Update security for dashboard and details pages.

components/WebsiteDetails.js

@@ -30,9 +30,9 @@ const views = {
   event: EventsTable,
 };
 
-export default function WebsiteDetails({ websiteId }) {
+export default function WebsiteDetails({ websiteId, shareId }) {
   const router = useRouter();
-  const { data } = useFetch(`/api/website/${websiteId}`);
+  const { data } = useFetch(`/api/website/${websiteId}`, { share_id: shareId });
   const [chartLoaded, setChartLoaded] = useState(false);
   const [countryData, setCountryData] = useState();
   const [eventsData, setEventsData] = useState();

components/WebsiteList.js

@@ -11,7 +11,7 @@ import styles from './WebsiteList.module.css';
 
 export default function WebsiteList({ userId }) {
   const router = useRouter();
-  const { data } = useFetch('/api/websites', { userId });
+  const { data } = useFetch('/api/websites', { user_id: userId });
 
   if (!data) {
     return null;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "umami",
-  "version": "0.36.0",
+  "version": "0.37.0",
   "description": "A simple, fast, website analytics alternative to Google Analytics. ",
   "author": "Mike Cao <mike@mikecao.com>",
   "license": "MIT",

pages/api/website/[id].js

@@ -1,31 +0,0 @@
-import { deleteWebsite, getWebsiteById } from 'lib/queries';
-import { useAuth } from 'lib/middleware';
-import { methodNotAllowed, ok, unauthorized } from 'lib/response';
-
-export default async (req, res) => {
-  const { id } = req.query;
-  const website_id = +id;
-
-  if (req.method === 'GET') {
-    const website = await getWebsiteById(website_id);
-
-    return ok(res, website);
-  }
-
-  if (req.method === 'DELETE') {
-    await useAuth(req, res);
-    const { user_id, is_admin } = req.auth;
-
-    const website = await getWebsiteById(website_id);
-
-    if (website.user_id === user_id || is_admin) {
-      await deleteWebsite(website_id);
-
-      return ok(res);
-    }
-
-    return unauthorized(res);
-  }
-
-  return methodNotAllowed(res);
-};

pages/api/website/[id]/index.js

@@ -0,0 +1,31 @@
+import { deleteWebsite, getWebsiteById } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id, is_admin } = req.auth;
+  const { id, share_id } = req.query;
+  const websiteId = +id;
+
+  const website = await getWebsiteById(websiteId);
+
+  if (req.method === 'GET') {
+    if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
+      return ok(res, website);
+    }
+    return unauthorized(res);
+  }
+
+  if (req.method === 'DELETE') {
+    if (is_admin || website.user_id === user_id) {
+      await deleteWebsite(websiteId);
+
+      return ok(res);
+    }
+    return unauthorized(res);
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/websites.js

@@ -5,15 +5,15 @@ import { ok, methodNotAllowed, unauthorized } from 'lib/response';
 export default async (req, res) => {
   await useAuth(req, res);
 
-  const { user_id, is_admin } = req.auth;
-  const { userId } = req.query;
+  const { user_id: current_user_id, is_admin } = req.auth;
+  const { user_id } = req.query;
 
   if (req.method === 'GET') {
-    if (userId && !is_admin) {
+    if (user_id && !is_admin) {
       return unauthorized(res);
     }
 
-    const websites = await getUserWebsites(+userId || user_id);
+    const websites = await getUserWebsites(+user_id || current_user_id);
 
     return ok(res, websites);
   }

pages/share/[...id].js

@@ -16,7 +16,7 @@ export default function SharePage() {
 
   return (
     <Layout>
-      <WebsiteDetails websiteId={data.website_id} />
+      <WebsiteDetails websiteId={data.website_id} shareId={shareId} />
     </Layout>
   );
 }