Update permissions.

2023-01-16 13:47:19 -08:00 · 2023-01-16 13:47:19 -08:00 · dd2d9dc3f5
parent f1db3d0451
commit dd2d9dc3f5
4 changed files with 5 additions and 6 deletions
--- a/lib/auth.js
+++ b/lib/auth.js
@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
  return false;
 }
-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
  const { id } = req.query;
  const { userId, isAdmin, shareToken } = req.auth ?? {};
@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
    return true;
  }
-  if (shareToken) {
+  if (allowShareToken && shareToken) {
    return isValidToken(shareToken, { id });
  }
--- a/pages/api/accounts/[id]/password.js
+++ b/pages/api/accounts/[id]/password.js
@ -17,7 +17,7 @@ export default async (req, res) => {
  const { current_password, new_password } = req.body;
  const { id: accountUuid } = req.query;
-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
    return unauthorized(res);
  }
--- a/pages/api/websites/[id]/index.js
+++ b/pages/api/websites/[id]/index.js
@ -9,9 +9,8 @@ export default async (req, res) => {
  await useAuth(req, res);
  const { id: websiteUuid } = req.query;
  const { userId } = req.auth;
-  if (!userId || !(await allowQuery(req, TYPE_WEBSITE))) {
+  if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
    return unauthorized(res);
  }
--- a/pages/api/websites/[id]/reset.js
+++ b/pages/api/websites/[id]/reset.js
@ -11,7 +11,7 @@ export default async (req, res) => {
  const { id: websiteId } = req.query;
  if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
      return unauthorized(res);
    }