Update security for dashboard and details pages.

2025-12-08 05:12:36 +01:00 · 2020-09-17 11:40:04 -07:00 · 2020-09-17 11:40:04 -07:00 · bff8806b61
commit bff8806b61
parent ecd2593063
7 changed files with 40 additions and 40 deletions
--- a/pages/api/website/[id].js
+++ b/pages/api/website/[id].js
@ -1,31 +0,0 @@
-import { deleteWebsite, getWebsiteById } from 'lib/queries';
-import { useAuth } from 'lib/middleware';
-import { methodNotAllowed, ok, unauthorized } from 'lib/response';
-
-export default async (req, res) => {
-  const { id } = req.query;
-  const website_id = +id;
-
-  if (req.method === 'GET') {
-    const website = await getWebsiteById(website_id);
-
-    return ok(res, website);
-  }
-
-  if (req.method === 'DELETE') {
-    await useAuth(req, res);
-    const { user_id, is_admin } = req.auth;
-
-    const website = await getWebsiteById(website_id);
-
-    if (website.user_id === user_id || is_admin) {
-      await deleteWebsite(website_id);
-
-      return ok(res);
-    }
-
-    return unauthorized(res);
-  }
-
-  return methodNotAllowed(res);
-};
--- a/pages/api/website/[id]/index.js
+++ b/pages/api/website/[id]/index.js
@ -0,0 +1,31 @@
+import { deleteWebsite, getWebsiteById } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id, is_admin } = req.auth;
+  const { id, share_id } = req.query;
+  const websiteId = +id;
+
+  const website = await getWebsiteById(websiteId);
+
+  if (req.method === 'GET') {
+    if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
+      return ok(res, website);
+    }
+    return unauthorized(res);
+  }
+
+  if (req.method === 'DELETE') {
+    if (is_admin || website.user_id === user_id) {
+      await deleteWebsite(websiteId);
+
+      return ok(res);
+    }
+    return unauthorized(res);
+  }
+
+  return methodNotAllowed(res);
+};
--- a/pages/api/websites.js
+++ b/pages/api/websites.js
@ -5,15 +5,15 @@ import { ok, methodNotAllowed, unauthorized } from 'lib/response';
 export default async (req, res) => {
  await useAuth(req, res);

-  const { user_id, is_admin } = req.auth;
-  const { userId } = req.query;
+  const { user_id: current_user_id, is_admin } = req.auth;
+  const { user_id } = req.query;

  if (req.method === 'GET') {
-    if (userId && !is_admin) {
+    if (user_id && !is_admin) {
      return unauthorized(res);
    }

-    const websites = await getUserWebsites(+userId || user_id);
+    const websites = await getUserWebsites(+user_id || current_user_id);

    return ok(res, websites);
  }