Fix share URL permissions. (#1745)

* Fix share URL permissions.

* Add sql param logic.

* Add permissions to edit website.

* Update permissions.

* Move parameters to param injection.

* Sanitize eventdata.

* Remove caret.

* Fix avg.

lib/auth.js

@@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
   return false;
 }
 
-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
   const { id } = req.query;
 
   const { userId, isAdmin, shareToken } = req.auth ?? {};
@@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
     return true;
   }
 
-  if (shareToken) {
+  if (allowShareToken && shareToken) {
     return isValidToken(shareToken, { id });
   }