watson/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-02-09 15:17:23 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix share URL permissions. (#1745)

Browse source 
* Fix share URL permissions.

* Add sql param logic.

* Add permissions to edit website.

* Update permissions.

* Move parameters to param injection.

* Sanitize eventdata.

* Remove caret.

* Fix avg.
This commit is contained in:
Brian Cao 2023-01-18 15:09:49 -08:00 committed by GitHub
parent 558ce268a0
commit 922c3acab3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 139 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pages/api/accounts/[id]/password.js
View file

@ -17,7 +17,7 @@ export default async (req, res) => {
const { current_password, new_password } = req.body;
const { id: accountUuid } = req.query;
if (!(await allowQuery(req, TYPE_ACCOUNT))) {
if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
return unauthorized(res);
}

6
pages/api/realtime/init.js
View file

@ -1,5 +1,5 @@
import { subMinutes } from 'date-fns';
import { ok, methodNotAllowed, createToken } from 'next-basics';
import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
import { useAuth } from 'lib/middleware';
import { getUserWebsites, getRealtimeData } from 'queries';
import { secret } from 'lib/crypto';
@ -10,6 +10,10 @@ export default async (req, res) => {
if (req.method === 'GET') {
const { userId } = req.auth;
if (!userId) {
return unauthorized(res);
}
const websites = await getUserWebsites({ userId });
const ids = websites.map(({ websiteUuid }) => websiteUuid);
const token = createToken({ websites: ids }, secret());

14
pages/api/websites/[id]/index.js
View file

@ -10,17 +10,21 @@ export default async (req, res) => {
const { id: websiteUuid } = req.query;
if (!(await allowQuery(req, TYPE_WEBSITE))) {
return unauthorized(res);
}
if (req.method === 'GET') {
if (!(await allowQuery(req, TYPE_WEBSITE))) {
return unauthorized(res);
}
const website = await getWebsite({ websiteUuid });
return ok(res, website);
}
if (req.method === 'POST') {
if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
return unauthorized(res);
}
const { name, domain, owner, enableShareUrl, shareId } = req.body;
const { accountUuid } = req.auth;
@ -58,7 +62,7 @@ export default async (req, res) => {
}
if (req.method === 'DELETE') {
if (!(await allowQuery(req, TYPE_WEBSITE))) {
if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
return unauthorized(res);
}

2
pages/api/websites/[id]/reset.js
View file

@ -11,7 +11,7 @@ export default async (req, res) => {
const { id: websiteId } = req.query;
if (req.method === 'POST') {
if (!(await allowQuery(req, TYPE_WEBSITE))) {
if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
return unauthorized(res);
}

3
pages/api/websites/index.js
View file

@ -7,6 +7,7 @@ export default async (req, res) => {
await useAuth(req, res);
const { user_id, include_all } = req.query;
const { userId: currentUserId, isAdmin } = req.auth;
const accountUuid = user_id || req.auth.accountUuid;
let account;
@ -18,7 +19,7 @@ export default async (req, res) => {
const userId = account ? account.id : user_id;
if (req.method === 'GET') {
if (userId && userId !== currentUserId && !isAdmin) {
if (!userId || (userId !== currentUserId && !isAdmin)) {
return unauthorized(res);
}