m/umami
1
0
Fork 0
mirror of https://github.com/kremalicious/umami.git synced 2024-06-28 16:57:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update api for new teams.

Browse Source
This commit is contained in:
Brian Cao 2024-01-26 11:28:16 -08:00
parent f319ce7915
commit 80883b5ff1
6 changed files with 122 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
src/lib/auth.ts
View File

@ -1,13 +1,13 @@
import { Report } from '@prisma/client';
import debug from 'debug';
import redis from '@umami/redis-client';
import { PERMISSIONS, ROLE_PERMISSIONS, ROLES, SHARE_TOKEN_HEADER } from 'lib/constants';
import debug from 'debug';
import { PERMISSIONS, ROLE_PERMISSIONS, SHARE_TOKEN_HEADER } from 'lib/constants';
import { secret } from 'lib/crypto';
import { NextApiRequest } from 'next';
import { createSecureToken, ensureArray, getRandomChars, parseToken } from 'next-basics';
import { getTeamUser, getWebsiteById } from 'queries';
import { getTeamUser } from 'queries';
import { loadWebsite } from './load';
import { Auth } from './types';
import { NextApiRequest } from 'next';
const log = debug('umami:auth');
const cloudMode = process.env.CLOUD_MODE;
@ -52,9 +52,17 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
const website = await loadWebsite(websiteId);
if (user.id === website?.userId) {
return true;
if (website.userId) {
return user.id === website.userId;
}
if (website.teamId) {
const teamUser = await getTeamUser(website.teamId, user.id);
return !!teamUser;
}
return false;
}
export async function canViewAllWebsites({ user }: Auth) {
@ -80,7 +88,17 @@ export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
const website = await loadWebsite(websiteId);
return user.id === website?.userId;
if (website.userId) {
return user.id === website.userId;
}
if (website.teamId) {
const teamUser = await getTeamUser(website.teamId, user.id);
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteUpdate);
}
return false;
}
export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
@ -90,7 +108,17 @@ export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
const website = await loadWebsite(websiteId);
return user.id === website?.userId;
if (website.userId) {
return user.id === website.userId;
}
if (website.teamId) {
const teamUser = await getTeamUser(website.teamId, user.id);
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteDelete);
}
return false;
}
export async function canViewReport(auth: Auth, report: Report) {
@ -137,7 +165,11 @@ export async function canViewTeam({ user }: Auth, teamId: string) {
return getTeamUser(teamId, user.id);
}
export async function canUpdateTeam({ user }: Auth, teamId: string) {
export async function canUpdateTeam({ user, grant }: Auth, teamId: string) {
if (cloudMode) {
return !!grant?.find(a => a === PERMISSIONS.teamUpdate);
}
if (user.isAdmin) {
return true;
}
@ -147,6 +179,14 @@ export async function canUpdateTeam({ user }: Auth, teamId: string) {
return teamUser && hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
}
export async function canAddUserToTeam({ user, grant }: Auth) {
if (cloudMode) {
return !!grant?.find(a => a === PERMISSIONS.teamUpdate);
}
return user.isAdmin;
}
export async function canDeleteTeam({ user }: Auth, teamId: string) {
if (user.isAdmin) {
return true;
@ -171,20 +211,14 @@ export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUs
return teamUser && hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
}
export async function canDeleteTeamWebsite({ user }: Auth, teamId: string, websiteId: string) {
export async function canCreateTeamWebsite({ user }: Auth, teamId: string) {
if (user.isAdmin) {
return true;
}
const teamWebsite = await getWebsiteById(websiteId);
const teamUser = await getTeamUser(teamId, user.id);
if (teamWebsite && teamWebsite.teamId === teamId) {
const teamUser = await getTeamUser(teamId, user.id);
return teamUser.role === ROLES.teamOwner || teamUser.role === ROLES.teamMember;
}
return false;
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteCreate);
}
export async function canCreateUser({ user }: Auth) {

15
src/lib/constants.ts
View File

@ -147,8 +147,19 @@ export const ROLE_PERMISSIONS = {
PERMISSIONS.teamCreate,
],
[ROLES.viewOnly]: [],
[ROLES.teamOwner]: [PERMISSIONS.teamUpdate, PERMISSIONS.teamDelete],
[ROLES.teamMember]: [],
[ROLES.teamOwner]: [
PERMISSIONS.teamUpdate,
PERMISSIONS.teamDelete,
PERMISSIONS.websiteCreate,
PERMISSIONS.websiteUpdate,
PERMISSIONS.websiteDelete,
],
[ROLES.teamMember]: [
PERMISSIONS.websiteCreate,
PERMISSIONS.websiteUpdate,
PERMISSIONS.websiteDelete,
],
[ROLES.teamGuest]: [],
} as const;
export const THEME_COLORS = {

38
src/pages/api/teams/[id]/users/[userId].ts
View File

@ -1,38 +0,0 @@
import { canDeleteTeamUser } from 'lib/auth';
import { useAuth, useValidate } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { deleteTeamUser } from 'queries';
import * as yup from 'yup';
export interface TeamUserRequestQuery {
id: string;
userId: string;
}
const schema = {
DELETE: yup.object().shape({
id: yup.string().uuid().required(),
userId: yup.string().uuid().required(),
}),
};
export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
await useAuth(req, res);
await useValidate(schema, req, res);
if (req.method === 'DELETE') {
const { id: teamId, userId } = req.query;
if (!(await canDeleteTeamUser(req.auth, teamId, userId))) {
return unauthorized(res, 'You must be the owner of this team.');
}
await deleteTeamUser(teamId, userId);
return ok(res);
}
return methodNotAllowed(res);
};

41
src/pages/api/teams/[id]/users/index.ts
View File

@ -1,21 +1,33 @@
import * as yup from 'yup';
import { canViewTeam } from 'lib/auth';
import { canAddUserToTeam, canViewTeam } from 'lib/auth';
import { useAuth, useValidate } from 'lib/middleware';
import { pageInfo } from 'lib/schema';
import { NextApiRequestQueryBody, SearchFilter } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { getUsersByTeamId } from 'queries';
import { pageInfo } from 'lib/schema';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
import { createTeamUser, getTeamUser, getUsersByTeamId } from 'queries';
import * as yup from 'yup';
export interface TeamUserRequestQuery extends SearchFilter {
id: string;
}
export interface TeamUserRequestBody {
userId: string;
role: string;
}
const schema = {
GET: yup.object().shape({
id: yup.string().uuid().required(),
...pageInfo,
}),
POST: yup.object().shape({
userId: yup.string().uuid().required(),
role: yup
.string()
.matches(/team-member|team-guest/i)
.required(),
}),
};
export default async (
@ -43,5 +55,24 @@ export default async (
return ok(res, users);
}
// admin function only
if (req.method === 'POST') {
if (!(await canAddUserToTeam(req.auth))) {
return unauthorized(res);
}
const { userId, role } = req.body;
const teamUser = await getTeamUser(teamId, userId);
if (teamUser) {
return badRequest(res, 'User is already a member of the Team.');
}
const users = await createTeamUser(userId, teamId, role);
return ok(res, users);
}
return methodNotAllowed(res);
};

41
src/pages/api/teams/[id]/websites/[websiteId].ts
View File

@ -1,41 +0,0 @@
import { canDeleteTeamWebsite } from 'lib/auth';
import { useAuth, useValidate } from 'lib/middleware';
import { NextApiRequestQueryBody } from 'lib/types';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import * as yup from 'yup';
import { deleteWebsite } from 'queries/admin/website';
export interface TeamWebsitesRequestQuery {
id: string;
websiteId: string;
}
const schema = {
DELETE: yup.object().shape({
id: yup.string().uuid().required(),
websiteId: yup.string().uuid().required(),
}),
};
export default async (
req: NextApiRequestQueryBody<TeamWebsitesRequestQuery>,
res: NextApiResponse,
) => {
await useAuth(req, res);
await useValidate(schema, req, res);
const { id: teamId, websiteId } = req.query;
if (req.method === 'DELETE') {
if (!(await canDeleteTeamWebsite(req.auth, teamId, websiteId))) {
return unauthorized(res);
}
await deleteWebsite(websiteId);
return ok(res);
}
return methodNotAllowed(res);
};

26
src/pages/api/teams/[id]/websites/index.ts
View File

@ -1,18 +1,21 @@
import * as yup from 'yup';
import { canViewTeam } from 'lib/auth';
import { canCreateTeamWebsite, canViewTeam } from 'lib/auth';
import { useAuth, useValidate } from 'lib/middleware';
import { NextApiRequestQueryBody, SearchFilter } from 'lib/types';
import { pageInfo } from 'lib/schema';
import { NextApiResponse } from 'next';
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
import { getWebsitesByTeamId } from 'queries';
import { createWebsite, getWebsitesByTeamId } from 'queries';
import { uuid } from 'lib/crypto';
export interface TeamWebsiteRequestQuery extends SearchFilter {
id: string;
}
export interface TeamWebsiteRequestBody {
websiteIds?: string[];
name: string;
domain: string;
shareId: string;
}
const schema = {
@ -21,8 +24,9 @@ const schema = {
...pageInfo,
}),
POST: yup.object().shape({
id: yup.string().uuid().required(),
websiteIds: yup.array().of(yup.string()).min(1).required(),
name: yup.string().max(100).required(),
domain: yup.string().max(500).required(),
shareId: yup.string().max(50).nullable(),
}),
};
@ -51,5 +55,17 @@ export default async (
return ok(res, websites);
}
if (req.method === 'POST') {
if (!(await canCreateTeamWebsite(req.auth, teamId))) {
return unauthorized(res);
}
const { name, domain, shareId } = req.body;
const website = await createWebsite({ id: uuid(), name, domain, shareId });
return ok(res, website);
}
return methodNotAllowed(res);
};