Merge branch 'dev' of https://github.com/umami-software/umami into dev

lib/auth.ts

@@ -187,19 +187,17 @@ export async function canDeleteTeam({ user }: Auth, teamId: string) {
   return false;
 }
 
-export async function canDeleteTeamUser({ user }: Auth, teamUserId: string) {
+export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUserId: string) {
   if (user.isAdmin) {
     return true;
   }
 
-  if (validate(teamUserId)) {
-    const removeUser = await getTeamUserById(teamUserId);
-
-    if (removeUser.userId === user.id) {
+  if (validate(teamId) && validate(removeUserId)) {
+    if (removeUserId === user.id) {
       return true;
     }
 
-    const teamUser = await getTeamUser(removeUser.teamId, user.id);
+    const teamUser = await getTeamUser(teamId, user.id);
 
     return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
   }

pages/api/teamUsers/[id].ts

@@ -1,28 +0,0 @@
-import { canDeleteTeamUser } from 'lib/auth';
-import { useAuth } from 'lib/middleware';
-import { NextApiRequestQueryBody } from 'lib/types';
-import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok, unauthorized } from 'next-basics';
-import { deleteTeamUser } from 'queries/admin/teamUser';
-
-export interface TeamUserRequestQuery {
-  id: string;
-}
-
-export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
-  await useAuth(req, res);
-
-  const { id: teamUserId } = req.query;
-
-  if (req.method === 'DELETE') {
-    if (!(await canDeleteTeamUser(req.auth, teamUserId))) {
-      return unauthorized(res);
-    }
-
-    const websites = await deleteTeamUser(teamUserId);
-
-    return ok(res, websites);
-  }
-
-  return methodNotAllowed(res);
-};

pages/api/teams/[id]/users.ts

@@ -1,5 +1,5 @@
 import { NextApiRequestQueryBody } from 'lib/types';
-import { canUpdateTeam, canViewTeam } from 'lib/auth';
+import { canDeleteTeamUser, canUpdateTeam, canViewTeam } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
 import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
@@ -12,7 +12,7 @@ export interface TeamUserRequestQuery {
 export interface TeamUserRequestBody {
   email: string;
   roleId: string;
-  teamUserId?: string;
+  userId?: string;
 }
 
 export default async (
@@ -53,12 +53,13 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (await canUpdateTeam(req.auth, teamId)) {
+    const { userId } = req.body;
+
+    if (await canDeleteTeamUser(req.auth, teamId, userId)) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
-    const { teamUserId } = req.body;
 
-    await deleteTeamUser(teamUserId);
+    await deleteTeamUser(teamId, userId);
 
     return ok(res);
   }

queries/admin/teamUser.ts

@@ -62,23 +62,22 @@ export async function updateTeamUser(
   });
 }
 
-export async function deleteTeamUser(teamUserId: string): Promise<TeamUser> {
+export async function deleteTeamUser(teamId: string, userId: string): Promise<TeamUser> {
   const { client, transaction } = prisma;
 
-  const teamUser = await getTeamUserById(teamUserId);
-
   return transaction([
     client.teamWebsite.deleteMany({
       where: {
-        teamId: teamUser.teamId,
+        teamId: teamId,
         website: {
-          userId: teamUser.userId,
+          userId: userId,
         },
       },
     }),
     client.teamUser.deleteMany({
       where: {
-        id: teamUserId,
+        teamId,
+        userId,
       },
     }),
   ]);

queries/analytics/event/getEvents.ts

@@ -32,7 +32,8 @@ function clickhouseQuery(websiteId: string, startAt: Date, eventType: number) {
       session_id as sessionId,
       created_at as createdAt,
       toUnixTimestamp(created_at) as timestamp,
-      url_path,
+      url_path as urlPath,
+      referrer_domain as referrerDomain,
       event_name as eventName
     from website_event
     where event_type = {eventType:UInt32}