
fix: 🛂 Protect from others to consult typebots and folders

This commit is contained in:
Baptiste Arnaud
2022-02-18 18:18:38 +01:00
parent 7402ad5f6d
commit f6d5eb5777
4 changed files with 30 additions and 9 deletions


@ -1,5 +1,5 @@
import { withSentry } from '@sentry/nextjs'
import { DashboardFolder } from 'db'
import { DashboardFolder, User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
@ -12,22 +12,23 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
return res.status(401).json({ message: 'Not authenticated' })
const id = req.query.id.toString()
const user = session.user as User
if (req.method === 'GET') {
const folder = await prisma.dashboardFolder.findUnique({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
})
return res.send({ folder })
}
if (req.method === 'DELETE') {
const folders = await prisma.dashboardFolder.delete({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
})
return res.send({ folders })
}
if (req.method === 'PATCH') {
const data = JSON.parse(req.body) as Partial<DashboardFolder>
const folders = await prisma.dashboardFolder.update({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
data,
})
return res.send({ typebots: folders })
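Review bot: The PATCH branch still hands the parsed request body to `update` unchanged as `data`, so while `where` is now scoped to the owner, a body containing `ownerId` (or `id`) can reassign the folder to another account or rewrite its key; the typebot handler's PUT (`...data`) and PATCH branches have the same gap. Strip those columns or build `data` from an explicit allow-list of writable fields before the call, e.g. `const { id: _id, ownerId: _ownerId, ...data } = JSON.parse(req.body) as Partial<DashboardFolder>`. The `as Partial<DashboardFolder>` assertion itself is unchecked, so parsing to `unknown` and validating the shape would be the sturdier form. The handler body continues past the end of this hunk, so any validation done there is not visible here.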


@ -1,4 +1,5 @@
import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
@ -11,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
return res.status(401).json({ message: 'Not authenticated' })
const typebotId = req.query.typebotId.toString()
const user = session.user as User
if (req.method === 'GET') {
const typebot = await prisma.typebot.findUnique({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
include: {
publishedTypebot: true,
},
@ -24,14 +26,14 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
}
if (req.method === 'DELETE') {
const typebots = await prisma.typebot.delete({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
})
return res.send({ typebots })
}
if (req.method === 'PUT') {
const data = JSON.parse(req.body)
const typebots = await prisma.typebot.update({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
data: {
...data,
theme: data.theme ?? undefined,
@ -43,7 +45,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'PATCH') {
const data = JSON.parse(req.body)
const typebots = await prisma.typebot.update({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
data,
})
return res.send({ typebots })
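Review bot: With the composite `id_ownerId` selector, `prisma.typebot.delete` and `prisma.typebot.update` in the DELETE, PUT and PATCH branches reject the call when the typebot exists but belongs to someone else (Prisma raises a missing-record error rather than returning null), so an unowned id now surfaces as an unhandled rejection and a 500 via withSentry instead of a 403/404, unless it is caught further up outside this hunk; the folder handler's DELETE and PATCH branches behave the same way. Consider checking ownership first with `findUnique({ where: { id_ownerId: { id: typebotId, ownerId: user.id } } })` and returning `res.status(404)` when nothing matches, or using `updateMany`/`deleteMany` and testing the returned `count`. The surrounding handler starts and ends outside the hunks shown.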


@ -0,0 +1,16 @@
/*
Warnings:
- A unique constraint covering the columns `[code]` on the table `Coupon` will be added. If there are existing duplicate values, this will fail.
- A unique constraint covering the columns `[id,ownerId]` on the table `DashboardFolder` will be added. If there are existing duplicate values, this will fail.
- A unique constraint covering the columns `[id,ownerId]` on the table `Typebot` will be added. If there are existing duplicate values, this will fail.
*/
-- CreateIndex
CREATE UNIQUE INDEX "Coupon_code_key" ON "Coupon"("code");
-- CreateIndex
CREATE UNIQUE INDEX "DashboardFolder_id_ownerId_key" ON "DashboardFolder"("id", "ownerId");
-- CreateIndex
CREATE UNIQUE INDEX "Typebot_id_ownerId_key" ON "Typebot"("id", "ownerId");


@ -96,6 +96,7 @@ model DashboardFolder {
parentFolder DashboardFolder? @relation("ParentChild", fields: [parentFolderId], references: [id])
childrenFolder DashboardFolder[] @relation("ParentChild")
typebots Typebot[]
@@unique([id, ownerId])
}
model Typebot {
@ -117,6 +118,7 @@ model Typebot {
settings Json
publicId String? @unique
customDomain String? @unique
@@unique([id, ownerId])
}
model PublicTypebot {
@ -157,6 +159,6 @@ model Answer {
model Coupon {
userPropertiesToUpdate Json
code String @id
code String @id @unique
dateRedeemed DateTime?
}
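Review bot: The new `@@unique([id, ownerId])` on DashboardFolder and Typebot is not a real constraint — `id` was already a unique selector, as the previous handlers' `findUnique({ where: { id } })` shows — but exists only so Prisma exposes the `id_ownerId` compound selector for owner-scoped `findUnique`/`update`/`delete`; a comment on each would stop a later cleanup from dropping it, e.g. `// Compound selector for owner-scoped lookups in the API handlers; id alone is already unique.`. On Coupon, `code String @id @unique` is redundant since `@id` already implies uniqueness, and it is what produces the extra `Coupon_code_key` index in the generated migration; drop `@unique` unless the second index is wanted deliberately.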