mirror of
https://github.com/kremalicious/umami.git
synced 2025-02-01 12:29:35 +01:00
Update api for new teams.
This commit is contained in:
parent
f319ce7915
commit
80883b5ff1
@ -1,13 +1,13 @@
|
||||
import { Report } from '@prisma/client';
|
||||
import debug from 'debug';
|
||||
import redis from '@umami/redis-client';
|
||||
import { PERMISSIONS, ROLE_PERMISSIONS, ROLES, SHARE_TOKEN_HEADER } from 'lib/constants';
|
||||
import debug from 'debug';
|
||||
import { PERMISSIONS, ROLE_PERMISSIONS, SHARE_TOKEN_HEADER } from 'lib/constants';
|
||||
import { secret } from 'lib/crypto';
|
||||
import { NextApiRequest } from 'next';
|
||||
import { createSecureToken, ensureArray, getRandomChars, parseToken } from 'next-basics';
|
||||
import { getTeamUser, getWebsiteById } from 'queries';
|
||||
import { getTeamUser } from 'queries';
|
||||
import { loadWebsite } from './load';
|
||||
import { Auth } from './types';
|
||||
import { NextApiRequest } from 'next';
|
||||
|
||||
const log = debug('umami:auth');
|
||||
const cloudMode = process.env.CLOUD_MODE;
|
||||
@ -52,9 +52,17 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
|
||||
|
||||
const website = await loadWebsite(websiteId);
|
||||
|
||||
if (user.id === website?.userId) {
|
||||
return true;
|
||||
if (website.userId) {
|
||||
return user.id === website.userId;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser(website.teamId, user.id);
|
||||
|
||||
return !!teamUser;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
export async function canViewAllWebsites({ user }: Auth) {
|
||||
@ -80,7 +88,17 @@ export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
|
||||
|
||||
const website = await loadWebsite(websiteId);
|
||||
|
||||
return user.id === website?.userId;
|
||||
if (website.userId) {
|
||||
return user.id === website.userId;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser(website.teamId, user.id);
|
||||
|
||||
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteUpdate);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
|
||||
@ -90,7 +108,17 @@ export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
|
||||
|
||||
const website = await loadWebsite(websiteId);
|
||||
|
||||
return user.id === website?.userId;
|
||||
if (website.userId) {
|
||||
return user.id === website.userId;
|
||||
}
|
||||
|
||||
if (website.teamId) {
|
||||
const teamUser = await getTeamUser(website.teamId, user.id);
|
||||
|
||||
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteDelete);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
export async function canViewReport(auth: Auth, report: Report) {
|
||||
@ -137,7 +165,11 @@ export async function canViewTeam({ user }: Auth, teamId: string) {
|
||||
return getTeamUser(teamId, user.id);
|
||||
}
|
||||
|
||||
export async function canUpdateTeam({ user }: Auth, teamId: string) {
|
||||
export async function canUpdateTeam({ user, grant }: Auth, teamId: string) {
|
||||
if (cloudMode) {
|
||||
return !!grant?.find(a => a === PERMISSIONS.teamUpdate);
|
||||
}
|
||||
|
||||
if (user.isAdmin) {
|
||||
return true;
|
||||
}
|
||||
@ -147,6 +179,14 @@ export async function canUpdateTeam({ user }: Auth, teamId: string) {
|
||||
return teamUser && hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
|
||||
}
|
||||
|
||||
export async function canAddUserToTeam({ user, grant }: Auth) {
|
||||
if (cloudMode) {
|
||||
return !!grant?.find(a => a === PERMISSIONS.teamUpdate);
|
||||
}
|
||||
|
||||
return user.isAdmin;
|
||||
}
|
||||
|
||||
export async function canDeleteTeam({ user }: Auth, teamId: string) {
|
||||
if (user.isAdmin) {
|
||||
return true;
|
||||
@ -171,20 +211,14 @@ export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUs
|
||||
return teamUser && hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
|
||||
}
|
||||
|
||||
export async function canDeleteTeamWebsite({ user }: Auth, teamId: string, websiteId: string) {
|
||||
export async function canCreateTeamWebsite({ user }: Auth, teamId: string) {
|
||||
if (user.isAdmin) {
|
||||
return true;
|
||||
}
|
||||
|
||||
const teamWebsite = await getWebsiteById(websiteId);
|
||||
const teamUser = await getTeamUser(teamId, user.id);
|
||||
|
||||
if (teamWebsite && teamWebsite.teamId === teamId) {
|
||||
const teamUser = await getTeamUser(teamId, user.id);
|
||||
|
||||
return teamUser.role === ROLES.teamOwner || teamUser.role === ROLES.teamMember;
|
||||
}
|
||||
|
||||
return false;
|
||||
return teamUser && hasPermission(teamUser.role, PERMISSIONS.websiteCreate);
|
||||
}
|
||||
|
||||
export async function canCreateUser({ user }: Auth) {
|
||||
|
@ -147,8 +147,19 @@ export const ROLE_PERMISSIONS = {
|
||||
PERMISSIONS.teamCreate,
|
||||
],
|
||||
[ROLES.viewOnly]: [],
|
||||
[ROLES.teamOwner]: [PERMISSIONS.teamUpdate, PERMISSIONS.teamDelete],
|
||||
[ROLES.teamMember]: [],
|
||||
[ROLES.teamOwner]: [
|
||||
PERMISSIONS.teamUpdate,
|
||||
PERMISSIONS.teamDelete,
|
||||
PERMISSIONS.websiteCreate,
|
||||
PERMISSIONS.websiteUpdate,
|
||||
PERMISSIONS.websiteDelete,
|
||||
],
|
||||
[ROLES.teamMember]: [
|
||||
PERMISSIONS.websiteCreate,
|
||||
PERMISSIONS.websiteUpdate,
|
||||
PERMISSIONS.websiteDelete,
|
||||
],
|
||||
[ROLES.teamGuest]: [],
|
||||
} as const;
|
||||
|
||||
export const THEME_COLORS = {
|
||||
|
@ -1,38 +0,0 @@
|
||||
import { canDeleteTeamUser } from 'lib/auth';
|
||||
import { useAuth, useValidate } from 'lib/middleware';
|
||||
import { NextApiRequestQueryBody } from 'lib/types';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { deleteTeamUser } from 'queries';
|
||||
import * as yup from 'yup';
|
||||
|
||||
export interface TeamUserRequestQuery {
|
||||
id: string;
|
||||
userId: string;
|
||||
}
|
||||
|
||||
const schema = {
|
||||
DELETE: yup.object().shape({
|
||||
id: yup.string().uuid().required(),
|
||||
userId: yup.string().uuid().required(),
|
||||
}),
|
||||
};
|
||||
|
||||
export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
|
||||
await useAuth(req, res);
|
||||
await useValidate(schema, req, res);
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
const { id: teamId, userId } = req.query;
|
||||
|
||||
if (!(await canDeleteTeamUser(req.auth, teamId, userId))) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
await deleteTeamUser(teamId, userId);
|
||||
|
||||
return ok(res);
|
||||
}
|
||||
|
||||
return methodNotAllowed(res);
|
||||
};
|
@ -1,21 +1,33 @@
|
||||
import * as yup from 'yup';
|
||||
import { canViewTeam } from 'lib/auth';
|
||||
import { canAddUserToTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth, useValidate } from 'lib/middleware';
|
||||
import { pageInfo } from 'lib/schema';
|
||||
import { NextApiRequestQueryBody, SearchFilter } from 'lib/types';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { getUsersByTeamId } from 'queries';
|
||||
import { pageInfo } from 'lib/schema';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { createTeamUser, getTeamUser, getUsersByTeamId } from 'queries';
|
||||
import * as yup from 'yup';
|
||||
|
||||
export interface TeamUserRequestQuery extends SearchFilter {
|
||||
id: string;
|
||||
}
|
||||
|
||||
export interface TeamUserRequestBody {
|
||||
userId: string;
|
||||
role: string;
|
||||
}
|
||||
|
||||
const schema = {
|
||||
GET: yup.object().shape({
|
||||
id: yup.string().uuid().required(),
|
||||
...pageInfo,
|
||||
}),
|
||||
POST: yup.object().shape({
|
||||
userId: yup.string().uuid().required(),
|
||||
role: yup
|
||||
.string()
|
||||
.matches(/team-member|team-guest/i)
|
||||
.required(),
|
||||
}),
|
||||
};
|
||||
|
||||
export default async (
|
||||
@ -43,5 +55,24 @@ export default async (
|
||||
return ok(res, users);
|
||||
}
|
||||
|
||||
// admin function only
|
||||
if (req.method === 'POST') {
|
||||
if (!(await canAddUserToTeam(req.auth))) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const { userId, role } = req.body;
|
||||
|
||||
const teamUser = await getTeamUser(teamId, userId);
|
||||
|
||||
if (teamUser) {
|
||||
return badRequest(res, 'User is already a member of the Team.');
|
||||
}
|
||||
|
||||
const users = await createTeamUser(userId, teamId, role);
|
||||
|
||||
return ok(res, users);
|
||||
}
|
||||
|
||||
return methodNotAllowed(res);
|
||||
};
|
||||
|
@ -1,41 +0,0 @@
|
||||
import { canDeleteTeamWebsite } from 'lib/auth';
|
||||
import { useAuth, useValidate } from 'lib/middleware';
|
||||
import { NextApiRequestQueryBody } from 'lib/types';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import * as yup from 'yup';
|
||||
import { deleteWebsite } from 'queries/admin/website';
|
||||
|
||||
export interface TeamWebsitesRequestQuery {
|
||||
id: string;
|
||||
websiteId: string;
|
||||
}
|
||||
|
||||
const schema = {
|
||||
DELETE: yup.object().shape({
|
||||
id: yup.string().uuid().required(),
|
||||
websiteId: yup.string().uuid().required(),
|
||||
}),
|
||||
};
|
||||
|
||||
export default async (
|
||||
req: NextApiRequestQueryBody<TeamWebsitesRequestQuery>,
|
||||
res: NextApiResponse,
|
||||
) => {
|
||||
await useAuth(req, res);
|
||||
await useValidate(schema, req, res);
|
||||
|
||||
const { id: teamId, websiteId } = req.query;
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await canDeleteTeamWebsite(req.auth, teamId, websiteId))) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
await deleteWebsite(websiteId);
|
||||
|
||||
return ok(res);
|
||||
}
|
||||
|
||||
return methodNotAllowed(res);
|
||||
};
|
@ -1,18 +1,21 @@
|
||||
import * as yup from 'yup';
|
||||
import { canViewTeam } from 'lib/auth';
|
||||
import { canCreateTeamWebsite, canViewTeam } from 'lib/auth';
|
||||
import { useAuth, useValidate } from 'lib/middleware';
|
||||
import { NextApiRequestQueryBody, SearchFilter } from 'lib/types';
|
||||
import { pageInfo } from 'lib/schema';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { getWebsitesByTeamId } from 'queries';
|
||||
import { createWebsite, getWebsitesByTeamId } from 'queries';
|
||||
import { uuid } from 'lib/crypto';
|
||||
|
||||
export interface TeamWebsiteRequestQuery extends SearchFilter {
|
||||
id: string;
|
||||
}
|
||||
|
||||
export interface TeamWebsiteRequestBody {
|
||||
websiteIds?: string[];
|
||||
name: string;
|
||||
domain: string;
|
||||
shareId: string;
|
||||
}
|
||||
|
||||
const schema = {
|
||||
@ -21,8 +24,9 @@ const schema = {
|
||||
...pageInfo,
|
||||
}),
|
||||
POST: yup.object().shape({
|
||||
id: yup.string().uuid().required(),
|
||||
websiteIds: yup.array().of(yup.string()).min(1).required(),
|
||||
name: yup.string().max(100).required(),
|
||||
domain: yup.string().max(500).required(),
|
||||
shareId: yup.string().max(50).nullable(),
|
||||
}),
|
||||
};
|
||||
|
||||
@ -51,5 +55,17 @@ export default async (
|
||||
return ok(res, websites);
|
||||
}
|
||||
|
||||
if (req.method === 'POST') {
|
||||
if (!(await canCreateTeamWebsite(req.auth, teamId))) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const { name, domain, shareId } = req.body;
|
||||
|
||||
const website = await createWebsite({ id: uuid(), name, domain, shareId });
|
||||
|
||||
return ok(res, website);
|
||||
}
|
||||
|
||||
return methodNotAllowed(res);
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user