Add admin check. (#1716)

* Add admin check. * Fix teamId check.
2026-02-04 12:47:13 +01:00 · 2022-12-27 15:18:58 -08:00 · 2022-12-27 15:18:58 -08:00 · 561cde6e7e
commit 561cde6e7e
parent c90bd941b5
20 changed files with 133 additions and 98 deletions
--- a/pages/api/users/[id]/index.ts
+++ b/pages/api/users/[id]/index.ts
@ -1,5 +1,5 @@
 import { NextApiRequestQueryBody } from 'lib/types';
-import { canUpdateUser, canViewUser } from 'lib/auth';
+import { canDeleteUser, canUpdateUser, canViewUser } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
@ -26,7 +26,7 @@ export default async (
  const { id } = req.query;

  if (req.method === 'GET') {
-    if (!isAdmin && !(await canViewUser(userId, id))) {
+    if (!(await canViewUser(req.auth, id))) {
      return unauthorized(res);
    }

@ -36,7 +36,7 @@ export default async (
  }

  if (req.method === 'POST') {
-    if (!isAdmin && !(await canUpdateUser(userId, id))) {
+    if (!(await canUpdateUser(req.auth, id))) {
      return unauthorized(res);
    }

@ -71,7 +71,7 @@ export default async (
  }

  if (req.method === 'DELETE') {
-    if (!isAdmin) {
+    if (!(await canDeleteUser(req.auth))) {
      return unauthorized(res);
    }

--- a/pages/api/users/[id]/password.ts
+++ b/pages/api/users/[id]/password.ts
@ -29,12 +29,9 @@ export default async (

  const { currentPassword, newPassword } = req.body;
  const { id } = req.query;
-  const {
-    user: { id: userId, isAdmin },
-  } = req.auth;

  if (req.method === 'POST') {
-    if (!isAdmin && !(await canUpdateUser(userId, id))) {
+    if (!(await canUpdateUser(req.auth, id))) {
      return unauthorized(res);
    }

--- a/pages/api/users/[id]/websites.ts
+++ b/pages/api/users/[id]/websites.ts
@ -1,9 +1,10 @@
 import { Prisma } from '@prisma/client';
-import { NextApiRequestQueryBody } from 'lib/types';
+import { canCreateWebsite } from 'lib/auth';
 import { uuid } from 'lib/crypto';
 import { useAuth, useCors } from 'lib/middleware';
+import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createWebsite, getUserWebsites } from 'queries';

 export interface WebsitesRequestQuery {}
@ -35,6 +36,10 @@ export default async (
  if (req.method === 'POST') {
    const { name, domain, shareId, teamId } = req.body;

+    if (!(await canCreateWebsite(req.auth, teamId))) {
+      return unauthorized(res);
+    }
+
    const data: Prisma.WebsiteUncheckedCreateInput = {
      id: uuid(),
      name,
--- a/pages/api/users/index.ts
+++ b/pages/api/users/index.ts
@ -1,7 +1,8 @@
-import { NextApiRequestQueryBody } from 'lib/types';
+import { canCreateUser, canViewUsers } from 'lib/auth';
+import { ROLES } from 'lib/constants';
 import { uuid } from 'lib/crypto';
 import { useAuth } from 'lib/middleware';
-import { ROLES } from 'lib/constants';
+import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createUser, getUser, getUsers, User } from 'queries';
@ -18,12 +19,8 @@ export default async (
 ) => {
  await useAuth(req, res);

-  const {
-    user: { isAdmin },
-  } = req.auth;
-
  if (req.method === 'GET') {
-    if (!isAdmin) {
+    if (!(await canViewUsers(req.auth))) {
      return unauthorized(res);
    }

@ -33,7 +30,7 @@ export default async (
  }

  if (req.method === 'POST') {
-    if (!isAdmin) {
+    if (!(await canCreateUser(req.auth))) {
      return unauthorized(res);
    }