mirror of
https://github.com/kremalicious/umami.git
synced 2024-11-23 02:10:11 +01:00
Update security for dashboard and details pages.
This commit is contained in:
parent
ecd2593063
commit
bff8806b61
@ -30,9 +30,9 @@ const views = {
|
|||||||
event: EventsTable,
|
event: EventsTable,
|
||||||
};
|
};
|
||||||
|
|
||||||
export default function WebsiteDetails({ websiteId }) {
|
export default function WebsiteDetails({ websiteId, shareId }) {
|
||||||
const router = useRouter();
|
const router = useRouter();
|
||||||
const { data } = useFetch(`/api/website/${websiteId}`);
|
const { data } = useFetch(`/api/website/${websiteId}`, { share_id: shareId });
|
||||||
const [chartLoaded, setChartLoaded] = useState(false);
|
const [chartLoaded, setChartLoaded] = useState(false);
|
||||||
const [countryData, setCountryData] = useState();
|
const [countryData, setCountryData] = useState();
|
||||||
const [eventsData, setEventsData] = useState();
|
const [eventsData, setEventsData] = useState();
|
||||||
|
@ -11,7 +11,7 @@ import styles from './WebsiteList.module.css';
|
|||||||
|
|
||||||
export default function WebsiteList({ userId }) {
|
export default function WebsiteList({ userId }) {
|
||||||
const router = useRouter();
|
const router = useRouter();
|
||||||
const { data } = useFetch('/api/websites', { userId });
|
const { data } = useFetch('/api/websites', { user_id: userId });
|
||||||
|
|
||||||
if (!data) {
|
if (!data) {
|
||||||
return null;
|
return null;
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "umami",
|
"name": "umami",
|
||||||
"version": "0.36.0",
|
"version": "0.37.0",
|
||||||
"description": "A simple, fast, website analytics alternative to Google Analytics. ",
|
"description": "A simple, fast, website analytics alternative to Google Analytics. ",
|
||||||
"author": "Mike Cao <mike@mikecao.com>",
|
"author": "Mike Cao <mike@mikecao.com>",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
import { deleteWebsite, getWebsiteById } from 'lib/queries';
|
|
||||||
import { useAuth } from 'lib/middleware';
|
|
||||||
import { methodNotAllowed, ok, unauthorized } from 'lib/response';
|
|
||||||
|
|
||||||
export default async (req, res) => {
|
|
||||||
const { id } = req.query;
|
|
||||||
const website_id = +id;
|
|
||||||
|
|
||||||
if (req.method === 'GET') {
|
|
||||||
const website = await getWebsiteById(website_id);
|
|
||||||
|
|
||||||
return ok(res, website);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (req.method === 'DELETE') {
|
|
||||||
await useAuth(req, res);
|
|
||||||
const { user_id, is_admin } = req.auth;
|
|
||||||
|
|
||||||
const website = await getWebsiteById(website_id);
|
|
||||||
|
|
||||||
if (website.user_id === user_id || is_admin) {
|
|
||||||
await deleteWebsite(website_id);
|
|
||||||
|
|
||||||
return ok(res);
|
|
||||||
}
|
|
||||||
|
|
||||||
return unauthorized(res);
|
|
||||||
}
|
|
||||||
|
|
||||||
return methodNotAllowed(res);
|
|
||||||
};
|
|
31
pages/api/website/[id]/index.js
Normal file
31
pages/api/website/[id]/index.js
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
import { deleteWebsite, getWebsiteById } from 'lib/queries';
|
||||||
|
import { useAuth } from 'lib/middleware';
|
||||||
|
import { methodNotAllowed, ok, unauthorized } from 'lib/response';
|
||||||
|
|
||||||
|
export default async (req, res) => {
|
||||||
|
await useAuth(req, res);
|
||||||
|
|
||||||
|
const { user_id, is_admin } = req.auth;
|
||||||
|
const { id, share_id } = req.query;
|
||||||
|
const websiteId = +id;
|
||||||
|
|
||||||
|
const website = await getWebsiteById(websiteId);
|
||||||
|
|
||||||
|
if (req.method === 'GET') {
|
||||||
|
if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
|
||||||
|
return ok(res, website);
|
||||||
|
}
|
||||||
|
return unauthorized(res);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (req.method === 'DELETE') {
|
||||||
|
if (is_admin || website.user_id === user_id) {
|
||||||
|
await deleteWebsite(websiteId);
|
||||||
|
|
||||||
|
return ok(res);
|
||||||
|
}
|
||||||
|
return unauthorized(res);
|
||||||
|
}
|
||||||
|
|
||||||
|
return methodNotAllowed(res);
|
||||||
|
};
|
@ -5,15 +5,15 @@ import { ok, methodNotAllowed, unauthorized } from 'lib/response';
|
|||||||
export default async (req, res) => {
|
export default async (req, res) => {
|
||||||
await useAuth(req, res);
|
await useAuth(req, res);
|
||||||
|
|
||||||
const { user_id, is_admin } = req.auth;
|
const { user_id: current_user_id, is_admin } = req.auth;
|
||||||
const { userId } = req.query;
|
const { user_id } = req.query;
|
||||||
|
|
||||||
if (req.method === 'GET') {
|
if (req.method === 'GET') {
|
||||||
if (userId && !is_admin) {
|
if (user_id && !is_admin) {
|
||||||
return unauthorized(res);
|
return unauthorized(res);
|
||||||
}
|
}
|
||||||
|
|
||||||
const websites = await getUserWebsites(+userId || user_id);
|
const websites = await getUserWebsites(+user_id || current_user_id);
|
||||||
|
|
||||||
return ok(res, websites);
|
return ok(res, websites);
|
||||||
}
|
}
|
||||||
|
@ -16,7 +16,7 @@ export default function SharePage() {
|
|||||||
|
|
||||||
return (
|
return (
|
||||||
<Layout>
|
<Layout>
|
||||||
<WebsiteDetails websiteId={data.website_id} />
|
<WebsiteDetails websiteId={data.website_id} shareId={shareId} />
|
||||||
</Layout>
|
</Layout>
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user