Update security for dashboard and details pages.

This commit is contained in:
Mike Cao 2020-09-17 11:40:04 -07:00
parent ecd2593063
commit bff8806b61
7 changed files with 40 additions and 40 deletions

View File

@ -30,9 +30,9 @@ const views = {
event: EventsTable,
};
export default function WebsiteDetails({ websiteId }) {
export default function WebsiteDetails({ websiteId, shareId }) {
const router = useRouter();
const { data } = useFetch(`/api/website/${websiteId}`);
const { data } = useFetch(`/api/website/${websiteId}`, { share_id: shareId });
const [chartLoaded, setChartLoaded] = useState(false);
const [countryData, setCountryData] = useState();
const [eventsData, setEventsData] = useState();

View File

@ -11,7 +11,7 @@ import styles from './WebsiteList.module.css';
export default function WebsiteList({ userId }) {
const router = useRouter();
const { data } = useFetch('/api/websites', { userId });
const { data } = useFetch('/api/websites', { user_id: userId });
if (!data) {
return null;

View File

@ -1,6 +1,6 @@
{
"name": "umami",
"version": "0.36.0",
"version": "0.37.0",
"description": "A simple, fast, website analytics alternative to Google Analytics. ",
"author": "Mike Cao <mike@mikecao.com>",
"license": "MIT",

View File

@ -1,31 +0,0 @@
import { deleteWebsite, getWebsiteById } from 'lib/queries';
import { useAuth } from 'lib/middleware';
import { methodNotAllowed, ok, unauthorized } from 'lib/response';
export default async (req, res) => {
const { id } = req.query;
const website_id = +id;
if (req.method === 'GET') {
const website = await getWebsiteById(website_id);
return ok(res, website);
}
if (req.method === 'DELETE') {
await useAuth(req, res);
const { user_id, is_admin } = req.auth;
const website = await getWebsiteById(website_id);
if (website.user_id === user_id || is_admin) {
await deleteWebsite(website_id);
return ok(res);
}
return unauthorized(res);
}
return methodNotAllowed(res);
};

View File

@ -0,0 +1,31 @@
import { deleteWebsite, getWebsiteById } from 'lib/queries';
import { useAuth } from 'lib/middleware';
import { methodNotAllowed, ok, unauthorized } from 'lib/response';
export default async (req, res) => {
await useAuth(req, res);
const { user_id, is_admin } = req.auth;
const { id, share_id } = req.query;
const websiteId = +id;
const website = await getWebsiteById(websiteId);
if (req.method === 'GET') {
if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
return ok(res, website);
}
return unauthorized(res);
}
if (req.method === 'DELETE') {
if (is_admin || website.user_id === user_id) {
await deleteWebsite(websiteId);
return ok(res);
}
return unauthorized(res);
}
return methodNotAllowed(res);
};

View File

@ -5,15 +5,15 @@ import { ok, methodNotAllowed, unauthorized } from 'lib/response';
export default async (req, res) => {
await useAuth(req, res);
const { user_id, is_admin } = req.auth;
const { userId } = req.query;
const { user_id: current_user_id, is_admin } = req.auth;
const { user_id } = req.query;
if (req.method === 'GET') {
if (userId && !is_admin) {
if (user_id && !is_admin) {
return unauthorized(res);
}
const websites = await getUserWebsites(+userId || user_id);
const websites = await getUserWebsites(+user_id || current_user_id);
return ok(res, websites);
}

View File

@ -16,7 +16,7 @@ export default function SharePage() {
return (
<Layout>
<WebsiteDetails websiteId={data.website_id} />
<WebsiteDetails websiteId={data.website_id} shareId={shareId} />
</Layout>
);
}