Merge branch 'dev' of https://github.com/umami-software/umami into feat/um-138-remove-prisma-foreign-key

This commit is contained in:
Francis Cao 2022-12-27 16:52:04 -08:00
commit 1472e205a3
20 changed files with 133 additions and 98 deletions

View File

@ -1,9 +1,10 @@
import { parseSecureToken, parseToken, ensureArray } from 'next-basics';
import debug from 'debug'; import debug from 'debug';
import cache from 'lib/cache'; import cache from 'lib/cache';
import { SHARE_TOKEN_HEADER, PERMISSIONS, ROLE_PERMISSIONS } from 'lib/constants'; import { PERMISSIONS, ROLE_PERMISSIONS, SHARE_TOKEN_HEADER } from 'lib/constants';
import { secret } from 'lib/crypto'; import { secret } from 'lib/crypto';
import { ensureArray, parseSecureToken, parseToken } from 'next-basics';
import { getTeamUser } from 'queries'; import { getTeamUser } from 'queries';
import { Auth } from './types';
const log = debug('umami:auth'); const log = debug('umami:auth');
@ -48,29 +49,51 @@ export function isValidToken(token, validation) {
return false; return false;
} }
export async function canViewWebsite(userId: string, websiteId: string) { export async function canViewWebsite({ user }: Auth, websiteId: string) {
if (user.isAdmin) {
return true;
}
const website = await cache.fetchWebsite(websiteId); const website = await cache.fetchWebsite(websiteId);
if (website.userId) { if (website.userId) {
return userId === website.userId; return user.id === website.userId;
} }
if (website.teamId) { if (website.teamId) {
return getTeamUser(website.teamId, userId); return getTeamUser(website.teamId, user.id);
} }
return false; return false;
} }
export async function canUpdateWebsite(userId: string, websiteId: string) { export async function canCreateWebsite({ user }: Auth, teamId?: string) {
if (user.isAdmin) {
return true;
}
if (teamId) {
const teamUser = await getTeamUser(teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.websiteCreate);
}
return hasPermission(user.role, PERMISSIONS.websiteCreate);
}
export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
if (user.isAdmin) {
return true;
}
const website = await cache.fetchWebsite(websiteId); const website = await cache.fetchWebsite(websiteId);
if (website.userId) { if (website.userId) {
return userId === website.userId; return user.id === website.userId;
} }
if (website.teamId) { if (website.teamId) {
const teamUser = await getTeamUser(website.teamId, userId); const teamUser = await getTeamUser(website.teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.websiteUpdate); return hasPermission(teamUser.role, PERMISSIONS.websiteUpdate);
} }
@ -78,15 +101,19 @@ export async function canUpdateWebsite(userId: string, websiteId: string) {
return false; return false;
} }
export async function canDeleteWebsite(userId: string, websiteId: string) { export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
if (user.isAdmin) {
return true;
}
const website = await cache.fetchWebsite(websiteId); const website = await cache.fetchWebsite(websiteId);
if (website.userId) { if (website.userId) {
return userId === website.userId; return user.id === website.userId;
} }
if (website.teamId) { if (website.teamId) {
const teamUser = await getTeamUser(website.teamId, userId); const teamUser = await getTeamUser(website.teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.websiteDelete); return hasPermission(teamUser.role, PERMISSIONS.websiteDelete);
} }
@ -95,33 +122,69 @@ export async function canDeleteWebsite(userId: string, websiteId: string) {
} }
// To-do: Implement when payments are setup. // To-do: Implement when payments are setup.
export async function canCreateTeam(userId: string) { export async function canCreateTeam({ user }: Auth) {
return !!userId; if (user.isAdmin) {
return true;
}
return !!user;
} }
// To-do: Implement when payments are setup. // To-do: Implement when payments are setup.
export async function canViewTeam(userId: string, teamId) { export async function canViewTeam({ user }: Auth, teamId: string) {
return getTeamUser(teamId, userId); if (user.isAdmin) {
return true;
}
return getTeamUser(teamId, user.id);
} }
export async function canUpdateTeam(userId: string, teamId: string) { export async function canUpdateTeam({ user }: Auth, teamId: string) {
const teamUser = await getTeamUser(teamId, userId); if (user.isAdmin) {
return true;
}
const teamUser = await getTeamUser(teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.teamUpdate); return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
} }
export async function canDeleteTeam(userId: string, teamId: string) { export async function canDeleteTeam({ user }: Auth, teamId: string) {
const teamUser = await getTeamUser(teamId, userId); if (user.isAdmin) {
return true;
}
const teamUser = await getTeamUser(teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.teamDelete); return hasPermission(teamUser.role, PERMISSIONS.teamDelete);
} }
export async function canViewUser(userId: string, viewedUserId: string) { export async function canCreateUser({ user }: Auth) {
return userId === viewedUserId; return user.isAdmin;
} }
export async function canUpdateUser(userId: string, viewedUserId: string) { export async function canViewUser({ user }: Auth, viewedUserId: string) {
return userId === viewedUserId; if (user.isAdmin) {
return true;
}
return user.id === viewedUserId;
}
export async function canViewUsers({ user }: Auth) {
return user.isAdmin;
}
export async function canUpdateUser({ user }: Auth, viewedUserId: string) {
if (user.isAdmin) {
return true;
}
return user.id === viewedUserId;
}
export async function canDeleteUser({ user }: Auth) {
return user.isAdmin;
} }
export async function hasPermission(role: string, permission: string | string[]) { export async function hasPermission(role: string, permission: string | string[]) {

View File

@ -25,7 +25,7 @@ export const REALTIME_INTERVAL = 3000;
export const EVENT_TYPE = { export const EVENT_TYPE = {
pageView: 1, pageView: 1,
customEvent: 2, customEvent: 2,
}; } as const;
export const ROLES = { export const ROLES = {
admin: 'admin', admin: 'admin',
@ -43,7 +43,7 @@ export const PERMISSIONS = {
teamCreate: 'team:create', teamCreate: 'team:create',
teamUpdate: 'team:update', teamUpdate: 'team:update',
teamDelete: 'team:delete', teamDelete: 'team:delete',
}; } as const;
export const ROLE_PERMISSIONS = { export const ROLE_PERMISSIONS = {
[ROLES.admin]: [PERMISSIONS.all], [ROLES.admin]: [PERMISSIONS.all],
@ -66,7 +66,7 @@ export const ROLE_PERMISSIONS = {
PERMISSIONS.websiteDelete, PERMISSIONS.websiteDelete,
], ],
[ROLES.teamGuest]: [], [ROLES.teamGuest]: [],
}; } as const;
export const THEME_COLORS = { export const THEME_COLORS = {
light: { light: {

View File

@ -20,13 +20,10 @@ export default async (
) => { ) => {
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query; const { id: teamId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewTeam(userId, teamId))) { if (!(await canViewTeam(req.auth, teamId))) {
return unauthorized(res); return unauthorized(res);
} }
@ -38,7 +35,7 @@ export default async (
if (req.method === 'POST') { if (req.method === 'POST') {
const { name } = req.body; const { name } = req.body;
if (!(await canUpdateTeam(userId, teamId))) { if (!(await canUpdateTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }
@ -48,7 +45,7 @@ export default async (
} }
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (!(await canDeleteTeam(userId, teamId))) { if (!(await canDeleteTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }

View File

@ -21,13 +21,10 @@ export default async (
) => { ) => {
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query; const { id: teamId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewTeam(userId, teamId))) { if (!(await canViewTeam(req.auth, teamId))) {
return unauthorized(res); return unauthorized(res);
} }
@ -37,7 +34,7 @@ export default async (
} }
if (req.method === 'POST') { if (req.method === 'POST') {
if (!(await canUpdateTeam(userId, teamId))) { if (!(await canUpdateTeam(req.auth, teamId))) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }
@ -56,7 +53,7 @@ export default async (
} }
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (await canUpdateTeam(userId, teamId)) { if (await canUpdateTeam(req.auth, teamId)) {
return unauthorized(res, 'You must be the owner of this team.'); return unauthorized(res, 'You must be the owner of this team.');
} }
const { teamUserId } = req.body; const { teamUserId } = req.body;

View File

@ -20,13 +20,10 @@ export default async (
) => { ) => {
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: teamId } = req.query; const { id: teamId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (await canViewTeam(userId, teamId)) { if (await canViewTeam(req.auth, teamId)) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -28,7 +28,7 @@ export default async (
} }
if (req.method === 'POST') { if (req.method === 'POST') {
if (!(await canCreateTeam(userId))) { if (!(await canCreateTeam(req.auth))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -1,5 +1,5 @@
import { NextApiRequestQueryBody } from 'lib/types'; import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateUser, canViewUser } from 'lib/auth'; import { canDeleteUser, canUpdateUser, canViewUser } from 'lib/auth';
import { useAuth } from 'lib/middleware'; import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next'; import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics'; import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
@ -26,7 +26,7 @@ export default async (
const { id } = req.query; const { id } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!isAdmin && !(await canViewUser(userId, id))) { if (!(await canViewUser(req.auth, id))) {
return unauthorized(res); return unauthorized(res);
} }
@ -36,7 +36,7 @@ export default async (
} }
if (req.method === 'POST') { if (req.method === 'POST') {
if (!isAdmin && !(await canUpdateUser(userId, id))) { if (!(await canUpdateUser(req.auth, id))) {
return unauthorized(res); return unauthorized(res);
} }
@ -71,7 +71,7 @@ export default async (
} }
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (!isAdmin) { if (!(await canDeleteUser(req.auth))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -29,12 +29,9 @@ export default async (
const { currentPassword, newPassword } = req.body; const { currentPassword, newPassword } = req.body;
const { id } = req.query; const { id } = req.query;
const {
user: { id: userId, isAdmin },
} = req.auth;
if (req.method === 'POST') { if (req.method === 'POST') {
if (!isAdmin && !(await canUpdateUser(userId, id))) { if (!(await canUpdateUser(req.auth, id))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -1,9 +1,10 @@
import { Prisma } from '@prisma/client'; import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'lib/types'; import { canCreateWebsite } from 'lib/auth';
import { uuid } from 'lib/crypto'; import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware'; import { useAuth, useCors } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next'; import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics'; import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createWebsite, getUserWebsites } from 'queries'; import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {} export interface WebsitesRequestQuery {}
@ -35,6 +36,10 @@ export default async (
if (req.method === 'POST') { if (req.method === 'POST') {
const { name, domain, shareId, teamId } = req.body; const { name, domain, shareId, teamId } = req.body;
if (!(await canCreateWebsite(req.auth, teamId))) {
return unauthorized(res);
}
const data: Prisma.WebsiteUncheckedCreateInput = { const data: Prisma.WebsiteUncheckedCreateInput = {
id: uuid(), id: uuid(),
name, name,

View File

@ -1,7 +1,8 @@
import { NextApiRequestQueryBody } from 'lib/types'; import { canCreateUser, canViewUsers } from 'lib/auth';
import { ROLES } from 'lib/constants';
import { uuid } from 'lib/crypto'; import { uuid } from 'lib/crypto';
import { useAuth } from 'lib/middleware'; import { useAuth } from 'lib/middleware';
import { ROLES } from 'lib/constants'; import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next'; import { NextApiResponse } from 'next';
import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics'; import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createUser, getUser, getUsers, User } from 'queries'; import { createUser, getUser, getUsers, User } from 'queries';
@ -18,12 +19,8 @@ export default async (
) => { ) => {
await useAuth(req, res); await useAuth(req, res);
const {
user: { isAdmin },
} = req.auth;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!isAdmin) { if (!(await canViewUsers(req.auth))) {
return unauthorized(res); return unauthorized(res);
} }
@ -33,7 +30,7 @@ export default async (
} }
if (req.method === 'POST') { if (req.method === 'POST') {
if (!isAdmin) { if (!(await canCreateUser(req.auth))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -17,13 +17,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query; const { id: websiteId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (await canViewWebsite(userId, websiteId)) { if (await canViewWebsite(req.auth, websiteId)) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -24,13 +24,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query; const { id: websiteId } = req.query;
if (req.method === 'POST') { if (req.method === 'POST') {
if (canViewWebsite(userId, websiteId)) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -25,13 +25,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId, startAt, endAt, unit, tz, url, eventName } = req.query; const { id: websiteId, startAt, endAt, unit, tz, url, eventName } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (canViewWebsite(userId, websiteId)) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -22,13 +22,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query; const { id: websiteId } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }
@ -38,7 +35,7 @@ export default async (
} }
if (req.method === 'POST') { if (req.method === 'POST') {
if (!(await canUpdateWebsite(userId, websiteId))) { if (!(await canUpdateWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }
@ -56,7 +53,7 @@ export default async (
} }
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (!(await canDeleteWebsite(userId, websiteId))) { if (!(await canDeleteWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -55,9 +55,6 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { const {
id: websiteId, id: websiteId,
type, type,
@ -72,7 +69,7 @@ export default async (
} = req.query; } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -30,9 +30,6 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { const {
id: websiteId, id: websiteId,
startAt, startAt,
@ -48,7 +45,7 @@ export default async (
} = req.query; } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -16,13 +16,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId } = req.query; const { id: websiteId } = req.query;
if (req.method === 'POST') { if (req.method === 'POST') {
if (!(await canViewWebsite(userId, websiteId))) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -26,13 +26,10 @@ export default async (
await useCors(req, res); await useCors(req, res);
await useAuth(req, res); await useAuth(req, res);
const {
user: { id: userId },
} = req.auth;
const { id: websiteId, startAt, endAt, url, referrer, os, browser, device, country } = req.query; const { id: websiteId, startAt, endAt, url, referrer, os, browser, device, country } = req.query;
if (req.method === 'GET') { if (req.method === 'GET') {
if (!(await canViewWebsite(userId, websiteId))) { if (!(await canViewWebsite(req.auth, websiteId))) {
return unauthorized(res); return unauthorized(res);
} }

View File

@ -1,9 +1,10 @@
import { Prisma } from '@prisma/client'; import { Prisma } from '@prisma/client';
import { NextApiRequestQueryBody } from 'lib/types'; import { canCreateWebsite } from 'lib/auth';
import { uuid } from 'lib/crypto'; import { uuid } from 'lib/crypto';
import { useAuth, useCors } from 'lib/middleware'; import { useAuth, useCors } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next'; import { NextApiResponse } from 'next';
import { methodNotAllowed, ok } from 'next-basics'; import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createWebsite, getUserWebsites } from 'queries'; import { createWebsite, getUserWebsites } from 'queries';
export interface WebsitesRequestQuery {} export interface WebsitesRequestQuery {}
@ -35,6 +36,10 @@ export default async (
if (req.method === 'POST') { if (req.method === 'POST') {
const { name, domain, shareId, teamId } = req.body; const { name, domain, shareId, teamId } = req.body;
if (!(await canCreateWebsite(req.auth, teamId))) {
return unauthorized(res);
}
const data: Prisma.WebsiteUncheckedCreateInput = { const data: Prisma.WebsiteUncheckedCreateInput = {
id: uuid(), id: uuid(),
name, name,

View File

@ -3,12 +3,13 @@ import Layout from 'components/layout/Layout';
import TestConsole from 'components/pages/TestConsole'; import TestConsole from 'components/pages/TestConsole';
import useRequireLogin from 'hooks/useRequireLogin'; import useRequireLogin from 'hooks/useRequireLogin';
import useUser from 'hooks/useUser'; import useUser from 'hooks/useUser';
import { ROLES } from 'lib/constants';
export default function ConsolePage({ pageDisabled }) { export default function ConsolePage({ pageDisabled }) {
const { loading } = useRequireLogin(); const { loading } = useRequireLogin();
const { user } = useUser(); const { user } = useUser();
if (pageDisabled || loading || !user?.isAdmin) { if (pageDisabled || loading || user?.role !== ROLES.admin) {
return null; return null;
} }