Fix share URL permissions. (#1745)

* Fix share URL permissions.

* Add sql param logic.

* Add permissions to edit website.

* Update permissions.

* Move parameters to param injection.

* Sanitize eventdata.

* Remove caret.

* Fix avg.

queries/analytics/stats/getActiveVisitors.js

@@ -11,16 +11,17 @@ export async function getActiveVisitors(...args) {
 }
 
 async function relationalQuery(websiteId) {
+  const { rawQuery, toUuid } = prisma;
   const date = subMinutes(new Date(), 5);
-  const params = [date];
+  const params = [websiteId, date];
 
-  return prisma.rawQuery(
+  return rawQuery(
     `select count(distinct session_id) x
     from pageview
       join website 
         on pageview.website_id = website.website_id
-    where website.website_uuid = '${websiteId}'
-    and pageview.created_at >= $1`,
+    where website.website_uuid = $1${toUuid()}
+    and pageview.created_at >= $2`,
     params,
   );
 }

queries/analytics/stats/getWebsiteStats.js

@@ -10,8 +10,8 @@ export async function getWebsiteStats(...args) {
 }
 
 async function relationalQuery(websiteId, { start_at, end_at, filters = {} }) {
-  const { getDateQuery, getTimestampInterval, parseFilters, rawQuery } = prisma;
-  const params = [start_at, end_at];
+  const { getDateQuery, getTimestampInterval, parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];
   const { pageviewQuery, sessionQuery, joinSession } = parseFilters(
     'pageview',
     null,
@@ -33,8 +33,8 @@ async function relationalQuery(websiteId, { start_at, end_at, filters = {} }) {
           join website 
             on pageview.website_id = website.website_id
           ${joinSession}
-        where website.website_uuid='${websiteId}'
-          and pageview.created_at between $1 and $2
+        where website.website_uuid = $1${toUuid()}
+          and pageview.created_at between $2 and $3
           ${pageviewQuery}
           ${sessionQuery}
         group by 1, 2