENT_ID";
-      const FAKE_SUBITEM_ID = "si_FAKE_SUBITEM_ID";
-      const FAKE_SUB_ID = "sub_FAKE_SUB_ID";
+      const FAKE_SUB_ID = "FAKE_SUB_ID";
+      const FAKE_SUBITEM_ID = "FAKE_SUBITEM_ID";
       const FAKE_SUBSCRIPTION_QTY_IN_STRIPE = 1000;
       const membersInTeam = 35;
       const organization = await createOrgWithMembersAndPaymentData({
@@ -537,8 +537,8 @@ describe("getTeamWithPaymentMetadata", () => {
         isOrganization: true,
         name: "TestTeam",
         metadata: {
-          subscriptionId: "sub_FAKE_SUB_ID",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
+          subscriptionId: "FAKE_SUB_ID",
+          subscriptionItemId: "FAKE_SUB_ITEM_ID",
         },
       },
     });
@@ -552,7 +552,7 @@ describe("getTeamWithPaymentMetadata", () => {
         name: "TestTeam",
         metadata: {
           paymentId: "FAKE_PAY_ID",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
+          subscriptionItemId: "FAKE_SUB_ITEM_ID",
         },
       },
     });
@@ -566,7 +566,7 @@ describe("getTeamWithPaymentMetadata", () => {
         name: "TestTeam",
         metadata: {
           paymentId: "FAKE_PAY_ID",
-          subscriptionId: "sub_FAKE_SUB_ID",
+          subscriptionId: "FAKE_SUB_ID",
         },
       },
     });
@@ -580,8 +580,8 @@ describe("getTeamWithPaymentMetadata", () => {
         name: "TestTeam",
         metadata: {
           paymentId: "FAKE_PAY_ID",
-          subscriptionId: "sub_FAKE_SUB_ID",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
+          subscriptionId: "FAKE_SUB_ID",
+          subscriptionItemId: "FAKE_SUB_ITEM_ID",
         },
       },
     });
@@ -597,65 +597,14 @@ describe("getTeamWithPaymentMetadata", () => {
         metadata: {
           orgSeats: 5,
           paymentId: "FAKE_PAY_ID",
-          subscriptionId: "sub_FAKE_SUB_ID",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
+          subscriptionId: "FAKE_SUB_ID",
+          subscriptionItemId: "FAKE_SUB_ITEM_ID",
         },
       },
     });
     const teamWithPaymentData = await getTeamWithPaymentMetadata(team.id);
     expect(teamWithPaymentData.metadata.orgSeats).toEqual(5);
   });
-
-  it("should error if subscriptionId doesn't start with 'sub_'", async () => {
-    const team = await prismock.team.create({
-      data: {
-        isOrganization: true,
-        name: "TestTeam",
-        metadata: {
-          paymentId: "FAKE_PAY_ID",
-          subscriptionId: "invalid_sub_id",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
-        },
-      },
-    });
-    expect(() => getTeamWithPaymentMetadata(team.id)).rejects.toThrow(
-      "subscriptionId must start with 'sub_'"
-    );
-  });
-
-  it("should error if subscriptionItemId doesn't start with 'si_'", async () => {
-    const team = await prismock.team.create({
-      data: {
-        isOrganization: true,
-        name: "TestTeam",
-        metadata: {
-          paymentId: "FAKE_PAY_ID",
-          subscriptionId: "sub_FAKE_SUB_ID",
-          subscriptionItemId: "invalid_item_id",
-        },
-      },
-    });
-    expect(() => getTeamWithPaymentMetadata(team.id)).rejects.toThrow(
-      "subscriptionItemId must start with 'si_'"
-    );
-  });
-
-  it("should parse successfully with valid prefixes", async () => {
-    const team = await prismock.team.create({
-      data: {
-        isOrganization: true,
-        name: "TestTeam",
-        metadata: {
-          paymentId: "FAKE_PAY_ID",
-          subscriptionId: "sub_FAKE_SUB_ID",
-          subscriptionItemId: "si_FAKE_SUB_ITEM_ID",
-        },
-      },
-    });
-    const teamWithPaymentData = await getTeamWithPaymentMetadata(team.id);
-    expect(teamWithPaymentData.metadata.subscriptionId).toEqual("sub_FAKE_SUB_ID");
-    expect(teamWithPaymentData.metadata.subscriptionItemId).toEqual("si_FAKE_SUB_ITEM_ID");
-  });
 });
 
 async function createOrgWithMembersAndPaymentData({

packages/features/ee/teams/lib/payments.ts

@@ -21,8 +21,8 @@ const log = logger.getSubLogger({ prefix: ["teams/lib/payments"] });
 const teamPaymentMetadataSchema = z.object({
   // Redefine paymentId, subscriptionId and subscriptionItemId to ensure that they are present and nonNullable
   paymentId: z.string(),
-  subscriptionId: z.string().startsWith("sub_", "subscriptionId must start with 'sub_'"),
-  subscriptionItemId: z.string().startsWith("si_", "subscriptionItemId must start with 'si_'"),
+  subscriptionId: z.string(),
+  subscriptionItemId: z.string(),
   orgSeats: teamMetadataSchema.unwrap().shape.orgSeats,
 });
 

packages/lib/server/repository/organization.ts

@@ -6,6 +6,7 @@ import { safeStringify } from "@calcom/lib/safeStringify";
 import { prisma } from "@calcom/prisma";
 import { MembershipRole } from "@calcom/prisma/enums";
 import type { CreationSource } from "@calcom/prisma/enums";
+import type { teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
 
 import { createAProfileForAnExistingUser } from "../../createAProfileForAnExistingUser";
@@ -448,7 +449,7 @@ export class OrganizationRepository {
     id: number;
     stripeSubscriptionId: string;
     stripeSubscriptionItemId: string;
-    existingMetadata: z.infer<typeof teamMetadataSchema>;
+    existingMetadata: z.infer<typeof teamMetadataStrictSchema>;
   }) {
     return await prisma.team.update({
       where: { id, isOrganization: true },

packages/prisma/zod-utils.ts

@@ -372,11 +372,29 @@ export enum BillingPeriod {
   ANNUALLY = "ANNUALLY",
 }
 
-export const teamMetadataSchema = z
-  .object({
-    defaultConferencingApp: schemaDefaultConferencingApp.optional(),
-    requestedSlug: z.string().or(z.null()),
-    paymentId: z.string(),
+const baseTeamMetadataSchema = z.object({
+  defaultConferencingApp: schemaDefaultConferencingApp.optional(),
+  requestedSlug: z.string().or(z.null()),
+  paymentId: z.string(),
+  subscriptionId: z.string().nullable(),
+  subscriptionItemId: z.string().nullable(),
+  orgSeats: z.number().nullable(),
+  orgPricePerSeat: z.number().nullable(),
+  migratedToOrgFrom: z
+    .object({
+      teamSlug: z.string().or(z.null()).optional(),
+      lastMigrationTime: z.string().optional(),
+      reverted: z.boolean().optional(),
+      lastRevertTime: z.string().optional(),
+    })
+    .optional(),
+  billingPeriod: z.nativeEnum(BillingPeriod).optional(),
+});
+
+export const teamMetadataSchema = baseTeamMetadataSchema.partial().nullable();
+
+export const teamMetadataStrictSchema = baseTeamMetadataSchema
+  .extend({
     subscriptionId: z
       .string()
       .refine((val) => val.startsWith("sub_"), {
@@ -389,17 +407,6 @@ export const teamMetadataSchema = z
         message: "subscriptionItemId must start with 'si_'",
       })
       .nullable(),
-    orgSeats: z.number().nullable(),
-    orgPricePerSeat: z.number().nullable(),
-    migratedToOrgFrom: z
-      .object({
-        teamSlug: z.string().or(z.null()).optional(),
-        lastMigrationTime: z.string().optional(),
-        reverted: z.boolean().optional(),
-        lastRevertTime: z.string().optional(),
-      })
-      .optional(),
-    billingPeriod: z.nativeEnum(BillingPeriod).optional(),
   })
   .partial()
   .nullable();

packages/trpc/server/routers/viewer/organizations/adminUpdate.handler.ts

@@ -4,7 +4,7 @@ import { renameDomain } from "@calcom/lib/domainManager/organization";
 import { getMetadataHelpers } from "@calcom/lib/getMetadataHelpers";
 import { HttpError } from "@calcom/lib/http-error";
 import { prisma } from "@calcom/prisma";
-import { teamMetadataSchema } from "@calcom/prisma/zod-utils";
+import { teamMetadataStrictSchema } from "@calcom/prisma/zod-utils";
 
 import type { TrpcSessionUser } from "../../../types";
 import type { TAdminUpdate } from "./adminUpdate.schema";
@@ -34,7 +34,7 @@ export const adminUpdateHandler = async ({ input }: AdminUpdateOptions) => {
     });
   }
 
-  const { mergeMetadata } = getMetadataHelpers(teamMetadataSchema.unwrap(), existingOrg.metadata || {});
+  const { mergeMetadata } = getMetadataHelpers(teamMetadataStrictSchema.unwrap(), existingOrg.metadata || {});
 
   const data: Prisma.TeamUpdateArgs["data"] = restInput;