From dd2d9dc3f5bd5ab0da10df6a336d51657207d849 Mon Sep 17 00:00:00 2001
From: Brian Cao <brian@umami.is>
Date: Mon, 16 Jan 2023 13:47:19 -0800
Subject: [PATCH] Update permissions.

---
 lib/auth.js                         | 4 ++--
 pages/api/accounts/[id]/password.js | 2 +-
 pages/api/websites/[id]/index.js    | 3 +--
 pages/api/websites/[id]/reset.js    | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/auth.js b/lib/auth.js
index 93027544..d485b977 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
   return false;
 }
 
-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
   const { id } = req.query;
 
   const { userId, isAdmin, shareToken } = req.auth ?? {};
@@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
     return true;
   }
 
-  if (shareToken) {
+  if (allowShareToken && shareToken) {
     return isValidToken(shareToken, { id });
   }
 
diff --git a/pages/api/accounts/[id]/password.js b/pages/api/accounts/[id]/password.js
index 89649c20..5dde1258 100644
--- a/pages/api/accounts/[id]/password.js
+++ b/pages/api/accounts/[id]/password.js
@@ -17,7 +17,7 @@ export default async (req, res) => {
   const { current_password, new_password } = req.body;
   const { id: accountUuid } = req.query;
 
-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
     return unauthorized(res);
   }
 
diff --git a/pages/api/websites/[id]/index.js b/pages/api/websites/[id]/index.js
index 87f3f492..57b053b6 100644
--- a/pages/api/websites/[id]/index.js
+++ b/pages/api/websites/[id]/index.js
@@ -9,9 +9,8 @@ export default async (req, res) => {
   await useAuth(req, res);
 
   const { id: websiteUuid } = req.query;
-  const { userId } = req.auth;
 
-  if (!userId || !(await allowQuery(req, TYPE_WEBSITE))) {
+  if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
     return unauthorized(res);
   }
 
diff --git a/pages/api/websites/[id]/reset.js b/pages/api/websites/[id]/reset.js
index 0dde02df..0075a74d 100644
--- a/pages/api/websites/[id]/reset.js
+++ b/pages/api/websites/[id]/reset.js
@@ -11,7 +11,7 @@ export default async (req, res) => {
   const { id: websiteId } = req.query;
 
   if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
       return unauthorized(res);
     }