watson/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-02-04 04:37:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Feat/um 114 roles and permissions (#1683)

Browse source 
* Auth checkpoint.

* Merge branch 'dev' into feat/um-114-roles-and-permissions
This commit is contained in:
Brian Cao 2022-12-01 20:53:37 -08:00 committed by GitHub
parent a4e80ca3e5
commit 06bebadbb9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 331 additions and 482 deletions
Download patch file Download diff file Expand all files Collapse all files

181
lib/auth.ts
View file

@ -1,10 +1,10 @@
import { UserRole } from '@prisma/client';
import debug from 'debug';
import { NextApiRequestAuth } from 'interface/api/nextApi';
import cache from 'lib/cache';
import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
import { secret } from 'lib/crypto';
import { parseSecureToken, parseToken } from 'next-basics';
import { getPermissionsByUserId, getTeamUser, getUser } from 'queries';
import { getTeamUser, getUserRoles } from 'queries';
const log = debug('umami:auth');
@ -34,13 +34,6 @@ export function parseShareToken(req) {
}
}
export function hasPermission(
value: UmamiApi.Role | UmamiApi.Permission,
permissions: UmamiApi.Role[] | UmamiApi.Permission[],
) {
return permissions.some(a => a === value);
}
export function isValidToken(token, validation) {
try {
if (typeof validation === 'object') {
@ -56,71 +49,6 @@ export function isValidToken(token, validation) {
return false;
}
export async function allowQuery(
req: NextApiRequestAuth,
type: UmamiApi.AuthType,
typeId?: string,
) {
const { id } = req.query as { id: string };
const { user, shareToken } = req.auth;
if (shareToken) {
return isValidToken(shareToken, { id });
}
if (user?.id) {
if (type === UmamiApi.AuthType.Website) {
const website = await cache.fetchWebsite(typeId ?? id);
if (website && website.userId === user.id) {
return true;
}
if (website.teamId) {
const teamUser = getTeamUser({ userId: user.id, teamId: website.teamId, isDeleted: false });
return teamUser;
}
return false;
} else if (type === UmamiApi.AuthType.User) {
const user = await getUser({ id });
return user && user.id === id;
} else if (type === UmamiApi.AuthType.Team) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return teamUser;
} else if (type === UmamiApi.AuthType.TeamOwner) {
const teamUser = await getTeamUser({
userId: user.id,
teamId: typeId ?? id,
});
return (
teamUser &&
(teamUser.roleId === UmamiApi.Role.TeamOwner || teamUser.roleId === UmamiApi.Role.Admin)
);
}
}
return false;
}
export async function checkPermission(req: NextApiRequestAuth, type: UmamiApi.Permission) {
const {
user: { id: userId },
} = req.auth;
const userRole = await getPermissionsByUserId(userId, type);
return userRole.length > 0;
}
export async function canViewWebsite(userId: string, websiteId: string) {
const website = await cache.fetchWebsite(websiteId);
@ -128,7 +56,13 @@ export async function canViewWebsite(userId: string, websiteId: string) {
return userId === website.userId;
}
return false;
if (website.teamId) {
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
}
return checkAdmin(userId);
}
export async function canUpdateWebsite(userId: string, websiteId: string) {
@ -138,5 +72,100 @@ export async function canUpdateWebsite(userId: string, websiteId: string) {
return userId === website.userId;
}
return false;
if (website.teamId) {
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
}
return checkAdmin(userId);
}
export async function canDeleteWebsite(userId: string, websiteId: string) {
const website = await cache.fetchWebsite(websiteId);
if (website.userId) {
return userId === website.userId;
}
if (website.teamId) {
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
if (checkPermission(UmamiApi.Permission.websiteDelete, teamUser.role as keyof UmamiApi.Roles)) {
return true;
}
}
return checkAdmin(userId);
}
// To-do: Implement when payments are setup.
export async function canCreateTeam(userId: string) {
return !!userId;
}
// To-do: Implement when payments are setup.
export async function canViewTeam(userId: string, teamId) {
const teamUser = await getTeamUser({ userId, teamId });
return !!teamUser;
}
export async function canUpdateTeam(userId: string, teamId: string) {
const teamUser = await getTeamUser({ userId, teamId });
if (checkPermission(UmamiApi.Permission.teamUpdate, teamUser.role as keyof UmamiApi.Roles)) {
return true;
}
}
export async function canDeleteTeam(userId: string, teamId: string) {
const teamUser = await getTeamUser({ userId, teamId });
if (checkPermission(UmamiApi.Permission.teamDelete, teamUser.role as keyof UmamiApi.Roles)) {
return true;
}
}
export async function canCreateUser(userId: string) {
return checkAdmin(userId);
}
export async function canViewUser(userId: string, viewedUserId: string) {
if (userId === viewedUserId) {
return true;
}
return checkAdmin(userId);
}
export async function canViewUsers(userId: string) {
return checkAdmin(userId);
}
export async function canUpdateUser(userId: string, viewedUserId: string) {
if (userId === viewedUserId) {
return true;
}
return checkAdmin(userId);
}
export async function canUpdateUserRole(userId: string) {
return checkAdmin(userId);
}
export async function canDeleteUser(userId: string) {
return checkAdmin(userId);
}
export async function checkPermission(permission: UmamiApi.Permission, role: keyof UmamiApi.Roles) {
return UmamiApi.Roles[role].permissions.some(a => a === permission);
}
export async function checkAdmin(userId: string, userRoles?: UserRole[]) {
if (!userRoles) {
userRoles = await getUserRoles({ userId });
}
return userRoles.some(a => a.role === UmamiApi.Role.Admin);
}

80
lib/constants.ts
View file

@ -9,52 +9,56 @@ export namespace UmamiApi {
Website,
User,
Team,
TeamOwner,
}
export enum Permission {
Admin = 'Admin',
WebsiteCreate = 'website:create',
WebsiteRead = 'website:read',
WebsiteUpdate = 'website:update',
WebsiteReset = 'website:reset',
WebsiteDelete = 'website:delete',
TeamCreate = 'team:create',
TeamUpdate = 'team:update',
TeamDelete = 'team:delete',
TeamAddUser = 'team:add-user',
TeamRemoveUser = 'team:remove-user',
all = 'all',
websiteCreate = 'website:create',
websiteUpdate = 'website:update',
websiteDelete = 'website:delete',
teamCreate = 'team:create',
teamUpdate = 'team:update',
teamDelete = 'team:delete',
}
export enum Role {
Admin = 'Admin',
Member = 'Member',
TeamOwner = 'Team Owner',
TeamMember = 'Team Member',
TeamGuest = 'Team Guest,',
Admin = 'admin',
User = 'user',
TeamOwner = 'team-owner',
TeamMember = 'team-member',
TeamGuest = 'team-guest',
}
export const Roles = {
admin: { name: Role.Admin, permissions: [Permission.all] },
member: {
name: Role.User,
permissions: [
Permission.websiteCreate,
Permission.websiteUpdate,
Permission.websiteDelete,
Permission.teamCreate,
],
},
teamOwner: {
name: Role.TeamOwner,
permissions: [
Permission.teamUpdate,
Permission.teamDelete,
Permission.websiteCreate,
Permission.websiteUpdate,
Permission.websiteDelete,
],
},
teamMember: {
name: Role.TeamMember,
permissions: [Permission.websiteCreate, Permission.websiteUpdate, Permission.websiteDelete],
},
teamGuest: { name: Role.TeamGuest, permissions: [] },
};
export type Roles = typeof Roles;
}
export const PERMISSIONS = {
all: 'all',
websiteCreate: 'website:create',
websiteUpdate: 'website:update',
websiteDelete: 'website:delete',
teamCreate: 'team:create',
teamUpdate: 'team:update',
teamDelete: 'team:delete',
};
export const ROLES = {
admin: { name: 'admin', permissions: [PERMISSIONS.all] },
teamOwner: { name: 'team-owner', permissions: [PERMISSIONS.teamUpdate, PERMISSIONS.teamDelete] },
teamMember: {
name: 'team-member',
permissions: [PERMISSIONS.websiteCreate, PERMISSIONS.websiteUpdate, PERMISSIONS.websiteDelete],
},
teamGuest: { name: 'team-guest' },
};
export const CURRENT_VERSION = process.env.currentVersion;
export const AUTH_TOKEN = 'umami.auth';
export const LOCALE_CONFIG = 'umami.locale';