watson/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-02-04 04:37:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Updated roles and permissions logic.

Browse source
This commit is contained in:
Mike Cao 2022-12-06 18:36:41 -08:00
parent 4eb3140e43
commit b57ecf33e6
63 changed files with 432 additions and 546 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pages/api/auth/login.ts
View file

@ -10,7 +10,7 @@ import {
import { getUser, User } from 'queries';
import { secret } from 'lib/crypto';
import redis from 'lib/redis';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
export interface LoginRequestBody {

2
pages/api/auth/verify.ts
View file

@ -1,4 +1,4 @@
import { NextApiRequestAuth } from 'interface/api/nextApi';
import { NextApiRequestAuth } from 'lib/types';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { ok } from 'next-basics';

4
pages/api/realtime/init.ts
View file

@ -1,6 +1,6 @@
import { subMinutes } from 'date-fns';
import { RealtimeInit } from 'interface/api/models';
import { NextApiRequestAuth } from 'interface/api/nextApi';
import { RealtimeInit } from 'lib/types';
import { NextApiRequestAuth } from 'lib/types';
import { secret } from 'lib/crypto';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';

4
pages/api/realtime/update.ts
View file

@ -3,9 +3,9 @@ import { useAuth } from 'lib/middleware';
import { getRealtimeData } from 'queries';
import { SHARE_TOKEN_HEADER } from 'lib/constants';
import { secret } from 'lib/crypto';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { RealtimeUpdate } from 'interface/api/models';
import { RealtimeUpdate } from 'lib/types';
export interface InitUpdateRequestQuery {
start_at: string;

2
pages/api/share/[id].ts
View file

@ -1,4 +1,4 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { secret } from 'lib/crypto';
import { NextApiResponse } from 'next';
import { createToken, methodNotAllowed, notFound, ok } from 'next-basics';

8
pages/api/teams/[id]/index.ts
View file

@ -1,5 +1,5 @@
import { Team } from '@prisma/client';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { canDeleteTeam, canUpdateTeam, canViewTeam } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
@ -26,7 +26,7 @@ export default async (
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (await canViewTeam(userId, teamId)) {
if (!(await canViewTeam(userId, teamId))) {
return unauthorized(res);
}
@ -38,7 +38,7 @@ export default async (
if (req.method === 'POST') {
const { name } = req.body;
if (await canUpdateTeam(userId, teamId)) {
if (!(await canUpdateTeam(userId, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}
@ -48,7 +48,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (await canDeleteTeam(userId, teamId)) {
if (!(await canDeleteTeam(userId, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}

12
pages/api/teams/[id]/user.ts → pages/api/teams/[id]/users.ts
View file

@ -1,9 +1,9 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateTeam, canViewTeam } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createTeamUser, deleteTeamUser, getUser, getUsersByTeamId } from 'queries';
import { createTeamUser, deleteTeamUser, getUser, getTeamUsers } from 'queries';
export interface TeamUserRequestQuery {
id: string;
@ -27,17 +27,17 @@ export default async (
const { id: teamId } = req.query;
if (req.method === 'GET') {
if (await canViewTeam(userId, teamId)) {
if (!(await canViewTeam(userId, teamId))) {
return unauthorized(res);
}
const user = await getUsersByTeamId({ teamId });
const users = await getTeamUsers(teamId);
return ok(res, user);
return ok(res, users);
}
if (req.method === 'POST') {
if (await canUpdateTeam(userId, teamId)) {
if (!(await canUpdateTeam(userId, teamId))) {
return unauthorized(res, 'You must be the owner of this team.');
}

12
pages/api/teams/[id]/website.ts → pages/api/teams/[id]/websites.ts
View file

@ -1,9 +1,9 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { canViewTeam } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { getWebsitesByTeamId } from 'queries';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewTeam } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { getTeamWebsites } from 'queries/admin/team';
export interface TeamWebsiteRequestQuery {
id: string;
@ -30,9 +30,9 @@ export default async (
return unauthorized(res);
}
const website = await getWebsitesByTeamId({ teamId });
const websites = await getTeamWebsites(teamId);
return ok(res, website);
return ok(res, websites);
}
return methodNotAllowed(res);

19
pages/api/teams/index.ts
View file

@ -1,14 +1,14 @@
import { Team } from '@prisma/client';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { canCreateTeam } from 'lib/auth';
import { uuid } from 'lib/crypto';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createTeam, getTeam, getTeamsByUserId } from 'queries';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createTeam, getUserTeams } from 'queries';
export interface TeamsRequestBody {
name: string;
description: string;
}
export default async (
@ -22,27 +22,22 @@ export default async (
} = req.auth;
if (req.method === 'GET') {
const teams = await getTeamsByUserId(userId);
const teams = await getUserTeams(userId);
return ok(res, teams);
}
if (req.method === 'POST') {
if (await canCreateTeam(userId)) {
if (!(await canCreateTeam(userId))) {
return unauthorized(res);
}
const { name } = req.body;
const team = await getTeam({ name });
if (team) {
return badRequest(res, 'Team already exists');
}
const created = await createTeam({
id: uuid(),
name,
userId,
});
return ok(res, created);

10
pages/api/users/[id]/index.ts
View file

@ -1,5 +1,5 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { canDeleteUser, canUpdateUser, canViewUser, checkAdmin } from 'lib/auth';
import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateUser, canViewUser } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
@ -21,7 +21,7 @@ export default async (
await useAuth(req, res);
const {
user: { id: userId },
user: { id: userId, isAdmin },
} = req.auth;
const { id } = req.query;
@ -51,7 +51,7 @@ export default async (
}
// Only admin can change these fields
if (username && (await checkAdmin(userId))) {
if (username && isAdmin) {
data.username = username;
}
@ -70,7 +70,7 @@ export default async (
}
if (req.method === 'DELETE') {
if (canDeleteUser(userId)) {
if (isAdmin) {
return unauthorized(res);
}

2
pages/api/users/[id]/password.ts
View file

@ -1,4 +1,4 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateUser } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';

62
pages/api/users/[id]/role.ts
View file

@ -1,62 +0,0 @@
import { UserRole } from '@prisma/client';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { canUpdateUserRole } from 'lib/auth';
import { Role } from 'lib/types';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { deleteUserRole, getUserRole, getUserRoles, updateUserRole } from 'queries';
export interface UserRoleRequestQuery {
id: string;
}
export interface UserRoleRequestBody {
role: Role;
userRoleId?: string;
}
export default async (
req: NextApiRequestQueryBody<UserRoleRequestQuery, UserRoleRequestBody>,
res: NextApiResponse<UserRole>,
) => {
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id } = req.query;
if (await canUpdateUserRole(userId)) {
return unauthorized(res);
}
if (req.method === 'GET') {
const userRole = await getUserRoles({ userId: id });
return ok(res, userRole);
}
if (req.method === 'POST') {
const { role } = req.body;
const userRole = await getUserRole({ userId: id });
if (userRole && userRole.role === role) {
return badRequest(res, 'Role already exists for User.');
} else {
const updated = await updateUserRole({ role }, { id: userRole.id });
return ok(res, updated);
}
}
if (req.method === 'DELETE') {
const { userRoleId } = req.body;
const updated = await deleteUserRole(userRoleId);
return ok(res, updated);
}
return methodNotAllowed(res);
};

57
pages/api/users/[id]/websites.ts Normal file
View file

@ -0,0 +1,57 @@
import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'lib/types';
import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics';
import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {}
export interface WebsitesRequestBody {
name: string;
domain: string;
shareId: string;
teamId?: string;
}
export default async (
req: NextApiRequestQueryBody<WebsitesRequestQuery, WebsitesRequestBody>,
res: NextApiResponse,
) => {
await useCors(req, res);
await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
if (req.method === 'GET') {
const websites = await getUserWebsites(userId);
return ok(res, websites);
}
if (req.method === 'POST') {
const { name, domain, shareId, teamId } = req.body;
const data: Prisma.WebsiteUncheckedCreateInput = {
id: uuid(),
name,
domain,
shareId,
};
if (teamId) {
data.teamId = teamId;
} else {
data.userId = userId;
}
const website = await createWebsite(data);
return ok(res, website);
}
return methodNotAllowed(res);
};

15
pages/api/users/index.ts
View file

@ -1,7 +1,7 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { canCreateUser, canViewUsers } from 'lib/auth';
import { NextApiRequestQueryBody } from 'lib/types';
import { uuid } from 'lib/crypto';
import { useAuth } from 'lib/middleware';
import { ROLES } from 'lib/constants';
import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createUser, getUser, getUsers, User } from 'queries';
@ -19,11 +19,11 @@ export default async (
await useAuth(req, res);
const {
user: { id: userId },
user: { isAdmin },
} = req.auth;
if (req.method === 'GET') {
if (canViewUsers(userId)) {
if (isAdmin) {
return unauthorized(res);
}
@ -33,15 +33,15 @@ export default async (
}
if (req.method === 'POST') {
if (canCreateUser(userId)) {
if (isAdmin) {
return unauthorized(res);
}
const { username, password, id } = req.body;
const user = await getUser({ username });
const existingUser = await getUser({ username });
if (user) {
if (existingUser) {
return badRequest(res, 'User already exists');
}
@ -49,6 +49,7 @@ export default async (
id: id || uuid(),
username,
password: hashPassword(password),
role: ROLES.user,
});
return ok(res, created);

4
pages/api/websites/[id]/active.ts
View file

@ -1,5 +1,5 @@
import { WebsiteActive } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { WebsiteActive } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';

4
pages/api/websites/[id]/eventdata.ts
View file

@ -1,5 +1,5 @@
import { WebsiteMetric } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { WebsiteMetric } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';

4
pages/api/websites/[id]/events.ts
View file

@ -1,5 +1,5 @@
import { WebsiteMetric } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { WebsiteMetric } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import moment from 'moment-timezone';

4
pages/api/websites/[id]/index.ts
View file

@ -1,5 +1,5 @@
import { Website } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { Website } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite, canUpdateWebsite, canDeleteWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';

4
pages/api/websites/[id]/metrics.ts
View file

@ -1,5 +1,5 @@
import { WebsiteMetric } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { WebsiteMetric } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { FILTER_IGNORED } from 'lib/constants';
import { useAuth, useCors } from 'lib/middleware';

3
pages/api/websites/[id]/pageviews.ts
View file

@ -1,5 +1,4 @@
import { WebsitePageviews } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody, WebsitePageviews } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import moment from 'moment-timezone';

2
pages/api/websites/[id]/reset.ts
View file

@ -1,4 +1,4 @@
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';

4
pages/api/websites/[id]/stats.ts
View file

@ -1,5 +1,5 @@
import { WebsiteStats } from 'interface/api/models';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { WebsiteStats } from 'lib/types';
import { NextApiRequestQueryBody } from 'lib/types';
import { canViewWebsite } from 'lib/auth';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';

16
pages/api/websites/index.ts
View file

@ -1,15 +1,12 @@
import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
import { checkAdmin } from 'lib/auth';
import { NextApiRequestQueryBody } from 'lib/types';
import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics';
import { createWebsite, getAllWebsites, getWebsitesByUserId } from 'queries';
import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {
include_all?: boolean;
}
export interface WebsitesRequestQuery {}
export interface WebsitesRequestBody {
name: string;
@ -30,12 +27,7 @@ export default async (
} = req.auth;
if (req.method === 'GET') {
const { include_all } = req.query;
const isAdmin = await checkAdmin(userId);
const websites =
isAdmin && include_all ? await getAllWebsites() : await getWebsitesByUserId(userId);
const websites = await getUserWebsites(userId);
return ok(res, websites);
}