Update permissions.

lib/auth.js

@@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
   return false;
 }
 
-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
   const { id } = req.query;
 
   const { userId, isAdmin, shareToken } = req.auth ?? {};
@@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
     return true;
   }
 
-  if (shareToken) {
+  if (allowShareToken && shareToken) {
     return isValidToken(shareToken, { id });
   }
 

pages/api/accounts/[id]/password.js

@@ -17,7 +17,7 @@ export default async (req, res) => {
   const { current_password, new_password } = req.body;
   const { id: accountUuid } = req.query;
 
-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
     return unauthorized(res);
   }
 

pages/api/websites/[id]/index.js

@@ -9,9 +9,8 @@ export default async (req, res) => {
   await useAuth(req, res);
 
   const { id: websiteUuid } = req.query;
-  const { userId } = req.auth;
 
-  if (!userId || !(await allowQuery(req, TYPE_WEBSITE))) {
+  if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
     return unauthorized(res);
   }
 

pages/api/websites/[id]/reset.js

@@ -11,7 +11,7 @@ export default async (req, res) => {
   const { id: websiteId } = req.query;
 
   if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
       return unauthorized(res);
     }