Block share-token users from modifying reports via API.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mike Cao 2026-01-24 15:06:39 -08:00
parent 801a3ec6bb
commit e782c2e627
2 changed files with 14 additions and 2 deletions


@ -3,11 +3,11 @@ import type { Auth } from '@/lib/types';
import { canViewWebsite } from './website';
export async function canViewReport(auth: Auth, report: Report) {
if (auth.user.isAdmin) {
if (auth.user?.isAdmin) {
return true;
}
if (auth.user.id === report.userId) {
if (auth.user?.id === report.userId) {
return true;
}
@ -15,6 +15,10 @@ export async function canViewReport(auth: Auth, report: Report) {
}
export async function canUpdateReport({ user }: Auth, report: Report) {
if (!user) {
return false;
}
if (user.isAdmin) {
return true;
}
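Review bot: In the `@ -3,11` hunk, `auth.user?.id === report.userId` can still grant owner-level access when there is no user, if `Report.userId` is ever undefined: optional chaining yields `undefined` on the left and `undefined === undefined` is true. Since the point of the commit is that share-token requests carry no user, the owner check should require one explicitly, `if (auth.user && auth.user.id === report.userId) {`. An early `return false` on a missing user would be wrong here, because the function presumably falls through to `canViewWebsite` for share-token viewers; the rest of canViewReport lies outside the hunk. Whether `Report.userId` is nullable is not visible in this diff — if it is a required string the comparison is safe as written, but the explicit guard costs nothing. The `if (!user)` guard added to canUpdateReport in the second hunk is consistent with the website helpers.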


@ -45,6 +45,10 @@ export async function canCreateWebsite({ user }: Auth) {
}
export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
if (!user) {
return false;
}
if (user.isAdmin) {
return true;
}
@ -69,6 +73,10 @@ export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
}
export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
if (!user) {
return false;
}
if (user.isAdmin) {
return true;
}
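Review bot: The new `if (!user)` guard in canUpdateWebsite and canDeleteWebsite gives no hint why `user` can be absent on an `Auth`, which a later reader needs before relaxing it; a one-line comment above each guard would carry the commit's reasoning into the code, e.g. `// Share-token sessions carry no user; mutations require an authenticated user.`. The same three-line guard now appears in four authorization helpers across the two files (canUpdateReport as well), so a small shared predicate — for example a constructed `hasUser(auth: Auth)` returning `!!auth.user` — would keep the rule in one place as more mutating helpers are added. Both function bodies continue below the hunk, so any `user.` dereferences there are now safe only because of this guard.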