mirror of
https://github.com/umami-software/umami.git
synced 2026-02-20 20:45:39 +01:00
Merge branch 'dev' into feat/um-114-roles-and-permissions
This commit is contained in:
Brian Cao
parent
3085bdd713
commit
ab9f403448
28 changed files with 345 additions and 412 deletions
145
lib/auth.ts
145
lib/auth.ts
|
|
@ -1,9 +1,10 @@
|
|||
import { UserRole } from '@prisma/client';
|
||||
import debug from 'debug';
|
||||
import cache from 'lib/cache';
|
||||
import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
|
||||
import { secret } from 'lib/crypto';
|
||||
import { parseSecureToken, parseToken } from 'next-basics';
|
||||
import { getPermissionsByUserId, getTeamPermissionsByUserId } from 'queries';
|
||||
import { getTeamUser, getUserRoles } from 'queries';
|
||||
|
||||
const log = debug('umami:auth');
|
||||
|
||||
|
|
@ -48,45 +49,123 @@ export function isValidToken(token, validation) {
|
|||
return false;
|
||||
}
|
||||
|
||||
export async function allowQuery(
|
||||
requestUserId: string,
|
||||
type: UmamiApi.AuthType,
|
||||
typeId?: string,
|
||||
permission?: UmamiApi.Permission,
|
||||
) {
|
||||
if (type === UmamiApi.AuthType.Website) {
|
||||
const website = await cache.fetchWebsite(typeId);
|
||||
export async function canViewWebsite(userId: string, websiteId: string) {
|
||||
const website = await cache.fetchWebsite(websiteId);
|
||||
|
||||
if (website && website.userId === requestUserId) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
return checkTeamPermission(requestUserId, typeId, permission);
|
||||
}
|
||||
|
||||
return false;
|
||||
} else if (type === UmamiApi.AuthType.User) {
|
||||
if (requestUserId !== typeId) {
|
||||
return checkUserPermission(requestUserId, permission || UmamiApi.Permission.Admin);
|
||||
}
|
||||
|
||||
return requestUserId === typeId;
|
||||
} else if (type === UmamiApi.AuthType.Team) {
|
||||
return checkTeamPermission(requestUserId, typeId, permission);
|
||||
if (website.userId) {
|
||||
return userId === website.userId;
|
||||
}
|
||||
|
||||
return false;
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
|
||||
|
||||
checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
|
||||
}
|
||||
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function checkUserPermission(userId: string, type: UmamiApi.Permission) {
|
||||
const userRole = await getPermissionsByUserId(userId, type);
|
||||
export async function canUpdateWebsite(userId: string, websiteId: string) {
|
||||
const website = await cache.fetchWebsite(websiteId);
|
||||
|
||||
return userRole.length > 0;
|
||||
if (website.userId) {
|
||||
return userId === website.userId;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
|
||||
|
||||
checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
|
||||
}
|
||||
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function checkTeamPermission(userId, teamId: string, type: UmamiApi.Permission) {
|
||||
const userRole = await getTeamPermissionsByUserId(userId, teamId, type);
|
||||
export async function canDeleteWebsite(userId: string, websiteId: string) {
|
||||
const website = await cache.fetchWebsite(websiteId);
|
||||
|
||||
return userRole.length > 0;
|
||||
if (website.userId) {
|
||||
return userId === website.userId;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser({ userId, teamId: website.teamId });
|
||||
|
||||
if (checkPermission(UmamiApi.Permission.websiteDelete, teamUser.role as keyof UmamiApi.Roles)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
// To-do: Implement when payments are setup.
|
||||
export async function canCreateTeam(userId: string) {
|
||||
return !!userId;
|
||||
}
|
||||
|
||||
// To-do: Implement when payments are setup.
|
||||
export async function canViewTeam(userId: string, teamId) {
|
||||
const teamUser = await getTeamUser({ userId, teamId });
|
||||
return !!teamUser;
|
||||
}
|
||||
|
||||
export async function canUpdateTeam(userId: string, teamId: string) {
|
||||
const teamUser = await getTeamUser({ userId, teamId });
|
||||
|
||||
if (checkPermission(UmamiApi.Permission.teamUpdate, teamUser.role as keyof UmamiApi.Roles)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
export async function canDeleteTeam(userId: string, teamId: string) {
|
||||
const teamUser = await getTeamUser({ userId, teamId });
|
||||
|
||||
if (checkPermission(UmamiApi.Permission.teamDelete, teamUser.role as keyof UmamiApi.Roles)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
export async function canCreateUser(userId: string) {
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function canViewUser(userId: string, viewedUserId: string) {
|
||||
if (userId === viewedUserId) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function canViewUsers(userId: string) {
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function canUpdateUser(userId: string, viewedUserId: string) {
|
||||
if (userId === viewedUserId) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function canUpdateUserRole(userId: string) {
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function canDeleteUser(userId: string) {
|
||||
return checkAdmin(userId);
|
||||
}
|
||||
|
||||
export async function checkPermission(permission: UmamiApi.Permission, role: keyof UmamiApi.Roles) {
|
||||
return UmamiApi.Roles[role].permissions.some(a => a === permission);
|
||||
}
|
||||
|
||||
export async function checkAdmin(userId: string, userRoles?: UserRole[]) {
|
||||
if (!userRoles) {
|
||||
userRoles = await getUserRoles({ userId });
|
||||
}
|
||||
|
||||
return userRoles.some(a => a.role === UmamiApi.Role.Admin);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
import { User, Website } from '@prisma/client';
|
||||
import redis, { DELETED } from 'lib/redis';
|
||||
import redis from 'lib/redis';
|
||||
import { getSession, getUser, getWebsite } from '../queries';
|
||||
|
||||
async function fetchObject(key, query) {
|
||||
|
|
@ -23,7 +23,7 @@ async function storeObject(key, data) {
|
|||
}
|
||||
|
||||
async function deleteObject(key) {
|
||||
return redis.set(key, DELETED);
|
||||
return redis.set(key, redis.DELETED);
|
||||
}
|
||||
|
||||
async function fetchWebsite(id): Promise<Website> {
|
||||
|
|
|
|||
|
|
@ -12,27 +12,54 @@ export namespace UmamiApi {
|
|||
}
|
||||
|
||||
export enum Permission {
|
||||
Admin = 'admin',
|
||||
WebsiteCreate = 'website:create',
|
||||
WebsiteRead = 'website:read',
|
||||
WebsiteUpdate = 'website:update',
|
||||
WebsiteReset = 'website:reset',
|
||||
WebsiteDelete = 'website:delete',
|
||||
TeamCreate = 'team:create',
|
||||
TeamUpdate = 'team:update',
|
||||
TeamDelete = 'team:delete',
|
||||
TeamAddUser = 'team:add-user',
|
||||
TeamRemoveUser = 'team:remove-user',
|
||||
all = 'all',
|
||||
websiteCreate = 'website:create',
|
||||
websiteUpdate = 'website:update',
|
||||
websiteDelete = 'website:delete',
|
||||
teamCreate = 'team:create',
|
||||
teamUpdate = 'team:update',
|
||||
teamDelete = 'team:delete',
|
||||
}
|
||||
|
||||
export enum Role {
|
||||
Admin = 'Admin',
|
||||
Member = 'Member',
|
||||
TeamOwner = 'Team Owner',
|
||||
TeamMember = 'Team Member',
|
||||
TeamGuest = 'Team Guest,',
|
||||
Admin = 'admin',
|
||||
User = 'user',
|
||||
TeamOwner = 'team-owner',
|
||||
TeamMember = 'team-member',
|
||||
TeamGuest = 'team-guest',
|
||||
}
|
||||
|
||||
export const Roles = {
|
||||
admin: { name: Role.Admin, permissions: [Permission.all] },
|
||||
member: {
|
||||
name: Role.User,
|
||||
permissions: [
|
||||
Permission.websiteCreate,
|
||||
Permission.websiteUpdate,
|
||||
Permission.websiteDelete,
|
||||
Permission.teamCreate,
|
||||
],
|
||||
},
|
||||
teamOwner: {
|
||||
name: Role.TeamOwner,
|
||||
permissions: [
|
||||
Permission.teamUpdate,
|
||||
Permission.teamDelete,
|
||||
Permission.websiteCreate,
|
||||
Permission.websiteUpdate,
|
||||
Permission.websiteDelete,
|
||||
],
|
||||
},
|
||||
teamMember: {
|
||||
name: Role.TeamMember,
|
||||
permissions: [Permission.websiteCreate, Permission.websiteUpdate, Permission.websiteDelete],
|
||||
},
|
||||
teamGuest: { name: Role.TeamGuest, permissions: [] },
|
||||
};
|
||||
|
||||
export type Roles = typeof Roles;
|
||||
}
|
||||
|
||||
export const CURRENT_VERSION = process.env.currentVersion;
|
||||
export const AUTH_TOKEN = 'umami.auth';
|
||||
export const LOCALE_CONFIG = 'umami.locale';
|
||||
|
|
@ -56,9 +83,6 @@ export const DEFAULT_WEBSITE_LIMIT = 10;
|
|||
export const REALTIME_RANGE = 30;
|
||||
export const REALTIME_INTERVAL = 3000;
|
||||
|
||||
export const TYPE_WEBSITE = 'website';
|
||||
export const TYPE_USER = 'user';
|
||||
|
||||
export const THEME_COLORS = {
|
||||
light: {
|
||||
primary: '#2680eb',
|
||||
|
|
|
|||
10
lib/redis.js
10
lib/redis.js
|
|
@ -3,16 +3,18 @@ import debug from 'debug';
|
|||
|
||||
const log = debug('umami:redis');
|
||||
const REDIS = Symbol();
|
||||
const DELETED = 'DELETED';
|
||||
|
||||
let redis;
|
||||
const enabled = Boolean(process.env.REDIS_URL);
|
||||
const url = process.env.REDIS_URL;
|
||||
const enabled = Boolean(url);
|
||||
|
||||
async function getClient() {
|
||||
if (!process.env.REDIS_URL) {
|
||||
if (!enabled) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const client = createClient({ url: process.env.REDIS_URL });
|
||||
const client = createClient({ url });
|
||||
client.on('error', err => log(err));
|
||||
await client.connect();
|
||||
|
||||
|
|
@ -59,4 +61,4 @@ async function connect() {
|
|||
return redis;
|
||||
}
|
||||
|
||||
export default { enabled, client: redis, log, connect, get, set, del };
|
||||
export default { enabled, client: redis, log, connect, get, set, del, DELETED };
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue