diff --git a/lib/auth.js b/lib/auth.js
index 93027544..d485b977 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
 return false;
 }
-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
 const { id } = req.query;
 const { userId, isAdmin, shareToken } = req.auth ?? {};
@@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
 return true;
 }
- if (shareToken) {
+ if (allowShareToken && shareToken) {
 return isValidToken(shareToken, { id });
 }
diff --git a/pages/api/accounts/[id]/password.js b/pages/api/accounts/[id]/password.js
index 89649c20..5dde1258 100644
--- a/pages/api/accounts/[id]/password.js
+++ b/pages/api/accounts/[id]/password.js
@@ -17,7 +17,7 @@ export default async (req, res) => {
 const { current_password, new_password } = req.body;
 const { id: accountUuid } = req.query;
- if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+ if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
 return unauthorized(res);
 }
diff --git a/pages/api/websites/[id]/index.js b/pages/api/websites/[id]/index.js
index 87f3f492..57b053b6 100644
--- a/pages/api/websites/[id]/index.js
+++ b/pages/api/websites/[id]/index.js
@@ -9,9 +9,8 @@ export default async (req, res) => {
 await useAuth(req, res);
 const { id: websiteUuid } = req.query;
- const { userId } = req.auth;
- if (!userId || !(await allowQuery(req, TYPE_WEBSITE))) {
+ if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
 return unauthorized(res);
 }
diff --git a/pages/api/websites/[id]/reset.js b/pages/api/websites/[id]/reset.js
index 0dde02df..0075a74d 100644
--- a/pages/api/websites/[id]/reset.js
+++ b/pages/api/websites/[id]/reset.js
@@ -11,7 +11,7 @@ export default async (req, res) => {
 const { id: websiteId } = req.query;
 if (req.method === 'POST') {
- if (!(await allowQuery(req, TYPE_WEBSITE))) {
+ if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
 return unauthorized(res);
 }
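Review bot: The `allowShareToken = true` default on the new allowQuery signature makes share-token authorization opt-out, so any caller that does not pass the third argument still accepts a share token, and the commit has to locate and patch every mutating endpoint by hand; one it misses stays reachable with a share token. A safer shape is a `false` default with the read-only share-page endpoints opting in, though that is a wider change than this diff and needs every caller checked. At minimum the parameter deserves a JSDoc line above the function, `@param {boolean} [allowShareToken=true] - when false a share token never authorizes the request; pass false from endpoints that mutate or expose account data`. allowQuery's body continues outside both hunks, so the branch that returns true just before the share-token check (the `return true;` at the top of the second hunk) cannot be reviewed here.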
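Review bot: The bare positional `false` in `allowQuery(req, TYPE_ACCOUNT, false)` does not tell a reader what is being disabled, and the same literal appears in the websites/[id]/index.js and websites/[id]/reset.js hunks. A one-line comment at each call site, `// share tokens must never authorize this change`, or a named constant declared next to allowQuery (for example `const NO_SHARE_TOKEN = false;` — constructed name) passed in its place would make the intent clear and greppable when the next mutating endpoint is added. The handler body continues outside the hunk.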
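Review bot: Dropping the explicit `!userId` guard means this handler now relies entirely on allowQuery to reject a request with no authenticated user, which is only equivalent if every branch of allowQuery that returns true requires `userId` or `isAdmin`; the `return true;` branch just above the share-token check is outside the lib/auth.js hunk, so that cannot be confirmed from this diff. The failure mode also changes: the removed `const { userId } = req.auth;` threw when `req.auth` was absent, whereas allowQuery's `req.auth ?? {}` yields undefined fields and continues, so the `false` argument is now the only thing keeping a share-token-only request out. Because the check sits above any method dispatch, GET requests carrying only a share token are rejected too; if the share page reads website details through this route, that is a functional change worth stating in the commit message. The handler body continues outside the hunk.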