mirror of
https://github.com/kremalicious/umami.git
synced 2024-12-24 18:26:20 +01:00
Merge branch 'dev' of https://github.com/umami-software/umami into dev
This commit is contained in:
commit
45d3fa4016
10
lib/auth.ts
10
lib/auth.ts
@ -187,19 +187,17 @@ export async function canDeleteTeam({ user }: Auth, teamId: string) {
|
||||
return false;
|
||||
}
|
||||
|
||||
export async function canDeleteTeamUser({ user }: Auth, teamUserId: string) {
|
||||
export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUserId: string) {
|
||||
if (user.isAdmin) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (validate(teamUserId)) {
|
||||
const removeUser = await getTeamUserById(teamUserId);
|
||||
|
||||
if (removeUser.userId === user.id) {
|
||||
if (validate(teamId) && validate(removeUserId)) {
|
||||
if (removeUserId === user.id) {
|
||||
return true;
|
||||
}
|
||||
|
||||
const teamUser = await getTeamUser(removeUser.teamId, user.id);
|
||||
const teamUser = await getTeamUser(teamId, user.id);
|
||||
|
||||
return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
|
||||
}
|
||||
|
@ -1,28 +0,0 @@
|
||||
import { canDeleteTeamUser } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiRequestQueryBody } from 'lib/types';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { deleteTeamUser } from 'queries/admin/teamUser';
|
||||
|
||||
export interface TeamUserRequestQuery {
|
||||
id: string;
|
||||
}
|
||||
|
||||
export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const { id: teamUserId } = req.query;
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await canDeleteTeamUser(req.auth, teamUserId))) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const websites = await deleteTeamUser(teamUserId);
|
||||
|
||||
return ok(res, websites);
|
||||
}
|
||||
|
||||
return methodNotAllowed(res);
|
||||
};
|
@ -1,5 +1,5 @@
|
||||
import { NextApiRequestQueryBody } from 'lib/types';
|
||||
import { canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { canDeleteTeamUser, canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
@ -12,7 +12,7 @@ export interface TeamUserRequestQuery {
|
||||
export interface TeamUserRequestBody {
|
||||
email: string;
|
||||
roleId: string;
|
||||
teamUserId?: string;
|
||||
userId?: string;
|
||||
}
|
||||
|
||||
export default async (
|
||||
@ -53,12 +53,13 @@ export default async (
|
||||
}
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (await canUpdateTeam(req.auth, teamId)) {
|
||||
const { userId } = req.body;
|
||||
|
||||
if (await canDeleteTeamUser(req.auth, teamId, userId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
const { teamUserId } = req.body;
|
||||
|
||||
await deleteTeamUser(teamUserId);
|
||||
await deleteTeamUser(teamId, userId);
|
||||
|
||||
return ok(res);
|
||||
}
|
||||
|
@ -62,23 +62,22 @@ export async function updateTeamUser(
|
||||
});
|
||||
}
|
||||
|
||||
export async function deleteTeamUser(teamUserId: string): Promise<TeamUser> {
|
||||
export async function deleteTeamUser(teamId: string, userId: string): Promise<TeamUser> {
|
||||
const { client, transaction } = prisma;
|
||||
|
||||
const teamUser = await getTeamUserById(teamUserId);
|
||||
|
||||
return transaction([
|
||||
client.teamWebsite.deleteMany({
|
||||
where: {
|
||||
teamId: teamUser.teamId,
|
||||
teamId: teamId,
|
||||
website: {
|
||||
userId: teamUser.userId,
|
||||
userId: userId,
|
||||
},
|
||||
},
|
||||
}),
|
||||
client.teamUser.deleteMany({
|
||||
where: {
|
||||
id: teamUserId,
|
||||
teamId,
|
||||
userId,
|
||||
},
|
||||
}),
|
||||
]);
|
||||
|
@ -32,7 +32,8 @@ function clickhouseQuery(websiteId: string, startAt: Date, eventType: number) {
|
||||
session_id as sessionId,
|
||||
created_at as createdAt,
|
||||
toUnixTimestamp(created_at) as timestamp,
|
||||
url_path,
|
||||
url_path as urlPath,
|
||||
referrer_domain as referrerDomain,
|
||||
event_name as eventName
|
||||
from website_event
|
||||
where event_type = {eventType:UInt32}
|
||||
|
Loading…
Reference in New Issue
Block a user