From 33811f9349ebe95322aab918141cae7fcf97d8e1 Mon Sep 17 00:00:00 2001
From: Matti Nannt
Date: Wed, 5 Jul 2023 16:01:45 +0200
Subject: [PATCH] Improve Authorization Checks in Layout (#487)
---
 apps/web/app/environments/[environmentId]/layout.tsx | 5 +++++
 apps/web/app/environments/[environmentId]/people/page.tsx | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/web/app/environments/[environmentId]/layout.tsx b/apps/web/app/environments/[environmentId]/layout.tsx
index 5633cffcb5..5b6b36d636 100644
--- a/apps/web/app/environments/[environmentId]/layout.tsx
+++ b/apps/web/app/environments/[environmentId]/layout.tsx
@@ -6,12 +6,17 @@ import { authOptions } from "@/app/api/auth/[...nextauth]/authOptions";
 import PosthogIdentify from "./PosthogIdentify";
 import FormbricksClient from "../../FormbricksClient";
 import { PosthogClientWrapper } from "../../PosthogClientWrapper";
+import { hasUserEnvironmentAccess } from "@/lib/api/apiHelper";
 export default async function EnvironmentLayout({ children, params }) {
 const session = await getServerSession(authOptions);
 if (!session) {
 return redirect(`/auth/login`);
 }
+ const hasAccess = await hasUserEnvironmentAccess(session.user, params.environmentId);
+ if (!hasAccess) {
+ throw new Error("User does not have access to this environment");
+ }
 return (
 <>
diff --git a/apps/web/app/environments/[environmentId]/people/page.tsx b/apps/web/app/environments/[environmentId]/people/page.tsx
index b7800835d5..434be75a6a 100644
--- a/apps/web/app/environments/[environmentId]/people/page.tsx
+++ b/apps/web/app/environments/[environmentId]/people/page.tsx
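Review bot: The `hasUserEnvironmentAccess` check added after the session guard in layout.tsx only runs when EnvironmentLayout itself renders, so it should not be the sole gate for data under `[environmentId]`. As far as I know, App Router layouts are not re-rendered on client-side navigation between child routes, and child pages load their own data (people/page.tsx in this patch imports `getPeople`), so each page, or the service function it calls, should repeat the check before reading by `params.environmentId`. I would add `// Defence in depth: child pages and API routes must still verify environment access themselves.` above the new lines. `params` is also untyped here, so it is worth confirming that the helper rejects a missing or malformed `environmentId` rather than treating it as a match. The body of EnvironmentLayout continues past the end of the hunk.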
@@ -4,6 +4,7 @@ import EmptySpaceFiller from "@/components/shared/EmptySpaceFiller"; import { truncateMiddle } from "@/lib/utils"; import { TransformPersonOutput, getPeople } from "@formbricks/lib/services/person"; import { PersonAvatar } from "@formbricks/ui"; +import Link from "next/link"; const getAttributeValue = (person: TransformPersonOutput, attributeName: string) => person.attributes[attributeName]?.toString(); @@ -23,7 +24,7 @@ export default async function PeoplePage({ params }) {
Email
{people.map((person) => ( - @@ -53,7 +54,7 @@ export default async function PeoplePage({ params }) {
{getAttributeValue(person, "email")}
-
+ ))} )}