From 942bb8f114a686a06f7873f2f22b217632c4506f Mon Sep 17 00:00:00 2001
From: Dolu
Date: Sun, 25 Sep 2022 17:09:01 +0200
Subject: [PATCH] fix: add verification that current user is a member of the project

---
 api/functions/graphql/types/project.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/functions/graphql/types/project.js b/api/functions/graphql/types/project.js
index 42d56be..ef7bf46 100644
--- a/api/functions/graphql/types/project.js
+++ b/api/functions/graphql/types/project.js
@@ -766,7 +766,12 @@ const updateProject = extendType({
 },
 })
 
- // Maker can't project info
+ // Verifying current user is a member
+ if (!project.members.some((m) => m.userId === user.id)) {
+ throw new ApolloError("You don't have permission to update this project")
+ }
+
+ // Maker can't change project info
 if (project.members.find((m) => m.userId === user.id)?.role === ROLE_MAKER) {
 throw new ApolloError("Makers can't change project info")
 }
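Review bot: The membership check and the maker check scan `project.members` separately, and the second still uses `?.`, the construct that let non-members fall through before this fix. A single lookup, `const member = project.members.find((m) => m.userId === user.id)` followed by `if (!member) throw ...` and `if (member.role === ROLE_MAKER) throw ...`, makes the deny-by-default path explicit. The role test is still a denylist, so any role other than ROLE_MAKER may update; if the project has a known set of editing roles, comparing against that set would fail closed on unexpected values. The resolver starts outside the hunk, so it is not visible whether `user` is guaranteed non-null here; if unauthenticated requests can reach this line, `user.id` throws a TypeError rather than a permission error. The commit touches only this file, so a regression test for the non-member case would be worth adding.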