fix: 🛂 Protect from others to consult typebots and folders
@ -1,5 +1,5 @@
|
|||||||
import { withSentry } from '@sentry/nextjs'
|
import { withSentry } from '@sentry/nextjs'
|
||||||
import { DashboardFolder } from 'db'
|
import { DashboardFolder, User } from 'db'
|
||||||
import prisma from 'libs/prisma'
|
import prisma from 'libs/prisma'
|
||||||
import { NextApiRequest, NextApiResponse } from 'next'
|
import { NextApiRequest, NextApiResponse } from 'next'
|
||||||
import { getSession } from 'next-auth/react'
|
import { getSession } from 'next-auth/react'
|
||||||
@ -12,22 +12,23 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
|
|||||||
return res.status(401).json({ message: 'Not authenticated' })
|
return res.status(401).json({ message: 'Not authenticated' })
|
||||||
|
|
||||||
const id = req.query.id.toString()
|
const id = req.query.id.toString()
|
||||||
|
const user = session.user as User
|
||||||
if (req.method === 'GET') {
|
if (req.method === 'GET') {
|
||||||
const folder = await prisma.dashboardFolder.findUnique({
|
const folder = await prisma.dashboardFolder.findUnique({
|
||||||
where: { id },
|
where: { id_ownerId: { id, ownerId: user.id } },
|
||||||
})
|
})
|
||||||
return res.send({ folder })
|
return res.send({ folder })
|
||||||
}
|
}
|
||||||
if (req.method === 'DELETE') {
|
if (req.method === 'DELETE') {
|
||||||
const folders = await prisma.dashboardFolder.delete({
|
const folders = await prisma.dashboardFolder.delete({
|
||||||
where: { id },
|
where: { id_ownerId: { id, ownerId: user.id } },
|
||||||
})
|
})
|
||||||
return res.send({ folders })
|
return res.send({ folders })
|
||||||
}
|
}
|
||||||
if (req.method === 'PATCH') {
|
if (req.method === 'PATCH') {
|
||||||
const data = JSON.parse(req.body) as Partial<DashboardFolder>
|
const data = JSON.parse(req.body) as Partial<DashboardFolder>
|
||||||
const folders = await prisma.dashboardFolder.update({
|
const folders = await prisma.dashboardFolder.update({
|
||||||
where: { id },
|
where: { id_ownerId: { id, ownerId: user.id } },
|
||||||
data,
|
data,
|
||||||
})
|
})
|
||||||
return res.send({ typebots: folders })
|
return res.send({ typebots: folders })
|
||||||
|
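Review bot: The PATCH branch's `update` still receives the parsed request body as-is, so a body carrying `ownerId` (or `id`/`parentFolderId`) is written through and the owner scoping this commit adds on `where` is undone by the same statement; strip the identifying fields before the call, e.g. `const { id: _id, ownerId: _ownerId, ...data } = JSON.parse(req.body) as Partial<DashboardFolder>`, or pick an explicit allow-list of editable fields. The same applies to the typebots handler's PUT (`...data` spread) and PATCH hunks. Separately, with the compound key a non-owned `id` makes `findUnique` return `null`, which GET answers as a 200 `{ folder: null }`, while Prisma's `delete`/`update` reject when `where` matches no row, so DELETE/PATCH presumably end as an unhandled error rather than a 404 — add `if (!folder) return res.status(404).json({ message: 'Folder not found' })` on GET and handle the not-found rejection on the others. `session.user as User` is an unchecked assertion that the session callback populates the db `User` shape; worth confirming. The handler's signature and the session lookup are outside these hunks.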
@ -1,4 +1,5 @@
|
|||||||
import { withSentry } from '@sentry/nextjs'
|
import { withSentry } from '@sentry/nextjs'
|
||||||
|
import { User } from 'db'
|
||||||
import prisma from 'libs/prisma'
|
import prisma from 'libs/prisma'
|
||||||
import { NextApiRequest, NextApiResponse } from 'next'
|
import { NextApiRequest, NextApiResponse } from 'next'
|
||||||
import { getSession } from 'next-auth/react'
|
import { getSession } from 'next-auth/react'
|
||||||
@ -11,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
|
|||||||
return res.status(401).json({ message: 'Not authenticated' })
|
return res.status(401).json({ message: 'Not authenticated' })
|
||||||
|
|
||||||
const typebotId = req.query.typebotId.toString()
|
const typebotId = req.query.typebotId.toString()
|
||||||
|
const user = session.user as User
|
||||||
if (req.method === 'GET') {
|
if (req.method === 'GET') {
|
||||||
const typebot = await prisma.typebot.findUnique({
|
const typebot = await prisma.typebot.findUnique({
|
||||||
where: { id: typebotId },
|
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
|
||||||
include: {
|
include: {
|
||||||
publishedTypebot: true,
|
publishedTypebot: true,
|
||||||
},
|
},
|
||||||
@ -24,14 +26,14 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
|
|||||||
}
|
}
|
||||||
if (req.method === 'DELETE') {
|
if (req.method === 'DELETE') {
|
||||||
const typebots = await prisma.typebot.delete({
|
const typebots = await prisma.typebot.delete({
|
||||||
where: { id: typebotId },
|
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
|
||||||
})
|
})
|
||||||
return res.send({ typebots })
|
return res.send({ typebots })
|
||||||
}
|
}
|
||||||
if (req.method === 'PUT') {
|
if (req.method === 'PUT') {
|
||||||
const data = JSON.parse(req.body)
|
const data = JSON.parse(req.body)
|
||||||
const typebots = await prisma.typebot.update({
|
const typebots = await prisma.typebot.update({
|
||||||
where: { id: typebotId },
|
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
|
||||||
data: {
|
data: {
|
||||||
...data,
|
...data,
|
||||||
theme: data.theme ?? undefined,
|
theme: data.theme ?? undefined,
|
||||||
@ -43,7 +45,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
|
|||||||
if (req.method === 'PATCH') {
|
if (req.method === 'PATCH') {
|
||||||
const data = JSON.parse(req.body)
|
const data = JSON.parse(req.body)
|
||||||
const typebots = await prisma.typebot.update({
|
const typebots = await prisma.typebot.update({
|
||||||
where: { id: typebotId },
|
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
|
||||||
data,
|
data,
|
||||||
})
|
})
|
||||||
return res.send({ typebots })
|
return res.send({ typebots })
|
||||||
|
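Review bot: The DELETE, PUT and PATCH branches now call `delete`/`update` under the `id_ownerId` compound key with no surrounding try/catch, and Prisma rejects those operations when `where` matches no row, so a request for a typebot the caller does not own presumably ends as an unhandled rejection (a 500 reported through `withSentry`) rather than a clean 404; GET has the mirror problem, where `findUnique` yields `null` and the branch continues past the hunk. Resolving the record once under the compound key right after the `user` line and returning 404 on a miss — the same status for "missing" and "not yours", so the response does not disclose existence — gives every branch a single ownership gate. Relatedly, `const data = JSON.parse(req.body)` in PUT and PATCH is untyped (implicit `any`) and is spread straight into `update`, unlike the folders handler's `Partial<DashboardFolder>`; annotating it and dropping `id`/`ownerId` from it keeps the owner scoping from being undone by the body. The handler's opening lines and the GET branch's return are outside these hunks.
```typescript
const user = session.user as User
// One ownership gate for every method: a miss under the (id, ownerId) compound key
// means the typebot does not exist or belongs to someone else — answer 404 in both
// cases so the response does not reveal which.
const ownedTypebot = await prisma.typebot.findUnique({
  where: { id_ownerId: { id: typebotId, ownerId: user.id } },
})
if (!ownedTypebot) return res.status(404).json({ message: 'Typebot not found' })
// … unchanged: GET / DELETE / PUT / PATCH branches (GET may reuse ownedTypebot and add its include) …
```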
@ -0,0 +1,16 @@
|
|||||||
|
/*
|
||||||
|
Warnings:
|
||||||
|
|
||||||
|
- A unique constraint covering the columns `[code]` on the table `Coupon` will be added. If there are existing duplicate values, this will fail.
|
||||||
|
- A unique constraint covering the columns `[id,ownerId]` on the table `DashboardFolder` will be added. If there are existing duplicate values, this will fail.
|
||||||
|
- A unique constraint covering the columns `[id,ownerId]` on the table `Typebot` will be added. If there are existing duplicate values, this will fail.
|
||||||
|
|
||||||
|
*/
|
||||||
|
-- CreateIndex
|
||||||
|
CREATE UNIQUE INDEX "Coupon_code_key" ON "Coupon"("code");
|
||||||
|
|
||||||
|
-- CreateIndex
|
||||||
|
CREATE UNIQUE INDEX "DashboardFolder_id_ownerId_key" ON "DashboardFolder"("id", "ownerId");
|
||||||
|
|
||||||
|
-- CreateIndex
|
||||||
|
CREATE UNIQUE INDEX "Typebot_id_ownerId_key" ON "Typebot"("id", "ownerId");
|
@ -96,6 +96,7 @@ model DashboardFolder {
|
|||||||
parentFolder DashboardFolder? @relation("ParentChild", fields: [parentFolderId], references: [id])
|
parentFolder DashboardFolder? @relation("ParentChild", fields: [parentFolderId], references: [id])
|
||||||
childrenFolder DashboardFolder[] @relation("ParentChild")
|
childrenFolder DashboardFolder[] @relation("ParentChild")
|
||||||
typebots Typebot[]
|
typebots Typebot[]
|
||||||
|
@@unique([id, ownerId])
|
||||||
}
|
}
|
||||||
|
|
||||||
model Typebot {
|
model Typebot {
|
||||||
@ -117,6 +118,7 @@ model Typebot {
|
|||||||
settings Json
|
settings Json
|
||||||
publicId String? @unique
|
publicId String? @unique
|
||||||
customDomain String? @unique
|
customDomain String? @unique
|
||||||
|
@@unique([id, ownerId])
|
||||||
}
|
}
|
||||||
|
|
||||||
model PublicTypebot {
|
model PublicTypebot {
|
||||||
@ -157,6 +159,6 @@ model Answer {
|
|||||||
|
|
||||||
model Coupon {
|
model Coupon {
|
||||||
userPropertiesToUpdate Json
|
userPropertiesToUpdate Json
|
||||||
code String @id
|
code String @id @unique
|
||||||
dateRedeemed DateTime?
|
dateRedeemed DateTime?
|
||||||
}
|
}
|
||||||
|
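Review bot: `code String @id @unique` in the Coupon hunk is redundant — `@id` already implies a unique constraint, and the extra `@unique` only produces a second index on the same column (the migration's `Coupon_code_key`); drop the `@unique`, or leave a comment if the duplicate index is intended. The `@@unique([id, ownerId])` lines on DashboardFolder and Typebot read as redundant too if `id` is the primary key (its declaration is not visible in these hunks) — their actual purpose is to expose the `id_ownerId` compound key the API handlers use for owner-scoped lookups, which deserves a schema comment such as `// Compound key so API routes can scope lookups by owner (id_ownerId)`. Each model's opening lines are outside the hunks.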