Add permission checks.

pages/api/teams/[id]/index.ts

@@ -1,8 +1,10 @@
 import { Team } from '@prisma/client';
 import { NextApiRequestQueryBody } from 'interface/api/nextApi';
+import { allowQuery } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { deleteTeam, getTeam, updateTeam } from 'queries';
 
 export interface TeamRequestQuery {
@@ -10,8 +12,7 @@ export interface TeamRequestQuery {
 }
 
 export interface TeamRequestBody {
-  name?: string;
-  is_deleted?: boolean;
+  name: string;
 }
 
 export default async (
@@ -20,43 +21,35 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { id: userId, isAdmin },
-  } = req.auth;
-  const { id } = req.query;
+  const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
-    if (id !== userId && !isAdmin) {
+    if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
       return unauthorized(res);
     }
-
-    const user = await getTeam({ id });
+    const user = await getTeam({ id: teamId });
 
     return ok(res, user);
   }
 
   if (req.method === 'POST') {
-    const { name, is_deleted: isDeleted } = req.body;
+    const { name } = req.body;
 
-    if (id !== userId && !isAdmin) {
-      return unauthorized(res);
+    if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
+      return unauthorized(res, 'You must be the owner of this team.');
     }
 
-    const updated = await updateTeam({ name, isDeleted }, { id });
+    const updated = await updateTeam({ name }, { id: teamId });
 
     return ok(res, updated);
   }
 
   if (req.method === 'DELETE') {
-    if (id === userId) {
-      return badRequest(res, 'You cannot delete your own user.');
+    if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
+      return unauthorized(res, 'You must be the owner of this team.');
     }
 
-    if (!isAdmin) {
-      return unauthorized(res);
-    }
-
-    await deleteTeam(id);
+    await deleteTeam(teamId);
 
     return ok(res);
   }

pages/api/teams/[id]/user.ts

@@ -1,8 +1,10 @@
 import { NextApiRequestQueryBody } from 'interface/api/nextApi';
+import { allowQuery } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
 import { uuid } from 'lib/crypto';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createTeamUser, deleteTeamUser, getUsersByTeamId } from 'queries';
 
 export interface TeamUserRequestQuery {
@@ -23,12 +25,20 @@ export default async (
   const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
+    if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
+      return unauthorized(res);
+    }
+
     const user = await getUsersByTeamId({ teamId });
 
     return ok(res, user);
   }
 
   if (req.method === 'POST') {
+    if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
+      return unauthorized(res, 'You must be the owner of this team.');
+    }
+
     const { user_id: userId } = req.body;
 
     const updated = await createTeamUser({ id: uuid(), userId, teamId });
@@ -37,6 +47,10 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
+    if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
+      return unauthorized(res, 'You must be the owner of this team.');
+    }
+
     const { team_user_id } = req.body;
 
     await deleteTeamUser(team_user_id);

pages/api/teams/[id]/website.ts

@@ -1,9 +1,10 @@
 import { NextApiRequestQueryBody } from 'interface/api/nextApi';
-import { uuid } from 'lib/crypto';
+import { allowQuery } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok } from 'next-basics';
-import { createTeamWebsite, deleteTeamWebsite, getWebsitesByTeamId } from 'queries';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { getWebsitesByTeamId } from 'queries';
 
 export interface TeamWebsiteRequestQuery {
   id: string;
@@ -23,26 +24,14 @@ export default async (
   const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
+    if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
+      return unauthorized(res);
+    }
+
     const website = await getWebsitesByTeamId({ teamId });
 
     return ok(res, website);
   }
 
-  if (req.method === 'POST') {
-    const { website_id: websiteId } = req.body;
-
-    const updated = await createTeamWebsite({ id: uuid(), websiteId, teamId });
-
-    return ok(res, updated);
-  }
-
-  if (req.method === 'DELETE') {
-    const { team_website_id } = req.body;
-
-    await deleteTeamWebsite(team_website_id);
-
-    return ok(res);
-  }
-
   return methodNotAllowed(res);
 };

pages/api/teams/index.ts

@@ -21,17 +21,17 @@ export default async (
   } = req.auth;
 
   if (req.method === 'GET') {
-    const users = await getTeamsByUserId(id);
+    const teams = await getTeamsByUserId(id);
 
-    return ok(res, users);
+    return ok(res, teams);
   }
 
   if (req.method === 'POST') {
     const { name } = req.body;
 
-    const user = await getTeam({ name });
+    const team = await getTeam({ name });
 
-    if (user) {
+    if (team) {
       return badRequest(res, 'Team already exists');
     }
 

pages/api/users/[id]/index.ts

@@ -1,9 +1,10 @@
-import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
-import { getUser, deleteUser, updateUser } from 'queries';
+import { NextApiRequestQueryBody } from 'interface/api/nextApi';
+import { checkPermission } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { NextApiRequestQueryBody } from 'interface/api/nextApi';
-import { User } from 'interface/api/models';
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { deleteUser, getUser, updateUser, User } from 'queries';
 
 export interface UserRequestQuery {
   id: string;
@@ -21,12 +22,12 @@ export default async (
   await useAuth(req, res);
 
   const {
-    user: { id: userId, isAdmin },
+    user: { id: userId },
   } = req.auth;
   const { id } = req.query;
 
   if (req.method === 'GET') {
-    if (id !== userId && !isAdmin) {
+    if (id !== userId) {
       return unauthorized(res);
     }
 
@@ -38,7 +39,7 @@ export default async (
   if (req.method === 'POST') {
     const { username, password } = req.body;
 
-    if (id !== userId && !isAdmin) {
+    if (id !== userId) {
       return unauthorized(res);
     }
 
@@ -51,7 +52,7 @@ export default async (
     }
 
     // Only admin can change these fields
-    if (isAdmin) {
+    if (!(await checkPermission(req, UmamiApi.Permission.Admin))) {
       data.username = username;
     }
 
@@ -74,7 +75,7 @@ export default async (
       return badRequest(res, 'You cannot delete your own user.');
     }
 
-    if (!isAdmin) {
+    if (!(await checkPermission(req, UmamiApi.Permission.Admin))) {
       return unauthorized(res);
     }
 

pages/api/users/index.ts

@@ -1,10 +1,11 @@
-import { ok, unauthorized, methodNotAllowed, badRequest, hashPassword } from 'next-basics';
-import { useAuth } from 'lib/middleware';
-import { uuid } from 'lib/crypto';
-import { createUser, getUser, getUsers } from 'queries';
 import { NextApiRequestQueryBody } from 'interface/api/nextApi';
+import { checkPermission } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
+import { uuid } from 'lib/crypto';
+import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { User } from 'interface/api/models';
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { createUser, getUser, getUsers, User } from 'queries';
 
 export interface UsersRequestBody {
   username: string;
@@ -18,11 +19,7 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { isAdmin },
-  } = req.auth;
-
-  if (!isAdmin) {
+  if (!(await checkPermission(req, UmamiApi.Permission.Admin))) {
     return unauthorized(res);
   }
 

pages/api/websites/[id]/index.ts

@@ -4,7 +4,7 @@ import { allowQuery } from 'lib/auth';
 import { UmamiApi } from 'lib/constants';
 import { useAuth, useCors } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok, serverError, unauthorized } from 'next-basics';
+import { methodNotAllowed, ok, serverError, unauthorized, badRequest } from 'next-basics';
 import { deleteWebsite, getWebsite, updateWebsite } from 'queries';
 
 export interface WebsiteRequestQuery {
@@ -15,6 +15,8 @@ export interface WebsiteRequestBody {
   name: string;
   domain: string;
   shareId: string;
+  userId?: string;
+  teamId?: string;
 }
 
 export default async (
@@ -37,14 +39,14 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    const { name, domain, shareId } = req.body;
+    const { ...data } = req.body;
+
+    if (!data.userId && !data.teamId) {
+      badRequest(res, 'A website must be assigned to a User or Team.');
+    }
 
     try {
-      await updateWebsite(websiteId, {
-        name,
-        domain,
-        shareId,
-      });
+      await updateWebsite(websiteId, data);
     } catch (e: any) {
       if (e.message.includes('Unique constraint') && e.message.includes('share_id')) {
         return serverError(res, 'That share ID is already taken.');
@@ -55,10 +57,6 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (!(await allowQuery(req, UmamiApi.AuthType.Website))) {
-      return unauthorized(res);
-    }
-
     await deleteWebsite(websiteId);
 
     return ok(res);

pages/api/websites/index.ts

@@ -1,9 +1,10 @@
+import { Prisma } from '@prisma/client';
 import { NextApiRequestQueryBody } from 'interface/api/nextApi';
 import { uuid } from 'lib/crypto';
 import { useAuth, useCors } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { getRandomChars, methodNotAllowed, ok } from 'next-basics';
-import { createWebsiteByUser, getAllWebsites, getWebsitesByUserId } from 'queries';
+import { methodNotAllowed, ok } from 'next-basics';
+import { createWebsite, getAllWebsites, getWebsitesByUserId } from 'queries';
 
 export interface WebsitesRequestQuery {
   include_all?: boolean;
@@ -12,7 +13,8 @@ export interface WebsitesRequestQuery {
 export interface WebsitesRequestBody {
   name: string;
   domain: string;
-  enableShareUrl: boolean;
+  shareId: string;
+  teamId?: string;
 }
 
 export default async (
@@ -36,10 +38,22 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    const { name, domain, enableShareUrl } = req.body;
+    const { name, domain, shareId, teamId } = req.body;
 
-    const shareId = enableShareUrl ? getRandomChars(8) : null;
-    const website = await createWebsiteByUser(userId, { id: uuid(), name, domain, shareId });
+    const data: Prisma.WebsiteCreateInput = {
+      id: uuid(),
+      name,
+      domain,
+      shareId,
+    };
+
+    if (teamId) {
+      data.teamId = teamId;
+    } else {
+      data.userId = userId;
+    }
+
+    const website = await createWebsite(data);
 
     return ok(res, website);
   }