Fix share URL permissions. (#1745)

* Fix share URL permissions.

* Add sql param logic.

* Add permissions to edit website.

* Update permissions.

* Move parameters to param injection.

* Sanitize eventdata.

* Remove caret.

* Fix avg.

queries/analytics/pageview/getPageviewParams.js

@@ -9,8 +9,8 @@ export async function getPageviewParams(...args) {
 }
 
 async function relationalQuery(websiteId, start_at, end_at, column, table, filters = {}) {
-  const { parseFilters, rawQuery } = prisma;
-  const params = [start_at, end_at];
+  const { parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];
   const { pageviewQuery, sessionQuery, eventQuery, joinSession } = parseFilters(
     table,
     column,
@@ -24,8 +24,8 @@ async function relationalQuery(websiteId, start_at, end_at, column, table, filte
     from ${table}
       ${` join website on ${table}.website_id = website.website_id`}
       ${joinSession}
-    where website.website_uuid='${websiteId}'
-      and ${table}.created_at between $1 and $2
+    where website.website_uuid = $1${toUuid()}
+      and ${table}.created_at between $2 and $3
       and ${table}.url like '%?%'
       ${pageviewQuery}
       ${joinSession && sessionQuery}