Updated roles and permissions logic.

2026-02-04 12:47:13 +01:00 · 2022-12-06 18:36:41 -08:00 · 2022-12-06 18:36:41 -08:00 · b57ecf33e6
commit b57ecf33e6
parent 4eb3140e43
63 changed files with 432 additions and 546 deletions
--- a/lib/auth.ts
+++ b/lib/auth.ts
@ -1,11 +1,9 @@
-import { parseSecureToken, parseToken } from 'next-basics';
-import { UserRole } from '@prisma/client';
+import { parseSecureToken, parseToken, ensureArray } from 'next-basics';
 import debug from 'debug';
 import cache from 'lib/cache';
-import { SHARE_TOKEN_HEADER } from 'lib/constants';
+import { SHARE_TOKEN_HEADER, PERMISSIONS, ROLE_PERMISSIONS } from 'lib/constants';
 import { secret } from 'lib/crypto';
-import { Permission, Roles } from 'lib/types';
-import { getTeamUser, getUserRoles } from 'queries';
+import { getTeamUser } from 'queries';

 const log = debug('umami:auth');

@ -58,12 +56,10 @@ export async function canViewWebsite(userId: string, websiteId: string) {
  }

  if (website.teamId) {
-    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
-
-    checkPermission(Permission.websiteUpdate, teamUser.role);
+    return getTeamUser(website.teamId, userId);
  }

-  return checkAdmin(userId);
+  return false;
 }

 export async function canUpdateWebsite(userId: string, websiteId: string) {
@ -74,12 +70,12 @@ export async function canUpdateWebsite(userId: string, websiteId: string) {
  }

  if (website.teamId) {
-    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
+    const teamUser = await getTeamUser(website.teamId, userId);

-    checkPermission(Permission.websiteUpdate, teamUser.role);
+    return hasPermission(teamUser.role, PERMISSIONS.websiteUpdate);
  }

-  return checkAdmin(userId);
+  return false;
 }

 export async function canDeleteWebsite(userId: string, websiteId: string) {
@ -90,14 +86,12 @@ export async function canDeleteWebsite(userId: string, websiteId: string) {
  }

  if (website.teamId) {
-    const teamUser = await getTeamUser({ userId, teamId: website.teamId });
+    const teamUser = await getTeamUser(website.teamId, userId);

-    if (checkPermission(Permission.websiteDelete, teamUser.role)) {
-      return true;
-    }
+    return hasPermission(teamUser.role, PERMISSIONS.websiteDelete);
  }

-  return checkAdmin(userId);
+  return false;
 }

 // To-do: Implement when payments are setup.
@ -107,66 +101,29 @@ export async function canCreateTeam(userId: string) {

 // To-do: Implement when payments are setup.
 export async function canViewTeam(userId: string, teamId) {
-  const teamUser = await getTeamUser({ userId, teamId });
-  return !!teamUser;
+  return getTeamUser(teamId, userId);
 }

 export async function canUpdateTeam(userId: string, teamId: string) {
-  const teamUser = await getTeamUser({ userId, teamId });
+  const teamUser = await getTeamUser(teamId, userId);

-  if (checkPermission(Permission.teamUpdate, teamUser.role)) {
-    return true;
-  }
+  return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
 }

 export async function canDeleteTeam(userId: string, teamId: string) {
-  const teamUser = await getTeamUser({ userId, teamId });
+  const teamUser = await getTeamUser(teamId, userId);

-  if (checkPermission(Permission.teamDelete, teamUser.role)) {
-    return true;
-  }
-}
-
-export async function canCreateUser(userId: string) {
-  return checkAdmin(userId);
+  return hasPermission(teamUser.role, PERMISSIONS.teamDelete);
 }

 export async function canViewUser(userId: string, viewedUserId: string) {
-  if (userId === viewedUserId) {
-    return true;
-  }
-
-  return checkAdmin(userId);
-}
-
-export async function canViewUsers(userId: string) {
-  return checkAdmin(userId);
+  return userId === viewedUserId;
 }

 export async function canUpdateUser(userId: string, viewedUserId: string) {
-  if (userId === viewedUserId) {
-    return true;
-  }
-
-  return checkAdmin(userId);
+  return userId === viewedUserId;
 }

-export async function canUpdateUserRole(userId: string) {
-  return checkAdmin(userId);
-}
-
-export async function canDeleteUser(userId: string) {
-  return checkAdmin(userId);
-}
-
-export async function checkPermission(permission: Permission, role: string) {
-  return Roles[role].permissions.some(a => a === permission);
-}
-
-export async function checkAdmin(userId: string, userRoles?: UserRole[]) {
-  if (!userRoles) {
-    userRoles = await getUserRoles({ userId });
-  }
-
-  return userRoles.some(a => a.role === Roles.admin.name);
+export async function hasPermission(role: string, permission: string | string[]) {
+  return ensureArray(permission).some(e => ROLE_PERMISSIONS[role]?.includes(e));
 }
--- a/lib/constants.ts
+++ b/lib/constants.ts
@ -22,6 +22,52 @@ export const DEFAULT_WEBSITE_LIMIT = 10;
 export const REALTIME_RANGE = 30;
 export const REALTIME_INTERVAL = 3000;

+export const EVENT_TYPE = {
+  pageView: 1,
+  customEvent: 2,
+};
+
+export const ROLES = {
+  admin: 'admin',
+  user: 'user',
+  teamOwner: 'team-owner',
+  teamMember: 'team-member',
+  teamGuest: 'team-guest',
+};
+
+export const PERMISSIONS = {
+  all: 'all',
+  websiteCreate: 'website:create',
+  websiteUpdate: 'website:update',
+  websiteDelete: 'website:delete',
+  teamCreate: 'team:create',
+  teamUpdate: 'team:update',
+  teamDelete: 'team:delete',
+};
+
+export const ROLE_PERMISSIONS = {
+  [ROLES.admin]: [PERMISSIONS.all],
+  [ROLES.user]: [
+    PERMISSIONS.websiteCreate,
+    PERMISSIONS.websiteUpdate,
+    PERMISSIONS.websiteDelete,
+    PERMISSIONS.teamCreate,
+  ],
+  [ROLES.teamOwner]: [
+    PERMISSIONS.teamUpdate,
+    PERMISSIONS.teamDelete,
+    PERMISSIONS.websiteCreate,
+    PERMISSIONS.websiteUpdate,
+    PERMISSIONS.websiteDelete,
+  ],
+  [ROLES.teamMember]: [
+    PERMISSIONS.websiteCreate,
+    PERMISSIONS.websiteUpdate,
+    PERMISSIONS.websiteDelete,
+  ],
+  [ROLES.teamGuest]: [],
+};
+
 export const THEME_COLORS = {
  light: {
    primary: '#2680eb',
--- a/lib/middleware.js
+++ b/lib/middleware.js
@ -6,6 +6,7 @@ import { findSession } from 'lib/session';
 import { getAuthToken, parseShareToken } from 'lib/auth';
 import { secret } from 'lib/crypto';
 import redis from 'lib/redis';
+import { ROLES } from 'lib/constants';
 import { getUser } from '../queries';

 const log = debug('umami:middleware');
@ -45,6 +46,10 @@ export const useAuth = createMiddleware(async (req, res, next) => {
    return unauthorized(res);
  }

+  if (user) {
+    user.isAdmin = user.role === ROLES.admin;
+  }
+
  req.auth = { user, token, shareToken, key };
  next();
 });
--- a/lib/redis.js
+++ b/lib/redis.js
@ -32,8 +32,6 @@ async function get(key) {

  const data = await redis.get(key);

-  log({ key, data });
-
  try {
    return JSON.parse(data);
  } catch {
--- a/lib/session.js
+++ b/lib/session.js
@ -40,7 +40,7 @@ export async function findSession(req) {
    website = await getWebsite({ id: websiteId });
  }

-  if (!website || website.isDeleted) {
+  if (!website || website.deletedAt) {
    throw new Error(`Website not found: ${websiteId}`);
  }

--- a/lib/types.ts
+++ b/lib/types.ts
@ -1,57 +1,90 @@
-/* eslint-disable no-unused-vars */
-export enum EventType {
-  Pageview = 1,
-  Event = 2,
+import { NextApiRequest } from 'next';
+
+export interface Auth {
+  user?: {
+    id: string;
+    username: string;
+    role: string;
+    isAdmin: boolean;
+  };
+  shareToken?: string;
 }

-export enum AuthType {
-  Website,
-  User,
-  Team,
+export interface NextApiRequestQueryBody<TQuery = any, TBody = any> extends NextApiRequest {
+  auth?: Auth;
+  query: TQuery & { [key: string]: string | string[] };
+  body: TBody;
+  headers: any;
 }

-export enum Permission {
-  all = 'all',
-  websiteCreate = 'website:create',
-  websiteUpdate = 'website:update',
-  websiteDelete = 'website:delete',
-  teamCreate = 'team:create',
-  teamUpdate = 'team:update',
-  teamDelete = 'team:delete',
+export interface NextApiRequestAuth extends NextApiRequest {
+  auth?: Auth;
+  headers: any;
 }

-export enum Role {
-  Admin = 'admin',
-  User = 'user',
-  TeamOwner = 'team-owner',
-  TeamMember = 'team-member',
-  TeamGuest = 'team-guest',
+export interface Website {
+  id: string;
+  userId: string;
+  revId: number;
+  name: string;
+  domain: string;
+  shareId: string;
+  createdAt: Date;
 }

-export const Roles = {
-  admin: { name: Role.Admin, permissions: [Permission.all] },
-  member: {
-    name: Role.User,
-    permissions: [
-      Permission.websiteCreate,
-      Permission.websiteUpdate,
-      Permission.websiteDelete,
-      Permission.teamCreate,
-    ],
-  },
-  teamOwner: {
-    name: Role.TeamOwner,
-    permissions: [
-      Permission.teamUpdate,
-      Permission.teamDelete,
-      Permission.websiteCreate,
-      Permission.websiteUpdate,
-      Permission.websiteDelete,
-    ],
-  },
-  teamMember: {
-    name: Role.TeamMember,
-    permissions: [Permission.websiteCreate, Permission.websiteUpdate, Permission.websiteDelete],
-  },
-  teamGuest: { name: Role.TeamGuest, permissions: [] },
-};
+export interface Share {
+  id: string;
+  token: string;
+}
+
+export interface Empty {}
+
+export interface WebsiteActive {
+  x: number;
+}
+
+export interface WebsiteEventDataMetric {
+  [key: string]: number;
+}
+
+export interface WebsiteMetric {
+  x: string;
+  y: number;
+}
+
+export interface WebsiteEventMetric {
+  x: string;
+  t: string;
+  y: number;
+}
+
+export interface WebsitePageviews {
+  pageviews: {
+    t: string;
+    y: number;
+  };
+  sessions: {
+    t: string;
+    y: number;
+  };
+}
+
+export interface WebsiteStats {
+  pageviews: { value: number; change: number };
+  uniques: { value: number; change: number };
+  bounces: { value: number; change: number };
+  totalTime: { value: number; change: number };
+}
+
+export interface RealtimeInit {
+  websites: Website[];
+  token: string;
+  data: RealtimeUpdate;
+}
+
+export interface RealtimeUpdate {
+  pageviews: any[];
+  sessions: any[];
+  events: any[];
+  timestamp: number;
+}