( requestId: string, scheduleId: string, userId: string, action: 'read' | 'write' )
| 30 | type ScheduleRow = typeof workflowSchedule.$inferSelect |
| 31 | |
| 32 | async function fetchAndAuthorize( |
| 33 | requestId: string, |
| 34 | scheduleId: string, |
| 35 | userId: string, |
| 36 | action: 'read' | 'write' |
| 37 | ): Promise<{ schedule: ScheduleRow; workspaceId: string | null } | NextResponse> { |
| 38 | const [schedule] = await db |
| 39 | .select() |
| 40 | .from(workflowSchedule) |
| 41 | .where(and(eq(workflowSchedule.id, scheduleId), isNull(workflowSchedule.archivedAt))) |
| 42 | .limit(1) |
| 43 | |
| 44 | if (!schedule) { |
| 45 | logger.warn(`[${requestId}] Schedule not found: ${scheduleId}`) |
| 46 | return NextResponse.json({ error: 'Schedule not found' }, { status: 404 }) |
| 47 | } |
| 48 | |
| 49 | if (schedule.sourceType === 'job') { |
| 50 | if (!schedule.sourceWorkspaceId) { |
| 51 | return NextResponse.json({ error: 'Job has no workspace' }, { status: 400 }) |
| 52 | } |
| 53 | const permission = await verifyWorkspaceMembership(userId, schedule.sourceWorkspaceId) |
| 54 | const canWrite = permission === 'admin' || permission === 'write' |
| 55 | if (!permission || (action === 'write' && !canWrite)) { |
| 56 | return NextResponse.json({ error: 'Not authorized' }, { status: 403 }) |
| 57 | } |
| 58 | return { schedule, workspaceId: schedule.sourceWorkspaceId } |
| 59 | } |
| 60 | |
| 61 | if (!schedule.workflowId) { |
| 62 | logger.warn(`[${requestId}] Schedule has no workflow: ${scheduleId}`) |
| 63 | return NextResponse.json({ error: 'Schedule has no associated workflow' }, { status: 400 }) |
| 64 | } |
| 65 | |
| 66 | const authorization = await authorizeWorkflowByWorkspacePermission({ |
| 67 | workflowId: schedule.workflowId, |
| 68 | userId, |
| 69 | action, |
| 70 | }) |
| 71 | |
| 72 | if (!authorization.workflow) { |
| 73 | logger.warn(`[${requestId}] Workflow not found for schedule: ${scheduleId}`) |
| 74 | return NextResponse.json({ error: 'Workflow not found' }, { status: 404 }) |
| 75 | } |
| 76 | |
| 77 | if (!authorization.allowed) { |
| 78 | logger.warn(`[${requestId}] User not authorized to modify schedule: ${scheduleId}`) |
| 79 | return NextResponse.json( |
| 80 | { error: authorization.message || 'Not authorized to modify this schedule' }, |
| 81 | { status: authorization.status } |
| 82 | ) |
| 83 | } |
| 84 | |
| 85 | return { schedule, workspaceId: authorization.workflow.workspaceId ?? null } |
| 86 | } |
| 87 | |
| 88 | export const GET = withRouteHandler( |
| 89 | async (request: NextRequest, context: { params: Promise<{ id: string }> }) => { |
no test coverage detected