From bff8806b6190e8fb21ad17700b3a4146905f7442 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Thu, 17 Sep 2020 11:40:04 -0700
Subject: [PATCH] Update security for dashboard and details pages.
---
 components/WebsiteDetails.js | 4 ++--
 components/WebsiteList.js | 2 +-
 package.json | 2 +-
 pages/api/website/[id].js | 31 -------------------------------
 pages/api/website/[id]/index.js | 31 +++++++++++++++++++++++++++++++
 pages/api/websites.js | 8 ++++----
 pages/share/[...id].js | 2 +-
 7 files changed, 40 insertions(+), 40 deletions(-)
 delete mode 100644 pages/api/website/[id].js
 create mode 100644 pages/api/website/[id]/index.js
diff --git a/components/WebsiteDetails.js b/components/WebsiteDetails.js
index df8302e0..520c339f 100644
--- a/components/WebsiteDetails.js
+++ b/components/WebsiteDetails.js
@@ -30,9 +30,9 @@ const views = {
 event: EventsTable,
 };
 
-export default function WebsiteDetails({ websiteId }) {
+export default function WebsiteDetails({ websiteId, shareId }) {
 const router = useRouter();
- const { data } = useFetch(`/api/website/${websiteId}`);
+ const { data } = useFetch(`/api/website/${websiteId}`, { share_id: shareId });
 const [chartLoaded, setChartLoaded] = useState(false);
 const [countryData, setCountryData] = useState();
 const [eventsData, setEventsData] = useState();
diff --git a/components/WebsiteList.js b/components/WebsiteList.js
index e66fde58..b1819748 100644
--- a/components/WebsiteList.js
+++ b/components/WebsiteList.js
@@ -11,7 +11,7 @@ import styles from './WebsiteList.module.css';
 
 export default function WebsiteList({ userId }) {
 const router = useRouter();
- const { data } = useFetch('/api/websites', { userId });
+ const { data } = useFetch('/api/websites', { user_id: userId });
 
 if (!data) {
 return null;
diff --git a/package.json b/package.json
index 65726297..15de064c 100644
--- a/package.json
+++ b/package.json
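Review bot: `shareId` is now a second, undocumented prop of WebsiteDetails, and it is forwarded to the API unconditionally as `{ share_id: shareId }` even when the component is rendered from the authenticated dashboard with no share token; whether an undefined value then shows up in the query string as the literal text undefined depends on how `useFetch` serialises its params, which is not visible in this hunk. If it does, the API ends up comparing `website.share_id` against the string "undefined", which is harmless but makes request logs misleading, so consider passing `shareId ? { share_id: shareId } : undefined` as the second argument instead. A JSDoc line above the export would also help: `/** @param {string} [shareId] - share token forwarded to the API so anonymous share-page viewers can pass its ownership check */`. The component body continues beyond the hunk.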
@@ -1,6 +1,6 @@
 {
 "name": "umami",
- "version": "0.36.0",
+ "version": "0.37.0",
 "description": "A simple, fast, website analytics alternative to Google Analytics. ",
 "author": "Mike Cao ",
 "license": "MIT",
diff --git a/pages/api/website/[id].js b/pages/api/website/[id].js
deleted file mode 100644
index 40e9995f..00000000
--- a/pages/api/website/[id].js
+++ /dev/null
@@ -1,31 +0,0 @@
-import { deleteWebsite, getWebsiteById } from 'lib/queries';
-import { useAuth } from 'lib/middleware';
-import { methodNotAllowed, ok, unauthorized } from 'lib/response';
-
-export default async (req, res) => {
- const { id } = req.query;
- const website_id = +id;
-
- if (req.method === 'GET') {
- const website = await getWebsiteById(website_id);
-
- return ok(res, website);
- }
-
- if (req.method === 'DELETE') {
- await useAuth(req, res);
- const { user_id, is_admin } = req.auth;
-
- const website = await getWebsiteById(website_id);
-
- if (website.user_id === user_id || is_admin) {
- await deleteWebsite(website_id);
-
- return ok(res);
- }
-
- return unauthorized(res);
- }
-
- return methodNotAllowed(res);
-};
diff --git a/pages/api/website/[id]/index.js b/pages/api/website/[id]/index.js
new file mode 100644
index 00000000..efbcb2d5
--- /dev/null
+++ b/pages/api/website/[id]/index.js
@@ -0,0 +1,31 @@
+import { deleteWebsite, getWebsiteById } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+
+export default async (req, res) => {
+ await useAuth(req, res);
+
+ const { user_id, is_admin } = req.auth;
+ const { id, share_id } = req.query;
+ const websiteId = +id;
+
+ const website = await getWebsiteById(websiteId);
+
+ if (req.method === 'GET') {
+ if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
+ return ok(res, website);
+ }
+ return unauthorized(res);
+ }
+
+ if (req.method === 'DELETE') {
+ if (is_admin || website.user_id === user_id) {
+ await deleteWebsite(websiteId);
+
+ return ok(res);
+ }
+ return unauthorized(res);
+ }
+
+ return methodNotAllowed(res);
+};
diff --git a/pages/api/websites.js b/pages/api/websites.js
index b4633950..894226be 100644
--- a/pages/api/websites.js
+++ b/pages/api/websites.js
@@ -5,15 +5,15 @@ import { ok, methodNotAllowed, unauthorized } from 'lib/response';
 
 export default async (req, res) => {
 await useAuth(req, res);
- const { user_id, is_admin } = req.auth;
- const { userId } = req.query;
+ const { user_id: current_user_id, is_admin } = req.auth;
+ const { user_id } = req.query;
 
 if (req.method === 'GET') {
- if (userId && !is_admin) {
+ if (user_id && !is_admin) {
 return unauthorized(res);
 }
 
- const websites = await getUserWebsites(+userId || user_id);
+ const websites = await getUserWebsites(+user_id || current_user_id);
 
 return ok(res, websites);
 }
diff --git a/pages/share/[...id].js b/pages/share/[...id].js
index 1e0897a9..81e57c92 100644
--- a/pages/share/[...id].js
+++ b/pages/share/[...id].js
@@ -16,7 +16,7 @@ export default function SharePage() { return ( - + ); }
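Review bot: `getWebsiteById(websiteId)` can come back empty for an unknown id (and `+id` is NaN for a non-numeric path segment), yet both the GET and DELETE branches dereference `website.user_id` before any check, so a request for a nonexistent id dies with an uncaught TypeError instead of a clean rejection; add `if (!website) { return unauthorized(res); }` directly after the lookup so an unknown id is indistinguishable from someone else's. Separately, the share-token branch `share_id && website.share_id === share_id` sits behind an unconditional `await useAuth(req, res)` and a destructure of `req.auth`; if `useAuth` rejects requests that carry no valid token (its behaviour is not visible here), anonymous viewers of a share page can never reach that branch, so the share path should be confirmed end to end with an unauthenticated client. A one-line comment above the GET check explaining that `share_id` is the capability that lets a non-owner read a website would also make the three-way condition easier to audit later.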
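Review bot: `+user_id || current_user_id` silently falls back to the caller's own list whenever the admin-supplied `user_id` is non-numeric (NaN) or `0`, so a malformed id in the URL returns the wrong account's websites with a 200 rather than an error; prefer an explicit parse such as `const requested = user_id ? Number.parseInt(user_id, 10) : current_user_id;` and return `unauthorized(res)` (or a 400 helper if lib/response has one) when `Number.isInteger(requested)` is false, before calling `getUserWebsites(requested)`. The gate `if (user_id && !is_admin)` operates on the raw query string, which is fine, but it also rejects a non-admin who passes their own id; if that is intentional, a short comment saying so would save the next reader from wondering. The rest of the handler lies outside the hunk.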