mirror of
https://github.com/umami-software/umami.git
synced 2026-02-09 23:27:12 +01:00
Feat/um 114 roles and permissions (#1683)
* Auth checkpoint. * Merge branch 'dev' into feat/um-114-roles-and-permissions
This commit is contained in:
Brian Cao
GitHub
parent
a4e80ca3e5
commit
06bebadbb9
27 changed files with 331 additions and 482 deletions
|
|
@ -1,7 +1,6 @@
|
|||
import { Team } from '@prisma/client';
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canDeleteTeam, canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
|
|
@ -21,12 +20,16 @@ export default async (
|
|||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const user = await getTeam({ id: teamId });
|
||||
|
||||
return ok(res, user);
|
||||
|
|
@ -35,7 +38,7 @@ export default async (
|
|||
if (req.method === 'POST') {
|
||||
const { name } = req.body;
|
||||
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
|
|
@ -45,7 +48,7 @@ export default async (
|
|||
}
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canDeleteTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
|
|
@ -22,10 +21,13 @@ export default async (
|
|||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
|
|
@ -35,7 +37,7 @@ export default async (
|
|||
}
|
||||
|
||||
if (req.method === 'POST') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
|
|
@ -54,7 +56,7 @@ export default async (
|
|||
}
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
const { team_user_id } = req.body;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
|
|
@ -21,10 +20,13 @@ export default async (
|
|||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,9 +1,10 @@
|
|||
import { Team } from '@prisma/client';
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { canCreateTeam } from 'lib/auth';
|
||||
import { uuid } from 'lib/crypto';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { badRequest, methodNotAllowed, ok } from 'next-basics';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { createTeam, getTeam, getTeamsByUserId } from 'queries';
|
||||
export interface TeamsRequestBody {
|
||||
name: string;
|
||||
|
|
@ -17,16 +18,20 @@ export default async (
|
|||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id },
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
const teams = await getTeamsByUserId(id);
|
||||
const teams = await getTeamsByUserId(userId);
|
||||
|
||||
return ok(res, teams);
|
||||
}
|
||||
|
||||
if (req.method === 'POST') {
|
||||
if (await canCreateTeam(userId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const { name } = req.body;
|
||||
|
||||
const team = await getTeam({ name });
|
||||
|
|
@ -36,7 +41,7 @@ export default async (
|
|||
}
|
||||
|
||||
const created = await createTeam({
|
||||
id: id || uuid(),
|
||||
id: uuid(),
|
||||
name,
|
||||
});
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue