Fix isAdmin check. Fix Schema.

db/postgresql/schema.prisma

@@ -18,8 +18,7 @@ model User {
   groupUser GroupUser[]
   userRole  UserRole[]
   teamUser  TeamUser[]
-  Website   Website?    @relation(fields: [websiteId], references: [id])
-  websiteId String?     @db.Uuid
+  Website   Website[]
 
   @@map("user")
 }
@@ -52,8 +51,8 @@ model Website {
   createdAt DateTime? @default(now()) @map("created_at") @db.Timestamptz(6)
   isDeleted Boolean   @default(false) @map("is_deleted")
 
-  team Team[]
-  user User[]
+  team Team? @relation(fields: [teamId], references: [id])
+  user User? @relation(fields: [userId], references: [id])
 
   @@index([createdAt])
   @@index([shareId])
@@ -183,8 +182,7 @@ model Team {
 
   teamUsers TeamUser[]
   UserRole  UserRole[]
-  Website   Website?   @relation(fields: [websiteId], references: [id])
-  websiteId String?    @db.Uuid
+  Website   Website[]
 
   @@map("team")
 }

pages/api/teams/[id]/user.ts

@@ -4,8 +4,8 @@ import { UmamiApi } from 'lib/constants';
 import { uuid } from 'lib/crypto';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok, unauthorized } from 'next-basics';
-import { createTeamUser, deleteTeamUser, getUsersByTeamId } from 'queries';
+import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { createTeamUser, deleteTeamUser, getUsersByTeamId, getTeamUser } from 'queries';
 
 export interface TeamUserRequestQuery {
   id: string;
@@ -41,6 +41,13 @@ export default async (
 
     const { user_id: userId } = req.body;
 
+    // Check for TeamUser
+    const teamUser = getTeamUser({ userId, teamId });
+
+    if (!teamUser) {
+      return badRequest(res, 'The User already exists on this Team.');
+    }
+
     const updated = await createTeamUser({ id: uuid(), userId, teamId });
 
     return ok(res, updated);
@@ -50,7 +57,6 @@ export default async (
     if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
-
     const { team_user_id } = req.body;
 
     await deleteTeamUser(team_user_id);

pages/api/users/[id]/role.ts

@@ -42,7 +42,6 @@ export default async (
   if (req.method === 'POST') {
     const { roleId, teamId } = req.body;
 
-    // Check when userRolename changes
     const userRole = getUserRole({ userId: id, roleId, teamId });
 
     if (userRole) {
@@ -57,13 +56,6 @@ export default async (
   if (req.method === 'DELETE') {
     const { userRoleId } = req.body;
 
-    // Check when userRolename changes
-    const userRole = getUserRole({ id: userRoleId });
-
-    if (userRole) {
-      return badRequest(res, 'Role already exists for User.');
-    }
-
     const updated = await deleteUserRole(userRoleId);
 
     return ok(res, updated);

pages/api/websites/index.ts

@@ -5,6 +5,8 @@ import { useAuth, useCors } from 'lib/middleware';
 import { NextApiResponse } from 'next';
 import { methodNotAllowed, ok } from 'next-basics';
 import { createWebsite, getAllWebsites, getWebsitesByUserId } from 'queries';
+import { checkPermission } from 'lib/auth';
+import { UmamiApi } from 'lib/constants';
 
 export interface WebsitesRequestQuery {
   include_all?: boolean;
@@ -25,12 +27,14 @@ export default async (
   await useAuth(req, res);
 
   const {
-    user: { id: userId, isAdmin },
+    user: { id: userId },
   } = req.auth;
 
   if (req.method === 'GET') {
     const { include_all } = req.query;
 
+    const isAdmin = await checkPermission(req, UmamiApi.Permission.Admin);
+
     const websites =
       isAdmin && include_all ? await getAllWebsites() : await getWebsitesByUserId(userId);