watson/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-02-06 21:57:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Add admin check. (#1716)

Browse source 
* Add admin check.

* Fix teamId check.
This commit is contained in:
Brian Cao 2022-12-27 15:18:58 -08:00 committed by GitHub
parent c90bd941b5
commit 561cde6e7e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 133 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

9
pages/api/teams/[id]/index.ts
View file

@ -20,13 +20,10 @@ export default async (
) => {
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (!(await canViewTeam(userId, teamId))) {
if (!(await canViewTeam(req.auth, teamId))) {
return unauthorized(res);
}
@ -38,7 +35,7 @@ export default async (
if (req.method === 'POST') {
const { name } = req.body;
if (!(await canUpdateTeam(userId, teamId))) {
if (!(await canUpdateTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}
@ -48,7 +45,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (!(await canDeleteTeam(userId, teamId))) {
if (!(await canDeleteTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}

9
pages/api/teams/[id]/users.ts
View file

@ -21,13 +21,10 @@ export default async (
) => {
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (!(await canViewTeam(userId, teamId))) {
if (!(await canViewTeam(req.auth, teamId))) {
return unauthorized(res);
}
@ -37,7 +34,7 @@ export default async (
}
if (req.method === 'POST') {
if (!(await canUpdateTeam(userId, teamId))) {
if (!(await canUpdateTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}
@ -56,7 +53,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (await canUpdateTeam(userId, teamId)) {
if (await canUpdateTeam(req.auth, teamId)) {
return unauthorized(res, 'You must be the owner of this team.');
}
const { teamUserId } = req.body;

5
pages/api/teams/[id]/websites.ts
View file

@ -20,13 +20,10 @@ export default async (
) => {
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (await canViewTeam(userId, teamId)) {
if (await canViewTeam(req.auth, teamId)) {
return unauthorized(res);
}

2
pages/api/teams/index.ts
View file

@ -28,7 +28,7 @@ export default async (
}
if (req.method === 'POST') {
if (!(await canCreateTeam(userId))) {
if (!(await canCreateTeam(req.auth))) {
return unauthorized(res);
}

8
pages/api/users/[id]/index.ts
View file

@ -1,5 +1,5 @@
import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateUser, canViewUser } from 'lib/auth';
import { canDeleteUser, canUpdateUser, canViewUser } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
@ -26,7 +26,7 @@ export default async (
const { id } = req.query;
if (req.method === 'GET') {
if (!isAdmin && !(await canViewUser(userId, id))) {
if (!(await canViewUser(req.auth, id))) {
return unauthorized(res);
}
@ -36,7 +36,7 @@ export default async (
}
if (req.method === 'POST') {
if (!isAdmin && !(await canUpdateUser(userId, id))) {
if (!(await canUpdateUser(req.auth, id))) {
return unauthorized(res);
}
@ -71,7 +71,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (!isAdmin) {
if (!(await canDeleteUser(req.auth))) {
return unauthorized(res);
}

5
pages/api/users/[id]/password.ts
View file

@ -29,12 +29,9 @@ export default async (
const { currentPassword, newPassword } = req.body;
const { id } = req.query;
const {
user: { id: userId, isAdmin },
} = req.auth;
if (req.method === 'POST') {
if (!isAdmin && !(await canUpdateUser(userId, id))) {
if (!(await canUpdateUser(req.auth, id))) {
return unauthorized(res);
}

9
pages/api/users/[id]/websites.ts
View file

@ -1,9 +1,10 @@
import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'lib/types';
import { canCreateWebsite } from 'lib/auth';
import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {}
@ -35,6 +36,10 @@ export default async (
if (req.method === 'POST') {
const { name, domain, shareId, teamId } = req.body;
if (!(await canCreateWebsite(req.auth, teamId))) {
return unauthorized(res);
}
const data: Prisma.WebsiteUncheckedCreateInput = {
id: uuid(),
name,

13
pages/api/users/index.ts
View file

@ -1,7 +1,8 @@
import { NextApiRequestQueryBody } from 'lib/types';
import { canCreateUser, canViewUsers } from 'lib/auth';
import { ROLES } from 'lib/constants';
import { uuid } from 'lib/crypto';
import { useAuth } from 'lib/middleware';
import { ROLES } from 'lib/constants';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createUser, getUser, getUsers, User } from 'queries';
@ -18,12 +19,8 @@ export default async (
) => {
await useAuth(req, res);
const {
user: { isAdmin },
} = req.auth;
if (req.method === 'GET') {
if (!isAdmin) {
if (!(await canViewUsers(req.auth))) {
return unauthorized(res);
}
@ -33,7 +30,7 @@ export default async (
}
if (req.method === 'POST') {
if (!isAdmin) {
if (!(await canCreateUser(req.auth))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/active.ts
View file

@ -17,13 +17,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query;
if (req.method === 'GET') {
if (await canViewWebsite(userId, websiteId)) {
if (await canViewWebsite(req.auth, websiteId)) {
return unauthorized(res);
}

5
pages/api/websites/[id]/eventdata.ts
View file

@ -24,13 +24,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query;
if (req.method === 'POST') {
if (canViewWebsite(userId, websiteId)) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/events.ts
View file

@ -25,13 +25,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId, startAt, endAt, unit, tz, url, eventName } = req.query;
if (req.method === 'GET') {
if (canViewWebsite(userId, websiteId)) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

9
pages/api/websites/[id]/index.ts
View file

@ -22,13 +22,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query;
if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}
@ -38,7 +35,7 @@ export default async (
}
if (req.method === 'POST') {
if (!(await canUpdateWebsite(userId, websiteId))) {
if (!(await canUpdateWebsite(req.auth, websiteId))) {
return unauthorized(res);
}
@ -56,7 +53,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (!(await canDeleteWebsite(userId, websiteId))) {
if (!(await canDeleteWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/metrics.ts
View file

@ -55,9 +55,6 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const {
id: websiteId,
type,
@ -72,7 +69,7 @@ export default async (
} = req.query;
if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/pageviews.ts
View file

@ -30,9 +30,6 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const {
id: websiteId,
startAt,
@ -48,7 +45,7 @@ export default async (
} = req.query;
if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/reset.ts
View file

@ -16,13 +16,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query;
if (req.method === 'POST') {
if (!(await canViewWebsite(userId, websiteId))) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

5
pages/api/websites/[id]/stats.ts
View file

@ -26,13 +26,10 @@ export default async (
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId, startAt, endAt, url, referrer, os, browser, device, country } = req.query;
if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) {
if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res);
}

9
pages/api/websites/index.ts
View file

@ -1,9 +1,10 @@
import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'lib/types';
import { canCreateWebsite } from 'lib/auth';
import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {}
@ -35,6 +36,10 @@ export default async (
if (req.method === 'POST') {
const { name, domain, shareId, teamId } = req.body;
if (!(await canCreateWebsite(req.auth, teamId))) {
return unauthorized(res);
}
const data: Prisma.WebsiteUncheckedCreateInput = {
id: uuid(),
name,