Add admin check. (umami-software#1716)

* Add admin check.

* Fix teamId check.

lib/auth.ts

@@ -1,9 +1,10 @@
-import { parseSecureToken, parseToken, ensureArray } from 'next-basics';
 import debug from 'debug';
 import cache from 'lib/cache';
-import { SHARE_TOKEN_HEADER, PERMISSIONS, ROLE_PERMISSIONS } from 'lib/constants';
+import { PERMISSIONS, ROLE_PERMISSIONS, SHARE_TOKEN_HEADER } from 'lib/constants';
 import { secret } from 'lib/crypto';
+import { ensureArray, parseSecureToken, parseToken } from 'next-basics';
 import { getTeamUser } from 'queries';
+import { Auth } from './types';
 
 const log = debug('umami:auth');
 
@@ -48,45 +49,71 @@ export function isValidToken(token, validation) {
   return false;
 }
 
-export async function canViewWebsite(userId: string, websiteId: string) {
+export async function canViewWebsite({ user }: Auth, websiteId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
   const website = await cache.fetchWebsite(websiteId);
 
   if (website.userId) {
-    return userId === website.userId;
+    return user.id === website.userId;
   }
 
   if (website.teamId) {
-    return getTeamUser(website.teamId, userId);
+    return getTeamUser(website.teamId, user.id);
   }
 
   return false;
 }
 
-export async function canUpdateWebsite(userId: string, websiteId: string) {
+export async function canCreateWebsite({ user }: Auth, teamId?: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  if (teamId) {
+    const teamUser = await getTeamUser(teamId, user.id);
+
+    return hasPermission(teamUser.role, PERMISSIONS.websiteCreate);
+  }
+
+  return hasPermission(user.role, PERMISSIONS.websiteCreate);
+}
+
+export async function canUpdateWebsite({ user }: Auth, websiteId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
   const website = await cache.fetchWebsite(websiteId);
 
   if (website.userId) {
-    return userId === website.userId;
+    return user.id === website.userId;
   }
 
   if (website.teamId) {
-    const teamUser = await getTeamUser(website.teamId, userId);
+    const teamUser = await getTeamUser(website.teamId, user.id);
 
     return hasPermission(teamUser.role, PERMISSIONS.websiteUpdate);
   }
 
   return false;
 }
 
-export async function canDeleteWebsite(userId: string, websiteId: string) {
+export async function canDeleteWebsite({ user }: Auth, websiteId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
   const website = await cache.fetchWebsite(websiteId);
 
   if (website.userId) {
-    return userId === website.userId;
+    return user.id === website.userId;
   }
 
   if (website.teamId) {
-    const teamUser = await getTeamUser(website.teamId, userId);
+    const teamUser = await getTeamUser(website.teamId, user.id);
 
     return hasPermission(teamUser.role, PERMISSIONS.websiteDelete);
   }
@@ -95,33 +122,69 @@ export async function canDeleteWebsite(userId: string, websiteId: string) {
 }
 
 // To-do: Implement when payments are setup.
-export async function canCreateTeam(userId: string) {
-  return !!userId;
+export async function canCreateTeam({ user }: Auth) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  return !!user;
 }
 
 // To-do: Implement when payments are setup.
-export async function canViewTeam(userId: string, teamId) {
-  return getTeamUser(teamId, userId);
+export async function canViewTeam({ user }: Auth, teamId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  return getTeamUser(teamId, user.id);
 }
 
-export async function canUpdateTeam(userId: string, teamId: string) {
-  const teamUser = await getTeamUser(teamId, userId);
+export async function canUpdateTeam({ user }: Auth, teamId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  const teamUser = await getTeamUser(teamId, user.id);
 
   return hasPermission(teamUser.role, PERMISSIONS.teamUpdate);
 }
 
-export async function canDeleteTeam(userId: string, teamId: string) {
-  const teamUser = await getTeamUser(teamId, userId);
+export async function canDeleteTeam({ user }: Auth, teamId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  const teamUser = await getTeamUser(teamId, user.id);
 
   return hasPermission(teamUser.role, PERMISSIONS.teamDelete);
 }
 
-export async function canViewUser(userId: string, viewedUserId: string) {
-  return userId === viewedUserId;
+export async function canCreateUser({ user }: Auth) {
+  return user.isAdmin;
+}
+
+export async function canViewUser({ user }: Auth, viewedUserId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  return user.id === viewedUserId;
+}
+
+export async function canViewUsers({ user }: Auth) {
+  return user.isAdmin;
+}
+
+export async function canUpdateUser({ user }: Auth, viewedUserId: string) {
+  if (user.isAdmin) {
+    return true;
+  }
+
+  return user.id === viewedUserId;
 }
 
-export async function canUpdateUser(userId: string, viewedUserId: string) {
-  return userId === viewedUserId;
+export async function canDeleteUser({ user }: Auth) {
+  return user.isAdmin;
 }
 
 export async function hasPermission(role: string, permission: string | string[]) {

lib/constants.ts

@@ -25,7 +25,7 @@ export const REALTIME_INTERVAL = 3000;
 export const EVENT_TYPE = {
   pageView: 1,
   customEvent: 2,
-};
+} as const;
 
 export const ROLES = {
   admin: 'admin',
@@ -43,7 +43,7 @@ export const PERMISSIONS = {
   teamCreate: 'team:create',
   teamUpdate: 'team:update',
   teamDelete: 'team:delete',
-};
+} as const;
 
 export const ROLE_PERMISSIONS = {
   [ROLES.admin]: [PERMISSIONS.all],
@@ -66,7 +66,7 @@ export const ROLE_PERMISSIONS = {
     PERMISSIONS.websiteDelete,
   ],
   [ROLES.teamGuest]: [],
-};
+} as const;
 
 export const THEME_COLORS = {
   light: {

pages/api/teams/[id]/index.ts

@@ -20,13 +20,10 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { id: userId },
-  } = req.auth;
   const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
-    if (!(await canViewTeam(userId, teamId))) {
+    if (!(await canViewTeam(req.auth, teamId))) {
       return unauthorized(res);
     }
 
@@ -38,7 +35,7 @@ export default async (
   if (req.method === 'POST') {
     const { name } = req.body;
 
-    if (!(await canUpdateTeam(userId, teamId))) {
+    if (!(await canUpdateTeam(req.auth, teamId))) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
 
@@ -48,7 +45,7 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (!(await canDeleteTeam(userId, teamId))) {
+    if (!(await canDeleteTeam(req.auth, teamId))) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
 

pages/api/teams/[id]/users.ts

@@ -21,13 +21,10 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { id: userId },
-  } = req.auth;
   const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
-    if (!(await canViewTeam(userId, teamId))) {
+    if (!(await canViewTeam(req.auth, teamId))) {
       return unauthorized(res);
     }
 
@@ -37,7 +34,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (!(await canUpdateTeam(userId, teamId))) {
+    if (!(await canUpdateTeam(req.auth, teamId))) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
 
@@ -56,7 +53,7 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (await canUpdateTeam(userId, teamId)) {
+    if (await canUpdateTeam(req.auth, teamId)) {
       return unauthorized(res, 'You must be the owner of this team.');
     }
     const { teamUserId } = req.body;

pages/api/teams/[id]/websites.ts

@@ -20,13 +20,10 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { id: userId },
-  } = req.auth;
   const { id: teamId } = req.query;
 
   if (req.method === 'GET') {
-    if (await canViewTeam(userId, teamId)) {
+    if (await canViewTeam(req.auth, teamId)) {
       return unauthorized(res);
     }
 

pages/api/teams/index.ts

@@ -28,7 +28,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (!(await canCreateTeam(userId))) {
+    if (!(await canCreateTeam(req.auth))) {
       return unauthorized(res);
     }
 

pages/api/users/[id]/index.ts

@@ -1,5 +1,5 @@
 import { NextApiRequestQueryBody } from 'lib/types';
-import { canUpdateUser, canViewUser } from 'lib/auth';
+import { canDeleteUser, canUpdateUser, canViewUser } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
@@ -26,7 +26,7 @@ export default async (
   const { id } = req.query;
 
   if (req.method === 'GET') {
-    if (!isAdmin && !(await canViewUser(userId, id))) {
+    if (!(await canViewUser(req.auth, id))) {
       return unauthorized(res);
     }
 
@@ -36,7 +36,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (!isAdmin && !(await canUpdateUser(userId, id))) {
+    if (!(await canUpdateUser(req.auth, id))) {
       return unauthorized(res);
     }
 
@@ -71,7 +71,7 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (!isAdmin) {
+    if (!(await canDeleteUser(req.auth))) {
       return unauthorized(res);
     }
 

pages/api/users/[id]/password.ts

@@ -29,12 +29,9 @@ export default async (
 
   const { currentPassword, newPassword } = req.body;
   const { id } = req.query;
-  const {
-    user: { id: userId, isAdmin },
-  } = req.auth;
 
   if (req.method === 'POST') {
-    if (!isAdmin && !(await canUpdateUser(userId, id))) {
+    if (!(await canUpdateUser(req.auth, id))) {
       return unauthorized(res);
     }
 

pages/api/users/[id]/websites.ts

@@ -1,9 +1,10 @@
 import { Prisma } from '@prisma/client';
-import { NextApiRequestQueryBody } from 'lib/types';
+import { canCreateWebsite } from 'lib/auth';
 import { uuid } from 'lib/crypto';
 import { useAuth, useCors } from 'lib/middleware';
+import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { methodNotAllowed, ok } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createWebsite, getUserWebsites } from 'queries';
 
 export interface WebsitesRequestQuery {}
@@ -35,6 +36,10 @@ export default async (
   if (req.method === 'POST') {
     const { name, domain, shareId, teamId } = req.body;
 
+    if (!(await canCreateWebsite(req.auth, teamId))) {
+      return unauthorized(res);
+    }
+
     const data: Prisma.WebsiteUncheckedCreateInput = {
       id: uuid(),
       name,

pages/api/users/index.ts

@@ -1,7 +1,8 @@
-import { NextApiRequestQueryBody } from 'lib/types';
+import { canCreateUser, canViewUsers } from 'lib/auth';
+import { ROLES } from 'lib/constants';
 import { uuid } from 'lib/crypto';
 import { useAuth } from 'lib/middleware';
-import { ROLES } from 'lib/constants';
+import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createUser, getUser, getUsers, User } from 'queries';
@@ -18,12 +19,8 @@ export default async (
 ) => {
   await useAuth(req, res);
 
-  const {
-    user: { isAdmin },
-  } = req.auth;
-
   if (req.method === 'GET') {
-    if (!isAdmin) {
+    if (!(await canViewUsers(req.auth))) {
       return unauthorized(res);
     }
 
@@ -33,7 +30,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (!isAdmin) {
+    if (!(await canCreateUser(req.auth))) {
       return unauthorized(res);
     }