removed userId from body of updateSettings api cal

src/app/api/portfolio/[portfolioId]/route.ts

@@ -14,6 +14,7 @@ import {
   property,
 } from "@/app/db/schema/property";
 import { eq, inArray } from "drizzle-orm";
+import { z } from "zod";
 
 export async function PUT(
   request: NextRequest,
@@ -22,12 +23,6 @@ export async function PUT(
   const body = await request.json();
   const portfolioId = params.portfolioId;
 
-  // We'll eventually veryify the user is authorized to update this portfolio
-  const userId = body.userId;
-
-  delete body.userId;
-
-  // Update the database
   await db
     .update(portfolio)
     .set(body)

src/app/portfolio/[slug]/(portfolio)/settings/PortfolioSettings.tsx

@@ -69,7 +69,6 @@ type updateSettingsArgs = {
 };
 
 type bodyType = {
-  userId: string;
   name?: string;
   budget?: number | string;
   goal?: string;
@@ -84,14 +83,33 @@ const updateSettings = async ({
   goal,
   status,
 }: updateSettingsArgs) => {
+  const permissionsReponse = await fetch(
+    `/api/portfolio/${portfolioId}/permissions`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        userId: userId.toString(),
+        action: "update",
+      }),
+    }
+  );
+
+  const permissionsData = await permissionsReponse.json();
+  const permitted = permissionsData.permitted;
+  console.log("USER IS PERMITTED TO DO THIS!!!!")
+  // If the user is not permitted to delete the portfolio, we'll throw an error
+  if (!permitted) {
+    throw new Error("User is not permitted to update this portfolio");
+  }
   // We convert the the bigint to a string since big ints are not serialisable and we don't want to loose precision
 
   // We will create a js object with the starting values
   // We will then update the values that are not null
 
-  const body: bodyType = {
-    userId: userId.toString(),
-  };
+  const body: bodyType = {}
 
   if (name) {
     body.name = name;