Feat/um 114 roles and permissions (#1683)
* Auth checkpoint. * Merge branch 'dev' into feat/um-114-roles-and-permissions
This commit is contained in:
Brian Cao
@@ -1,7 +1,6 @@
|
||||
import { Team } from '@prisma/client';
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canDeleteTeam, canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
@@ -21,12 +20,16 @@ export default async (
|
||||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const user = await getTeam({ id: teamId });
|
||||
|
||||
return ok(res, user);
|
||||
@@ -35,7 +38,7 @@ export default async (
|
||||
if (req.method === 'POST') {
|
||||
const { name } = req.body;
|
||||
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
@@ -45,7 +48,7 @@ export default async (
|
||||
}
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canDeleteTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canUpdateTeam, canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
@@ -22,10 +21,13 @@ export default async (
|
||||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
@@ -35,7 +37,7 @@ export default async (
|
||||
}
|
||||
|
||||
if (req.method === 'POST') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
|
||||
@@ -54,7 +56,7 @@ export default async (
|
||||
}
|
||||
|
||||
if (req.method === 'DELETE') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.TeamOwner))) {
|
||||
if (await canUpdateTeam(userId, teamId)) {
|
||||
return unauthorized(res, 'You must be the owner of this team.');
|
||||
}
|
||||
const { team_user_id } = req.body;
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { allowQuery } from 'lib/auth';
|
||||
import { UmamiApi } from 'lib/constants';
|
||||
import { canViewTeam } from 'lib/auth';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
@@ -21,10 +20,13 @@ export default async (
|
||||
) => {
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
const { id: teamId } = req.query;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
if (!(await allowQuery(req, UmamiApi.AuthType.Team))) {
|
||||
if (await canViewTeam(userId, teamId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
|
||||
@@ -1,9 +1,10 @@
|
||||
import { Team } from '@prisma/client';
|
||||
import { NextApiRequestQueryBody } from 'interface/api/nextApi';
|
||||
import { canCreateTeam } from 'lib/auth';
|
||||
import { uuid } from 'lib/crypto';
|
||||
import { useAuth } from 'lib/middleware';
|
||||
import { NextApiResponse } from 'next';
|
||||
import { badRequest, methodNotAllowed, ok } from 'next-basics';
|
||||
import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
|
||||
import { createTeam, getTeam, getTeamsByUserId } from 'queries';
|
||||
export interface TeamsRequestBody {
|
||||
name: string;
|
||||
@@ -17,16 +18,20 @@ export default async (
|
||||
await useAuth(req, res);
|
||||
|
||||
const {
|
||||
user: { id },
|
||||
user: { id: userId },
|
||||
} = req.auth;
|
||||
|
||||
if (req.method === 'GET') {
|
||||
const teams = await getTeamsByUserId(id);
|
||||
const teams = await getTeamsByUserId(userId);
|
||||
|
||||
return ok(res, teams);
|
||||
}
|
||||
|
||||
if (req.method === 'POST') {
|
||||
if (await canCreateTeam(userId)) {
|
||||
return unauthorized(res);
|
||||
}
|
||||
|
||||
const { name } = req.body;
|
||||
|
||||
const team = await getTeam({ name });
|
||||
@@ -36,7 +41,7 @@ export default async (
|
||||
}
|
||||
|
||||
const created = await createTeam({
|
||||
id: id || uuid(),
|
||||
id: uuid(),
|
||||
name,
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user