Add permission checks for referral server actions (#3396)

Author: devkiran

apps/web/lib/actions/referrals/mark-referral-closed-lost.ts

@@ -9,6 +9,7 @@ import { prisma } from "@dub/prisma";
 import { ReferralStatus } from "@dub/prisma/client";
 import { waitUntil } from "@vercel/functions";
 import { authActionClient } from "../safe-action";
+import { throwIfNoPermission } from "../throw-if-no-permission";
 
 // Mark a partner referral as closed lost
 export const markReferralClosedLostAction = authActionClient
@@ -17,6 +18,11 @@ export const markReferralClosedLostAction = authActionClient
     const { workspace } = ctx;
     const { referralId, notes } = parsedInput;
 
+    throwIfNoPermission({
+      role: workspace.role,
+      requiredRoles: ["owner", "member"],
+    });
+
     const programId = getDefaultProgramIdOrThrow(workspace);
 
     const partnerReferral = await getReferralOrThrow({

apps/web/lib/actions/referrals/mark-referral-closed-won.ts

@@ -10,6 +10,7 @@ import { prisma } from "@dub/prisma";
 import { ReferralStatus } from "@dub/prisma/client";
 import { waitUntil } from "@vercel/functions";
 import { authActionClient } from "../safe-action";
+import { throwIfNoPermission } from "../throw-if-no-permission";
 
 // Mark a partner referral as closed won
 export const markReferralClosedWonAction = authActionClient
@@ -18,6 +19,11 @@ export const markReferralClosedWonAction = authActionClient
     const { workspace } = ctx;
     const { referralId, saleAmount, stripeCustomerId, notes } = parsedInput;
 
+    throwIfNoPermission({
+      role: workspace.role,
+      requiredRoles: ["owner", "member"],
+    });
+
     const programId = getDefaultProgramIdOrThrow(workspace);
 
     const referral = await getReferralOrThrow({

apps/web/lib/actions/referrals/mark-referral-qualified.ts

@@ -13,6 +13,7 @@ import { ReferralStatus } from "@dub/prisma/client";
 import { pick } from "@dub/utils";
 import { waitUntil } from "@vercel/functions";
 import { authActionClient } from "../safe-action";
+import { throwIfNoPermission } from "../throw-if-no-permission";
 
 // Mark a partner referral as qualified
 export const markReferralQualifiedAction = authActionClient
@@ -21,6 +22,11 @@ export const markReferralQualifiedAction = authActionClient
     const { workspace } = ctx;
     const { referralId, externalId, notes } = parsedInput;
 
+    throwIfNoPermission({
+      role: workspace.role,
+      requiredRoles: ["owner", "member"],
+    });
+
     const programId = getDefaultProgramIdOrThrow(workspace);
 
     const referral = await getReferralOrThrow({

apps/web/lib/actions/referrals/mark-referral-unqualified.ts

@@ -9,6 +9,7 @@ import { prisma } from "@dub/prisma";
 import { ReferralStatus } from "@dub/prisma/client";
 import { waitUntil } from "@vercel/functions";
 import { authActionClient } from "../safe-action";
+import { throwIfNoPermission } from "../throw-if-no-permission";
 
 // Mark a partner referral as unqualified
 export const markReferralUnqualifiedAction = authActionClient
@@ -17,6 +18,11 @@ export const markReferralUnqualifiedAction = authActionClient
     const { workspace } = ctx;
     const { referralId, notes } = parsedInput;
 
+    throwIfNoPermission({
+      role: workspace.role,
+      requiredRoles: ["owner", "member"],
+    });
+
     const programId = getDefaultProgramIdOrThrow(workspace);
 
     const partnerReferral = await getReferralOrThrow({

apps/web/lib/actions/referrals/submit-referral.ts

@@ -3,14 +3,14 @@
 import { createId } from "@/lib/api/create-id";
 import { DubApiError } from "@/lib/api/errors";
 import { getProgramEnrollmentOrThrow } from "@/lib/api/programs/get-program-enrollment-or-throw";
+import { notifyPartnerReferralSubmitted } from "@/lib/api/referrals/notify-partner-referral-submitted";
 import { REFERRAL_FORM_REQUIRED_FIELD_KEYS } from "@/lib/referrals/constants";
 import {
   formFieldSchema,
   referralFormSchema,
   referralRequiredFieldsSchema,
 } from "@/lib/zod/schemas/referral-form";
 import { createPartnerReferralSchema } from "@/lib/zod/schemas/referrals";
-import { notifyPartnerReferralSubmitted } from "@/lib/api/referrals/notify-partner-referral-submitted";
 import { prisma } from "@dub/prisma";
 import { Prisma } from "@dub/prisma/client";
 import { COUNTRIES } from "@dub/utils";