Fix share URL permissions. (#1745)

* Fix share URL permissions. * Add sql param logic. * Add permissions to edit website. * Update permissions. * Move parameters to param injection. * Sanitize eventdata. * Remove caret. * Fix avg.
2023-01-18 15:09:49 -08:00
parent 558ce268a0
commit 922c3acab3
16 changed files with 139 additions and 79 deletions
--- a/pages/api/accounts/[id]/password.js
+++ b/pages/api/accounts/[id]/password.js
@@ -17,7 +17,7 @@ export default async (req, res) => {
  const { current_password, new_password } = req.body;
  const { id: accountUuid } = req.query;

-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
    return unauthorized(res);
  }

--- a/pages/api/realtime/init.js
+++ b/pages/api/realtime/init.js
@@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@@ -10,6 +10,10 @@ export default async (req, res) => {
  if (req.method === 'GET') {
    const { userId } = req.auth;

+    if (!userId) {
+      return unauthorized(res);
+    }
+
    const websites = await getUserWebsites({ userId });
    const ids = websites.map(({ websiteUuid }) => websiteUuid);
    const token = createToken({ websites: ids }, secret());
--- a/pages/api/websites/[id]/index.js
+++ b/pages/api/websites/[id]/index.js
@@ -10,17 +10,21 @@ export default async (req, res) => {

  const { id: websiteUuid } = req.query;

-  if (!(await allowQuery(req, TYPE_WEBSITE))) {
-    return unauthorized(res);
-  }
-
  if (req.method === 'GET') {
+    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+      return unauthorized(res);
+    }
+
    const website = await getWebsite({ websiteUuid });

    return ok(res, website);
  }

  if (req.method === 'POST') {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
+      return unauthorized(res);
+    }
+
    const { name, domain, owner, enableShareUrl, shareId } = req.body;
    const { accountUuid } = req.auth;

@@ -58,7 +62,7 @@ export default async (req, res) => {
  }

  if (req.method === 'DELETE') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
      return unauthorized(res);
    }

--- a/pages/api/websites/[id]/reset.js
+++ b/pages/api/websites/[id]/reset.js
@@ -11,7 +11,7 @@ export default async (req, res) => {
  const { id: websiteId } = req.query;

  if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
      return unauthorized(res);
    }

--- a/pages/api/websites/index.js
+++ b/pages/api/websites/index.js
@@ -7,6 +7,7 @@ export default async (req, res) => {
  await useAuth(req, res);

  const { user_id, include_all } = req.query;
+
  const { userId: currentUserId, isAdmin } = req.auth;
  const accountUuid = user_id || req.auth.accountUuid;
  let account;
@@ -18,7 +19,7 @@ export default async (req, res) => {
  const userId = account ? account.id : user_id;

  if (req.method === 'GET') {
-    if (userId && userId !== currentUserId && !isAdmin) {
+    if (!userId || (userId !== currentUserId && !isAdmin)) {
      return unauthorized(res);
    }