Umami/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-05-30 06:47:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix IDOR for reports

Browse Source
This commit is contained in:
Francis Cao
2026-03-05 22:28:35 -08:00
parent a6c909f3df
commit fda83acdea
2 changed files with 29 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/app/api/reports/[reportId]/route.ts
+7 -4
View File
@@ -1,7 +1,7 @@
import { parseRequest } from '@/lib/request';
import { json, notFound, ok, unauthorized } from '@/lib/response';
import { reportSchema } from '@/lib/schema';
import { canDeleteWebsite, canUpdateWebsite, canViewReport } from '@/permissions';
import { canDeleteReport, canUpdateReport, canViewReport } from '@/permissions';
import { deleteReport, getReport, updateReport } from '@/queries/prisma';
export async function GET(request: Request, { params }: { params: Promise<{ reportId: string }> }) {
@@ -41,13 +41,12 @@ export async function POST(
return notFound();
}
if (!(await canUpdateWebsite(auth, websiteId))) {
if (!(await canUpdateReport(auth, report))) {
return unauthorized();
}
const result = await updateReport(reportId, {
websiteId,
userId: auth.user.id,
type,
name,
description,
@@ -70,7 +69,11 @@ export async function DELETE(
const { reportId } = await params;
const report = await getReport(reportId);
if (!(await canDeleteWebsite(auth, report.websiteId))) {
if (!report) {
return notFound();
}
if (!(await canDeleteReport(auth, report))) {
return unauthorized();
}
src/permissions/report.ts
+22 -6
View File
@@ -1,6 +1,6 @@
import type { Report } from '@/generated/prisma/client';
import type { Auth } from '@/lib/types';
import { canViewWebsite } from './website';
import { canDeleteWebsite, canUpdateWebsite, canViewWebsite } from './website';
export async function canViewReport(auth: Auth, report: Report) {
if (auth.user?.isAdmin) {
@@ -14,18 +14,34 @@ export async function canViewReport(auth: Auth, report: Report) {
return !!(await canViewWebsite(auth, report.websiteId));
}
export async function canUpdateReport({ user }: Auth, report: Report) {
if (!user) {
export async function canUpdateReport(auth: Auth, report: Report) {
if (!auth.user) {
return false;
}
if (user.isAdmin) {
if (auth.user.isAdmin) {
return true;
}
return user.id === report.userId;
if (auth.user.id === report.userId) {
return true;
}
return !!(await canUpdateWebsite(auth, report.websiteId));
}
export async function canDeleteReport(auth: Auth, report: Report) {
return canUpdateReport(auth, report);
if (!auth.user) {
return false;
}
if (auth.user.isAdmin) {
return true;
}
if (auth.user.id === report.userId) {
return true;
}
return !!(await canDeleteWebsite(auth, report.websiteId));
}