Fix share URL permissions.

2023-01-16 09:30:46 -08:00 · 2023-01-16 09:30:46 -08:00 · cc46cfdcbf
parent 05c7196bc6
commit cc46cfdcbf
3 changed files with 23 additions and 15 deletions
--- a/components/layout/Header.js
+++ b/components/layout/Header.js
@ -29,8 +29,10 @@ export default function Header() {
          <Icon icon={<Logo />} size="large" className={styles.logo} />
          <Link href={isSharePage ? HOMEPAGE_URL : '/'}>umami</Link>
        </div>
-        <HamburgerButton />
+
        {user && (
          <>
            <HamburgerButton />
            <div className={styles.links}>
              <Link href="/dashboard">
                <FormattedMessage id="label.dashboard" defaultMessage="Dashboard" />
@ -44,6 +46,7 @@ export default function Header() {
                </Link>
              )}
            </div>
          </>
        )}
        <div className={styles.buttons}>
          <ThemeButton />
--- a/pages/api/realtime/init.js
+++ b/pages/api/realtime/init.js
@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@ -10,6 +10,10 @@ export default async (req, res) => {
  if (req.method === 'GET') {
    const { userId } = req.auth;
    if (!userId) {
      return unauthorized(res);
    }
    const websites = await getUserWebsites({ userId });
    const ids = websites.map(({ websiteUuid }) => websiteUuid);
    const token = createToken({ websites: ids }, secret());
--- a/pages/api/websites/index.js
+++ b/pages/api/websites/index.js
@ -7,6 +7,7 @@ export default async (req, res) => {
  await useAuth(req, res);
  const { user_id, include_all } = req.query;
  const { userId: currentUserId, isAdmin } = req.auth;
  const accountUuid = user_id || req.auth.accountUuid;
  let account;
@ -18,7 +19,7 @@ export default async (req, res) => {
  const userId = account ? account.id : user_id;
  if (req.method === 'GET') {
-    if (userId && userId !== currentUserId && !isAdmin) {
+    if (!userId || (userId !== currentUserId && !isAdmin)) {
      return unauthorized(res);
    }