Add permission checks.

lib/auth.ts

@@ -1,9 +1,10 @@
 import debug from 'debug';
 import { NextApiRequestAuth } from 'interface/api/nextApi';
+import cache from 'lib/cache';
 import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
 import { secret } from 'lib/crypto';
 import { parseSecureToken, parseToken } from 'next-basics';
-import { getUser, getUserWebsite } from 'queries';
+import { getPermissionsByUserId, getTeamUser, getUser } from 'queries';
 
 const log = debug('umami:auth');
 
@@ -63,23 +64,51 @@ export async function allowQuery(
 
   if (user?.id) {
     if (type === UmamiApi.AuthType.Website) {
-      const userWebsite = await getUserWebsite({
-        userId: user.id,
-        websiteId: typeId ?? id,
-        isDeleted: false,
-      });
+      const website = await cache.fetchWebsite(typeId ?? id);
 
-      return userWebsite;
+      if (website && website.userId === user.id) {
+        return true;
+      }
+
+      if (website.teamId) {
+        const teamUser = getTeamUser({ userId: user.id, teamId: website.teamId, isDeleted: false });
+
+        return teamUser;
+      }
+
+      return false;
     } else if (type === UmamiApi.AuthType.User) {
       const user = await getUser({ id });
 
       return user && user.id === id;
-    }
-  }
+    } else if (type === UmamiApi.AuthType.Team) {
+      const teamUser = await getTeamUser({
+        userId: user.id,
+        teamId: typeId ?? id,
+        isDeleted: false,
+      });
 
-  if (user?.isAdmin) {
-    return true;
+      return teamUser;
+    } else if (type === UmamiApi.AuthType.TeamOwner) {
+      const teamUser = await getTeamUser({
+        userId: user.id,
+        teamId: typeId ?? id,
+        isDeleted: false,
+      });
+
+      return teamUser && teamUser.isOwner;
+    }
   }
 
   return false;
 }
+
+export async function checkPermission(req: NextApiRequestAuth, type: UmamiApi.Permission) {
+  const {
+    user: { id: userId },
+  } = req.auth;
+
+  const userRole = await getPermissionsByUserId(userId, type);
+
+  return userRole.length > 0;
+}

lib/cache.ts

@@ -1,6 +1,6 @@
-import { getWebsite, getUser, getSession } from '../queries';
+import { User, Website } from '@prisma/client';
 import redis, { DELETED } from 'lib/redis';
-import { Role, Team, TeamUser, User, UserRole, UserWebsite, Website } from '@prisma/client';
+import { getSession, getUser, getWebsite } from '../queries';
 
 async function fetchObject(key, query) {
   const obj = await redis.get(key);
@@ -26,7 +26,7 @@ async function deleteObject(key) {
   return redis.set(key, DELETED);
 }
 
-async function fetchWebsite(id) {
+async function fetchWebsite(id): Promise<Website> {
   return fetchObject(`website:${id}`, () => getWebsite({ id }));
 }
 
@@ -41,13 +41,7 @@ async function deleteWebsite(id) {
   return deleteObject(`website:${id}`);
 }
 
-async function fetchUser(id): Promise<
-  User & {
-    userRole?: (UserRole & { role: Role })[];
-    teamUser?: (TeamUser & { team: Team })[];
-    userWebsite?: (UserWebsite & { website: Website })[];
-  }
-> {
+async function fetchUser(id): Promise<User> {
   return fetchObject(`user:${id}`, () => getUser({ id }, true));
 }
 

lib/constants.ts

@@ -8,6 +8,16 @@ export namespace UmamiApi {
   export enum AuthType {
     Website,
     User,
+    Team,
+    TeamOwner,
+  }
+
+  export enum Permission {
+    Admin = 'Admin',
+  }
+
+  export enum Role {
+    Admin = 'Admin',
   }
 }
 export const CURRENT_VERSION = process.env.currentVersion;