Merge branch 'dev' into feat/um-114-roles-and-permissions

2026-02-20 04:25:39 +01:00 · 2022-12-01 20:30:46 -08:00 · 2022-12-01 20:30:46 -08:00 · ab9f403448
commit ab9f403448
parent 3085bdd713
28 changed files with 345 additions and 412 deletions
--- a/lib/auth.ts
+++ b/lib/auth.ts
@ -1,9 +1,10 @@
+import { UserRole } from '@prisma/client';
 import debug from 'debug';
 import cache from 'lib/cache';
 import { SHARE_TOKEN_HEADER, UmamiApi } from 'lib/constants';
 import { secret } from 'lib/crypto';
 import { parseSecureToken, parseToken } from 'next-basics';
-import { getPermissionsByUserId, getTeamPermissionsByUserId } from 'queries';
+import { getTeamUser, getUserRoles } from 'queries';

 const log = debug('umami:auth');

@ -48,45 +49,123 @@ export function isValidToken(token, validation) {
  return false;
 }

-export async function allowQuery(
-  requestUserId: string,
-  type: UmamiApi.AuthType,
-  typeId?: string,
-  permission?: UmamiApi.Permission,
-) {
-  if (type === UmamiApi.AuthType.Website) {
-    const website = await cache.fetchWebsite(typeId);
+export async function canViewWebsite(userId: string, websiteId: string) {
+  const website = await cache.fetchWebsite(websiteId);

-    if (website && website.userId === requestUserId) {
-      return true;
-    }
-
-    if (website.teamId) {
-      return checkTeamPermission(requestUserId, typeId, permission);
-    }
-
-    return false;
-  } else if (type === UmamiApi.AuthType.User) {
-    if (requestUserId !== typeId) {
-      return checkUserPermission(requestUserId, permission || UmamiApi.Permission.Admin);
-    }
-
-    return requestUserId === typeId;
-  } else if (type === UmamiApi.AuthType.Team) {
-    return checkTeamPermission(requestUserId, typeId, permission);
+  if (website.userId) {
+    return userId === website.userId;
  }

-  return false;
+  if (website.teamId) {
+    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
+
+    checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
+  }
+
+  return checkAdmin(userId);
 }

-export async function checkUserPermission(userId: string, type: UmamiApi.Permission) {
-  const userRole = await getPermissionsByUserId(userId, type);
+export async function canUpdateWebsite(userId: string, websiteId: string) {
+  const website = await cache.fetchWebsite(websiteId);

-  return userRole.length > 0;
+  if (website.userId) {
+    return userId === website.userId;
+  }
+
+  if (website.teamId) {
+    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
+
+    checkPermission(UmamiApi.Permission.websiteUpdate, teamUser.role as keyof UmamiApi.Roles);
+  }
+
+  return checkAdmin(userId);
 }

-export async function checkTeamPermission(userId, teamId: string, type: UmamiApi.Permission) {
-  const userRole = await getTeamPermissionsByUserId(userId, teamId, type);
+export async function canDeleteWebsite(userId: string, websiteId: string) {
+  const website = await cache.fetchWebsite(websiteId);

-  return userRole.length > 0;
+  if (website.userId) {
+    return userId === website.userId;
+  }
+
+  if (website.teamId) {
+    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
+
+    if (checkPermission(UmamiApi.Permission.websiteDelete, teamUser.role as keyof UmamiApi.Roles)) {
+      return true;
+    }
+  }
+
+  return checkAdmin(userId);
+}
+
+// To-do: Implement when payments are setup.
+export async function canCreateTeam(userId: string) {
+  return !!userId;
+}
+
+// To-do: Implement when payments are setup.
+export async function canViewTeam(userId: string, teamId) {
+  const teamUser = await getTeamUser({ userId, teamId });
+  return !!teamUser;
+}
+
+export async function canUpdateTeam(userId: string, teamId: string) {
+  const teamUser = await getTeamUser({ userId, teamId });
+
+  if (checkPermission(UmamiApi.Permission.teamUpdate, teamUser.role as keyof UmamiApi.Roles)) {
+    return true;
+  }
+}
+
+export async function canDeleteTeam(userId: string, teamId: string) {
+  const teamUser = await getTeamUser({ userId, teamId });
+
+  if (checkPermission(UmamiApi.Permission.teamDelete, teamUser.role as keyof UmamiApi.Roles)) {
+    return true;
+  }
+}
+
+export async function canCreateUser(userId: string) {
+  return checkAdmin(userId);
+}
+
+export async function canViewUser(userId: string, viewedUserId: string) {
+  if (userId === viewedUserId) {
+    return true;
+  }
+
+  return checkAdmin(userId);
+}
+
+export async function canViewUsers(userId: string) {
+  return checkAdmin(userId);
+}
+
+export async function canUpdateUser(userId: string, viewedUserId: string) {
+  if (userId === viewedUserId) {
+    return true;
+  }
+
+  return checkAdmin(userId);
+}
+
+export async function canUpdateUserRole(userId: string) {
+  return checkAdmin(userId);
+}
+
+export async function canDeleteUser(userId: string) {
+  return checkAdmin(userId);
+}
+
+export async function checkPermission(permission: UmamiApi.Permission, role: keyof UmamiApi.Roles) {
+  return UmamiApi.Roles[role].permissions.some(a => a === permission);
+}
+
+export async function checkAdmin(userId: string, userRoles?: UserRole[]) {
+  if (!userRoles) {
+    userRoles = await getUserRoles({ userId });
+  }
+
+  return userRoles.some(a => a.role === UmamiApi.Role.Admin);
 }