Fix share URL permissions.

2023-01-16 09:30:46 -08:00 · 2023-01-16 09:30:46 -08:00 · cc46cfdcbf
parent 05c7196bc6
commit cc46cfdcbf
3 changed files with 23 additions and 15 deletions
--- a/components/layout/Header.js
+++ b/components/layout/Header.js
@ -29,21 +29,24 @@ export default function Header() {
          <Icon icon={<Logo />} size="large" className={styles.logo} />
          <Link href={isSharePage ? HOMEPAGE_URL : '/'}>umami</Link>
        </div>
-        <HamburgerButton />
+
        {user && (
-          <div className={styles.links}>
-            <Link href="/dashboard">
-              <FormattedMessage id="label.dashboard" defaultMessage="Dashboard" />
-            </Link>
-            <Link href="/realtime">
-              <FormattedMessage id="label.realtime" defaultMessage="Realtime" />
-            </Link>
-            {!process.env.isCloudMode && (
-              <Link href="/settings">
-                <FormattedMessage id="label.settings" defaultMessage="Settings" />
+          <>
+            <HamburgerButton />
+            <div className={styles.links}>
+              <Link href="/dashboard">
+                <FormattedMessage id="label.dashboard" defaultMessage="Dashboard" />
              </Link>
-            )}
-          </div>
+              <Link href="/realtime">
+                <FormattedMessage id="label.realtime" defaultMessage="Realtime" />
+              </Link>
+              {!process.env.isCloudMode && (
+                <Link href="/settings">
+                  <FormattedMessage id="label.settings" defaultMessage="Settings" />
+                </Link>
+              )}
+            </div>
+          </>
        )}
        <div className={styles.buttons}>
          <ThemeButton />
--- a/pages/api/realtime/init.js
+++ b/pages/api/realtime/init.js
@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@ -10,6 +10,10 @@ export default async (req, res) => {
  if (req.method === 'GET') {
    const { userId } = req.auth;

+    if (!userId) {
+      return unauthorized(res);
+    }
+
    const websites = await getUserWebsites({ userId });
    const ids = websites.map(({ websiteUuid }) => websiteUuid);
    const token = createToken({ websites: ids }, secret());
--- a/pages/api/websites/index.js
+++ b/pages/api/websites/index.js
@ -7,6 +7,7 @@ export default async (req, res) => {
  await useAuth(req, res);

  const { user_id, include_all } = req.query;
+
  const { userId: currentUserId, isAdmin } = req.auth;
  const accountUuid = user_id || req.auth.accountUuid;
  let account;
@ -18,7 +19,7 @@ export default async (req, res) => {
  const userId = account ? account.id : user_id;

  if (req.method === 'GET') {
-    if (userId && userId !== currentUserId && !isAdmin) {
+    if (!userId || (userId !== currentUserId && !isAdmin)) {
      return unauthorized(res);
    }