diff --git a/apps/web/components/editor/pdf-signer.tsx b/apps/web/components/editor/pdf-signer.tsx
index a7988e7e9..da0f0180d 100644
--- a/apps/web/components/editor/pdf-signer.tsx
+++ b/apps/web/components/editor/pdf-signer.tsx
@@ -173,7 +173,11 @@ export default function PDFSigner(props: any) {
 FieldType.FREE_SIGNATURE
 );
- createOrUpdateField(props.document, freeSignatureField).then((res) => {
+ createOrUpdateField(
+ props.document,
+ freeSignatureField,
+ recipient.token
+ ).then((res) => {
 setFields(fields.concat(res));
 setDialogField(res);
 setOpen(true);
diff --git a/apps/web/pages/api/documents/[id]/fields/index.ts b/apps/web/pages/api/documents/[id]/fields/index.ts
index 9aa2366d1..861b4c672 100644
--- a/apps/web/pages/api/documents/[id]/fields/index.ts
+++ b/apps/web/pages/api/documents/[id]/fields/index.ts
@@ -36,8 +36,10 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
 }
 
 async function postHandler(req: NextApiRequest, res: NextApiResponse) {
- const user = await getUserFromToken(req, res);
- const { id: documentId } = req.query;
+ const { token: recipientToken } = req.query;
+ let user = null;
+ if (!recipientToken) user = await getUserFromToken(req, res);
+ if (!user && !recipientToken) return res.status(401).end();
 const body: {
 id: number;
 type: FieldType;
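Review bot: The new call dereferences `recipient.token` unconditionally, yet `recipient` is declared outside the hunk, so if PDFSigner can also run for the document owner with no recipient selected, the free-signature flow throws before the field is saved; in that case `recipient?.token ?? ""` would match the empty default the helper now accepts — worth confirming against where `recipient` is set. The `.then` chain still has no rejection path of its own, so a 401 from the server's new recipient check is only visible if createOrUpdateField surfaces it. PDFSigner's body starts and ends outside the hunk.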
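Review bot: `recipientToken` comes straight from `req.query`, whose values are `string | string[] | undefined`, so a repeated `token` parameter arrives as an array that passes the `!recipientToken` guard on the new line and is later flattened by `.toString()` in the next hunk; reject it early with `if (recipientToken !== undefined && typeof recipientToken !== "string") return res.status(400).end();`. The removed `if (!user) return;` in the following hunk suggests getUserFromToken already writes its own 401 on failure; if so, the new `return res.status(401).end()` on the same path responds a second time — verify before keeping both. `let user = null;` relies on evolving-type inference for the later `user.id` access; `let user: Awaited<ReturnType<typeof getUserFromToken>> | null = null;` states the intent explicitly. postHandler continues past the hunk.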
@@ -48,18 +50,30 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
 customText: string;
 } = req.body;
 
- if (!user) return;
-
+ const { id: documentId } = req.query;
 if (!documentId) {
- res.status(400).send("Missing parameter documentId.");
- return;
+ return res.status(400).send("Missing parameter documentId.");
 }
 
- const document: PrismaDocument = await getDocument(+documentId, req, res);
+ if (recipientToken) {
+ const recipient = await prisma.recipient.findFirst({
+ where: { token: recipientToken?.toString() },
+ });
 
- // todo entity ownerships checks
- if (document.userId !== user.id) {
- return res.status(401).send("User does not have access to this document.");
+ if (!recipient || recipient?.documentId !== +documentId)
+ return res
+ .status(401)
+ .send("Recipient does not have access to this document.");
+ }
+
+ if (user) {
+ const document: PrismaDocument = await getDocument(+documentId, req, res);
+ // todo entity ownerships checks
+ if (document.userId !== user.id) {
+ return res
+ .status(401)
+ .send("User does not have access to this document.");
+ }
 }
 
 const field = await prisma.field.upsert({
diff --git a/packages/lib/api/createOrUpdateField.ts b/packages/lib/api/createOrUpdateField.ts
index 08ad993f5..62cccb3ce 100644
--- a/packages/lib/api/createOrUpdateField.ts
+++ b/packages/lib/api/createOrUpdateField.ts
@@ -2,11 +2,12 @@ import toast from "react-hot-toast";
 
 export const createOrUpdateField = async (
 document: any,
- field: any
+ field: any,
+ recipientToken: string = ""
 ): Promise => {
 try {
 const created = await toast.promise(
- fetch("/api/documents/" + document.id + "/fields", {
+ fetch("/api/documents/" + document.id + "/fields?token=" + recipientToken, {
 method: "POST",
 headers: {
 "Content-Type": "application/json",
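Review bot: The recipient branch only proves that the token belongs to some recipient of this document; nothing in the hunk ties the field being written to that recipient, so a signing token could authorize upserting any field on the document, including one addressed by `body.id` that belongs to another signer. The `prisma.field.upsert` call starts after the hunk, so confirm its `where` and `data` are scoped by `+documentId` and `recipient.id` rather than trusting `body.id` alone, and if the schema records recipient state (already signed, document completed) check it here as well before granting the write. Minor: inside `if (recipientToken)` the `?.` in `recipientToken?.toString()` and in `recipient?.documentId` (after the `!recipient` test) can never apply and should be dropped so the guard reads as intended. postHandler continues past the hunk.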
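Review bot: The token is concatenated into the query string unescaped on the new `fetch` line, so a value containing `&`, `#`, `+` or `%` would be truncated or altered before it reaches the server; encode it, `fetch("/api/documents/" + document.id + "/fields?token=" + encodeURIComponent(recipientToken), {`. Because the token is the sole credential on the recipient path, carrying it in the URL also places it in server and proxy access logs and browser history; a request header or the JSON body would keep it out of them. The empty-string default means every call by the authenticated owner now sends `?token=`, which only works because the server treats an empty token as absent — document that on the parameter with `/** Signing token of the recipient making the change; empty when the document owner edits. */`.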