Block share token users from modifying reports via API.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 04:37:11 +01:00 · 2026-01-24 15:06:39 -08:00 · 2026-01-24 15:06:39 -08:00 · e782c2e627
commit e782c2e627
parent 801a3ec6bb
2 changed files with 14 additions and 2 deletions
--- a/src/permissions/report.ts
+++ b/src/permissions/report.ts
@ -3,11 +3,11 @@ import type { Auth } from '@/lib/types';
 import { canViewWebsite } from './website';
 export async function canViewReport(auth: Auth, report: Report) {
-  if (auth.user.isAdmin) {
+  if (auth.user?.isAdmin) {
    return true;
  }
-  if (auth.user.id === report.userId) {
+  if (auth.user?.id === report.userId) {
    return true;
  }
@ -15,6 +15,10 @@ export async function canViewReport(auth: Auth, report: Report) {
 }
 export async function canUpdateReport({ user }: Auth, report: Report) {
  if (!user) {
    return false;
  }
  if (user.isAdmin) {
    return true;
  }
--- a/src/permissions/website.ts
+++ b/src/permissions/website.ts
@ -45,6 +45,10 @@ export async function canCreateWebsite({ user }: Auth) {
 }
 export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
  if (!user) {
    return false;
  }
  if (user.isAdmin) {
    return true;
  }
@ -69,6 +73,10 @@ export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
 }
 export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
  if (!user) {
    return false;
  }
  if (user.isAdmin) {
    return true;
  }