From fdafe13c35913d8936b23f350c653dfe775e0ad5 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Sat, 24 Jan 2026 19:13:49 -0800
Subject: [PATCH] Block share token from all editing permissions.
Co-Authored-By: Claude Opus 4.5
---
 src/permissions/entity.ts | 14 +++++++++++++-
 src/permissions/link.ts | 14 +++++++++++++-
 src/permissions/pixel.ts | 14 +++++++++++++-
 src/permissions/team.ts | 26 +++++++++++++++++++++++++-
 src/permissions/user.ts | 14 +++++++++++---
 src/permissions/website.ts | 16 ++++++++++++++--
 6 files changed, 89 insertions(+), 9 deletions(-)
diff --git a/src/permissions/entity.ts b/src/permissions/entity.ts
index a9194d2c..bab804dd 100644
--- a/src/permissions/entity.ts
+++ b/src/permissions/entity.ts
@@ -5,7 +5,11 @@ import type { Auth } from '@/lib/types';
 import { getTeamUser } from '@/queries/prisma';
 export async function canViewEntity({ user }: Auth, entityId: string) {
- if (user?.isAdmin) {
+ if (!user) {
+ return false;
+ }
+
+ if (user.isAdmin) {
 return true;
 }
@@ -25,6 +29,10 @@ export async function canViewEntity({ user }: Auth, entityId: string) {
 }
 export async function canUpdateEntity({ user }: Auth, entityId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -45,6 +53,10 @@ export async function canUpdateEntity({ user }: Auth, entityId: string) {
 }
 export async function canDeleteEntity({ user }: Auth, entityId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
diff --git a/src/permissions/link.ts b/src/permissions/link.ts
index c027a0b6..8dd1d7c6 100644
--- a/src/permissions/link.ts
+++ b/src/permissions/link.ts
@@ -4,7 +4,11 @@ import type { Auth } from '@/lib/types';
 import { getLink, getTeamUser } from '@/queries/prisma';
 export async function canViewLink({ user }: Auth, linkId: string) {
- if (user?.isAdmin) {
+ if (!user) {
+ return false;
+ }
+
+ if (user.isAdmin) {
 return true;
 }
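Review bot: The `if (!user) { return false; }` guard added at the top of canViewEntity in src/permissions/entity.ts is pasted by hand into every other check this patch touches (link.ts, pixel.ts, team.ts, user.ts, website.ts), so the deny-without-user rule holds only as long as each future check repeats it. The old `user.isAdmin` lines evidently compiled without a guard, which suggests `Auth` in '@/lib/types' (not visible here) declares `user` as always present; typing it as optional there would make the compiler reject an unguarded dereference. A one-line comment above the guard, such as `// no user on this request (e.g. share-token access): deny`, would record why it exists.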
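Review bot: No test accompanies the guard added to canUpdateEntity or to its siblings in the other files; the diffstat lists only the six files under src/permissions. Since the stated purpose is that a request carrying only a share token never passes an editing check, a regression test that calls each create, update, delete and transfer check with an Auth that has `shareToken` set and `user` undefined, and expects `false`, would pin that behaviour and catch any check that lacks the guard. canUpdateEntity's body continues past the hunk, so what follows the admin branch is not visible here.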
@@ -24,6 +28,10 @@ export async function canViewLink({ user }: Auth, linkId: string) {
 }
 export async function canUpdateLink({ user }: Auth, linkId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -44,6 +52,10 @@ export async function canUpdateLink({ user }: Auth, linkId: string) {
 }
 export async function canDeleteLink({ user }: Auth, linkId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
diff --git a/src/permissions/pixel.ts b/src/permissions/pixel.ts
index 2131874f..14b69ace 100644
--- a/src/permissions/pixel.ts
+++ b/src/permissions/pixel.ts
@@ -4,7 +4,11 @@ import type { Auth } from '@/lib/types';
 import { getPixel, getTeamUser } from '@/queries/prisma';
 export async function canViewPixel({ user }: Auth, pixelId: string) {
- if (user?.isAdmin) {
+ if (!user) {
+ return false;
+ }
+
+ if (user.isAdmin) {
 return true;
 }
@@ -24,6 +28,10 @@ export async function canViewPixel({ user }: Auth, pixelId: string) {
 }
 export async function canUpdatePixel({ user }: Auth, pixelId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -44,6 +52,10 @@ export async function canUpdatePixel({ user }: Auth, pixelId: string) {
 }
 export async function canDeletePixel({ user }: Auth, pixelId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
diff --git a/src/permissions/team.ts b/src/permissions/team.ts
index 784dbe4b..130290af 100644
--- a/src/permissions/team.ts
+++ b/src/permissions/team.ts
@@ -4,6 +4,10 @@ import type { Auth } from '@/lib/types';
 import { getTeamUser } from '@/queries/prisma';
 export async function canViewTeam({ user }: Auth, teamId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -12,6 +16,10 @@ export async function canViewTeam({ user }: Auth, teamId: string) {
 }
 export async function canCreateTeam({ user }: Auth) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -20,6 +28,10 @@ export async function canCreateTeam({ user }: Auth) {
 }
 export async function canUpdateTeam({ user }: Auth, teamId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -30,6 +42,10 @@ export async function canUpdateTeam({ user }: Auth, teamId: string) {
 }
 export async function canDeleteTeam({ user }: Auth, teamId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -40,6 +56,10 @@ export async function canDeleteTeam({ user }: Auth, teamId: string) {
 }
 export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUserId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -54,6 +74,10 @@ export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUs
 }
 export async function canCreateTeamWebsite({ user }: Auth, teamId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -64,5 +88,5 @@ export async function canCreateTeamWebsite({ user }: Auth, teamId: string) {
 }
 export async function canViewAllTeams({ user }: Auth) {
- return user.isAdmin;
+ return user?.isAdmin ?? false;
 }
diff --git a/src/permissions/user.ts b/src/permissions/user.ts
index 2ed8f276..8aa453ae 100644
--- a/src/permissions/user.ts
+++ b/src/permissions/user.ts
@@ -1,10 +1,14 @@
 import type { Auth } from '@/lib/types';
 export async function canCreateUser({ user }: Auth) {
- return user.isAdmin;
+ return user?.isAdmin ?? false;
 }
 export async function canViewUser({ user }: Auth, viewedUserId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -13,10 +17,14 @@ export async function canViewUser({ user }: Auth, viewedUserId: string) {
 }
 export async function canViewUsers({ user }: Auth) {
- return user.isAdmin;
+ return user?.isAdmin ?? false;
 }
 export async function canUpdateUser({ user }: Auth, viewedUserId: string) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -25,5 +33,5 @@ export async function canUpdateUser({ user }: Auth, viewedUserId: string) {
 }
 export async function canDeleteUser({ user }: Auth) {
- return user.isAdmin;
+ return user?.isAdmin ?? false;
 }
diff --git a/src/permissions/website.ts b/src/permissions/website.ts
index a68b05cd..9ad25ae5 100644
--- a/src/permissions/website.ts
+++ b/src/permissions/website.ts
@@ -15,7 +15,7 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
 const entity = await getEntity(websiteId);
- if (!entity) {
+ if (!entity || !user) {
 return false;
 }
@@ -33,10 +33,14 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
 }
 export async function canViewAllWebsites({ user }: Auth) {
- return user.isAdmin;
+ return user?.isAdmin ?? false;
 }
 export async function canCreateWebsite({ user }: Auth) {
+ if (!user) {
+ return false;
+ }
+
 if (user.isAdmin) {
 return true;
 }
@@ -101,6 +105,10 @@ export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
 }
 export async function canTransferWebsiteToUser({ user }: Auth, websiteId: string, userId: string) {
+ if (!user) {
+ return false;
+ }
+
 const website = await getWebsite(websiteId);
 if (!website) {
@@ -117,6 +125,10 @@ export async function canTransferWebsiteToUser({ user }: Auth, websiteId: string
 }
 export async function canTransferWebsiteToTeam({ user }: Auth, websiteId: string, teamId: string) {
+ if (!user) {
+ return false;
+ }
+
 const website = await getWebsite(websiteId);
 if (!website) {
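Review bot: In canViewWebsite (src/permissions/website.ts) the new `!user` test is merged into the `!entity` check, so it runs only after `await getEntity(websiteId)` and a request without a user pays for that lookup before being refused; the transfer checks later in this file test `user` first. If the share-token branch above the hunk (not visible) has already returned by this point, a separate guard placed before the lookup reads more clearly: `if (!user) { return false; }` followed by the unchanged `if (!entity)`. A comment there should state that reaching this line without a user means no valid share token was presented, assuming that is what the earlier lines establish.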
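Review bot: canDeleteWebsite appears only in the header of the `@@ -101,6 +105,10 @@` hunk: nothing between new lines 47 and 104 of src/permissions/website.ts is changed, so the checks defined in that stretch get no `!user` guard from this patch even though the commit title covers all editing permissions. If they already test `user` before reading its fields, nothing is needed; otherwise a share-token request reaching them would throw rather than return `false`, and they should open with the same `if (!user) { return false; }` used in canTransferWebsiteToUser. This cannot be confirmed from the hunks shown.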