From cc46cfdcbfd68f4ba6d35c088aa372277b806b16 Mon Sep 17 00:00:00 2001
From: Brian Cao
Date: Mon, 16 Jan 2023 09:30:46 -0800
Subject: [PATCH] Fix share URL permissions.
---
components/layout/Header.js | 29 ++++++++++++++++-------------
pages/api/realtime/init.js | 6 +++++-
pages/api/websites/index.js | 3 ++-
3 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/components/layout/Header.js b/components/layout/Header.js
index a81e016c..5f0ca386 100644
--- a/components/layout/Header.js
+++ b/components/layout/Header.js
@@ -29,21 +29,24 @@ export default function Header() { } size="large" className={styles.logo} /> umami - + {user && ( -
- - - - - - - {!process.env.isCloudMode && ( - - + <> + +
+ + - )} -
+ + + + {!process.env.isCloudMode && ( + + + + )} +
+ )}
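Review bot: Wrapping the nav fragment in `{user && (` changes only what is rendered; it is not an access control, so a visitor without a `user` (presumably a share-URL session, going by the commit title) is kept away from the data by the API-side checks this commit adds in pages/api/realtime/init.js and pages/api/websites/index.js, not by this hunk. A short JSX comment above the new condition would make that explicit for whoever adds the next link inside the fragment, e.g. `{/* Hidden for sessions without a user; the API routes enforce access. */}`. The element names inside the fragment are not legible in the extracted text, so they cannot be checked here, and Header's body continues outside the hunk.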
diff --git a/pages/api/realtime/init.js b/pages/api/realtime/init.js
index 9a9a4297..75ddf022 100644
--- a/pages/api/realtime/init.js
+++ b/pages/api/realtime/init.js
@@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@@ -10,6 +10,10 @@ export default async (req, res) => {
 if (req.method === 'GET') {
 const { userId } = req.auth;
 
+ if (!userId) {
+ return unauthorized(res);
+ }
+
 const websites = await getUserWebsites({ userId });
 const ids = websites.map(({ websiteUuid }) => websiteUuid);
 const token = createToken({ websites: ids }, secret());
diff --git a/pages/api/websites/index.js b/pages/api/websites/index.js
index daecac88..f5fb6cfe 100644
--- a/pages/api/websites/index.js
+++ b/pages/api/websites/index.js
@@ -7,6 +7,7 @@ export default async (req, res) => {
 await useAuth(req, res);
 
 const { user_id, include_all } = req.query;
+ const { userId: currentUserId, isAdmin } = req.auth;
 const accountUuid = user_id || req.auth.accountUuid;
 
 let account;
@@ -18,7 +19,7 @@ export default async (req, res) => {
 const userId = account ? account.id : user_id;
 
 if (req.method === 'GET') {
- if (userId && userId !== currentUserId && !isAdmin) {
+ if (!userId || (userId !== currentUserId && !isAdmin)) {
 return unauthorized(res);
 }
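Review bot: The new `if (!userId)` guard after `const { userId } = req.auth;` is the only thing that stops a session without a user id (presumably one that `useAuth` populated from a share token) from minting a realtime token covering that user's websites, and nothing in the hunk records that intent; a one-line comment would, e.g. `// sessions without a userId (share tokens) get no realtime data`. The same per-endpoint check now also appears in pages/api/websites/index.js, so a shared helper that rejects user-less sessions would keep the next endpoint from forgetting it. The handler's body continues outside the hunk.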
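Review bot: The new `const { userId: currentUserId, isAdmin } = req.auth;` sits directly above `const accountUuid = user_id || req.auth.accountUuid;`, which still reaches into `req.auth` on its own; folding it into the same destructuring, `const { userId: currentUserId, isAdmin, accountUuid: ownAccountUuid } = req.auth;`, would keep every auth-derived value in one place. It is also worth noting in a comment that `user_id` is caller-supplied from the query string and is only trusted once it has been compared against `currentUserId`/`isAdmin` further down, e.g. `// user_id comes from the query; authorized against req.auth below`. That comparison and the rest of the handler lie outside this hunk.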