feat: authorization in deletePerson action (#1063)

apps/web/app/(app)/environments/[environmentId]/people/[personId]/actions.ts

@@ -1,7 +1,17 @@
 "use server";
 
+import { authOptions } from "@formbricks/lib/authOptions";
+import { getServerSession } from "next-auth";
+import { AuthorizationError } from "@formbricks/types/v1/errors";
 import { deletePerson } from "@formbricks/lib/person/service";
+import { canUserAccessPerson } from "@formbricks/lib/person/auth";
 
 export const deletePersonAction = async (personId: string) => {
+  const session = await getServerSession(authOptions);
+  if (!session) throw new AuthorizationError("Not authorized");
+
+  const isAuthorized = await canUserAccessPerson(session.user.id, personId);
+  if (!isAuthorized) throw new AuthorizationError("Not authorized");
+
   await deletePerson(personId);
 };

packages/lib/person/auth.ts

@@ -0,0 +1,27 @@
+import "server-only";
+
+import { ZId } from "@formbricks/types/v1/environment";
+import { validateInputs } from "../utils/validate";
+import { hasUserEnvironmentAccess } from "../environment/auth";
+import { getPersonCached } from "./service";
+import { unstable_cache } from "next/cache";
+import { SERVICES_REVALIDATION_INTERVAL } from "../constants";
+
+export const canUserAccessPerson = async (userId: string, personId: string): Promise<boolean> =>
+  await unstable_cache(
+    async () => {
+      validateInputs([userId, ZId], [personId, ZId]);
+      if (!userId) return false;
+
+      const person = await getPersonCached(personId);
+      if (!person) return false;
+
+      const hasAccessToEnvironment = await hasUserEnvironmentAccess(userId, person.environmentId);
+      if (!hasAccessToEnvironment) return false;
+
+      return true;
+    },
+
+    [`users-${userId}-persons-${personId}`],
+    { revalidate: SERVICES_REVALIDATION_INTERVAL, tags: [`persons-${personId}`] }
+  )();