This commit is contained in:
Mike Cao 2023-04-08 01:36:21 -07:00
commit 45d3fa4016
5 changed files with 17 additions and 46 deletions


@ -187,19 +187,17 @@ export async function canDeleteTeam({ user }: Auth, teamId: string) {
return false;
}
export async function canDeleteTeamUser({ user }: Auth, teamUserId: string) {
export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUserId: string) {
if (user.isAdmin) {
return true;
}
if (validate(teamUserId)) {
const removeUser = await getTeamUserById(teamUserId);
if (removeUser.userId === user.id) {
if (validate(teamId) && validate(removeUserId)) {
if (removeUserId === user.id) {
return true;
}
const teamUser = await getTeamUser(removeUser.teamId, user.id);
const teamUser = await getTeamUser(teamId, user.id);
return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
}
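Review bot: A caller who is not a member of the team still reaches `teamUser.role` on the `return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);` line, and since `getTeamUser(teamId, user.id)` is a lookup by pair it presumably resolves to null when no row matches, so that path would throw a TypeError (a 500) instead of denying; the new signature makes this easier to hit because `teamId` now comes straight from the caller rather than from an existing teamUser row found by `getTeamUserById`. A guard `if (!teamUser) { return false; }` before the `hasPermission` call keeps the function answering with a boolean for every input. The body of `canDeleteTeamUser` continues past the end of this hunk, so whether the branch where `validate(teamId) && validate(removeUserId)` is false ends with an explicit `return false` is not visible here.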


@ -1,28 +0,0 @@
import { canDeleteTeamUser } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { deleteTeamUser } from 'queries/admin/teamUser';
export interface TeamUserRequestQuery {
id: string;
}
export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
await useAuth(req, res);
const { id: teamUserId } = req.query;
if (req.method === 'DELETE') {
if (!(await canDeleteTeamUser(req.auth, teamUserId))) {
return unauthorized(res);
}
const websites = await deleteTeamUser(teamUserId);
return ok(res, websites);
}
return methodNotAllowed(res);
};


@ -1,5 +1,5 @@
import { NextApiRequestQueryBody } from 'lib/types';
import { canUpdateTeam, canViewTeam } from 'lib/auth';
import { canDeleteTeamUser, canUpdateTeam, canViewTeam } from 'lib/auth';
import { useAuth } from 'lib/middleware';
import { NextApiResponse } from 'next';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
@ -12,7 +12,7 @@ export interface TeamUserRequestQuery {
export interface TeamUserRequestBody {
email: string;
roleId: string;
teamUserId?: string;
userId?: string;
}
export default async (
@ -53,12 +53,13 @@ export default async (
}
if (req.method === 'DELETE') {
if (await canUpdateTeam(req.auth, teamId)) {
const { userId } = req.body;
if (await canDeleteTeamUser(req.auth, teamId, userId)) {
return unauthorized(res, 'You must be the owner of this team.');
}
const { teamUserId } = req.body;
await deleteTeamUser(teamUserId);
await deleteTeamUser(teamId, userId);
return ok(res);
}
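Review bot: As printed, the new guard `if (await canDeleteTeamUser(req.auth, teamId, userId)) {` in the DELETE branch has no negation, so a caller the check permits receives `unauthorized(...)` while a caller it rejects falls through to `deleteTeamUser(teamId, userId)`; the removed `canUpdateTeam` line reads the same way, so this may be a rendering loss, but if it is real the line should be `if (!(await canDeleteTeamUser(req.auth, teamId, userId))) {`. `userId` is declared optional in `TeamUserRequestBody` (second hunk) yet is passed to two `string` parameters here; an `if (!userId) { return badRequest(res); }` right after `const { userId } = req.body;` would turn a missing body field into an explicit 400 rather than relying on `validate` inside the auth helper. The message `'You must be the owner of this team.'` no longer describes the check, which per the `lib/auth` hunk now also admits a member with team-update permission or a user removing themselves. The enclosing handler starts before this hunk.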


@ -62,23 +62,22 @@ export async function updateTeamUser(
});
}
export async function deleteTeamUser(teamUserId: string): Promise<TeamUser> {
export async function deleteTeamUser(teamId: string, userId: string): Promise<TeamUser> {
const { client, transaction } = prisma;
const teamUser = await getTeamUserById(teamUserId);
return transaction([
client.teamWebsite.deleteMany({
where: {
teamId: teamUser.teamId,
teamId: teamId,
website: {
userId: teamUser.userId,
userId: userId,
},
},
}),
client.teamUser.deleteMany({
where: {
id: teamUserId,
teamId,
userId,
},
}),
]);
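Review bot: `deleteTeamUser` still declares `Promise<TeamUser>`, but its body now returns the result of `transaction([...])` over two `deleteMany` calls (Prisma `deleteMany` resolves to a `{ count }` object, not a row); the annotation was already off before, but with the `getTeamUserById` lookup removed there is no `TeamUser` value anywhere in the function, so the return type should describe the transaction result or be left to inference. Because both deletes now match on the `teamId`/`userId` pair, a pair with no membership row resolves successfully with zero rows affected and the API layer answers `ok` for it; if that is not intended, inspect the second batch count and signal the miss to the caller. A short doc comment would help readers of the new signature, e.g. `// Removes the user from the team and drops the team's links to every website that user owns.` The function's closing brace lies outside this hunk.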


@ -32,7 +32,8 @@ function clickhouseQuery(websiteId: string, startAt: Date, eventType: number) {
session_id as sessionId,
created_at as createdAt,
toUnixTimestamp(created_at) as timestamp,
url_path,
url_path as urlPath,
referrer_domain as referrerDomain,
event_name as eventName
from website_event
where event_type = {eventType:UInt32}