fix: 🛂 Protect from others to consult typebots and folders
baptisteArno committed Feb 18, 2022
1 parent 7402ad5 commit f6d5eb5
Showing 4 changed files with 30 additions and 9 deletions.
9 changes: 5 additions & 4 deletions apps/builder/pages/api/folders/[id].ts
@@ -1,5 +1,5 @@
import { withSentry } from '@sentry/nextjs'
import { DashboardFolder } from 'db'
import { DashboardFolder, User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
Expand All @@ -12,22 +12,23 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
return res.status(401).json({ message: 'Not authenticated' })

const id = req.query.id.toString()
const user = session.user as User
if (req.method === 'GET') {
const folder = await prisma.dashboardFolder.findUnique({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
})
return res.send({ folder })
}
if (req.method === 'DELETE') {
const folders = await prisma.dashboardFolder.delete({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
})
return res.send({ folders })
}
if (req.method === 'PATCH') {
const data = JSON.parse(req.body) as Partial<DashboardFolder>
const folders = await prisma.dashboardFolder.update({
where: { id },
where: { id_ownerId: { id, ownerId: user.id } },
data,
})
return res.send({ typebots: folders })
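Review bot: The PATCH branch at `const data = JSON.parse(req.body) as Partial<DashboardFolder>` still hands the raw client body to `update`, so the owner scoping in the new `where` can be undone by the same request: a body carrying `ownerId` (or `id`) re-homes the folder, and the `as Partial<DashboardFolder>` assertion only labels the shape, it validates nothing. Strip the identity fields before the call, e.g. `const { ownerId: _owner, id: _id, ...data } = JSON.parse(req.body) as Partial<DashboardFolder>`, or better, pick an explicit allow-list of editable fields. The same pattern is in the PUT and PATCH branches of `apps/builder/pages/api/typebots/[typebotId].ts`, where `data` is not even typed. `JSON.parse` on a malformed body will also throw here; how that surfaces depends on the handler, which starts before and ends after this hunk.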
10 changes: 6 additions & 4 deletions apps/builder/pages/api/typebots/[typebotId].ts
@@ -1,4 +1,5 @@
import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
Expand All @@ -11,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
return res.status(401).json({ message: 'Not authenticated' })

const typebotId = req.query.typebotId.toString()
const user = session.user as User
if (req.method === 'GET') {
const typebot = await prisma.typebot.findUnique({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
include: {
publishedTypebot: true,
},
Expand All @@ -24,14 +26,14 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
}
if (req.method === 'DELETE') {
const typebots = await prisma.typebot.delete({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
})
return res.send({ typebots })
}
if (req.method === 'PUT') {
const data = JSON.parse(req.body)
const typebots = await prisma.typebot.update({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
data: {
...data,
theme: data.theme ?? undefined,
Expand All @@ -43,7 +45,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'PATCH') {
const data = JSON.parse(req.body)
const typebots = await prisma.typebot.update({
where: { id: typebotId },
where: { id_ownerId: { id: typebotId, ownerId: user.id } },
data,
})
return res.send({ typebots })
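Review bot: With the compound `where: { id_ownerId: { id: typebotId, ownerId: user.id } }`, the DELETE, PUT and PATCH branches now reject with a Prisma not-found error whenever the id belongs to another user or does not exist, and nothing in the hunk catches it, so the response for "someone else's typebot" is whatever the surrounding handler and `withSentry` make of an unhandled rejection (presumably a 500 with Prisma's message) rather than a deliberate 404; only GET degrades cleanly through `findUnique` returning null. Consider resolving the record first with the same owner-scoped `findUnique` and returning `if (!typebot) return res.status(404).json({ message: 'Not found' })` before any write, so access to foreign ids is answered uniformly and without internals. `const user = session.user as User` is also an assertion rather than a check; if the session callback does not populate `id`, `ownerId` is `undefined` at runtime — worth confirming against the auth config. The handler starts before and ends after this hunk.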
@@ -0,0 +1,16 @@
/*
Warnings:
- A unique constraint covering the columns `[code]` on the table `Coupon` will be added. If there are existing duplicate values, this will fail.
- A unique constraint covering the columns `[id,ownerId]` on the table `DashboardFolder` will be added. If there are existing duplicate values, this will fail.
- A unique constraint covering the columns `[id,ownerId]` on the table `Typebot` will be added. If there are existing duplicate values, this will fail.
*/
-- CreateIndex
CREATE UNIQUE INDEX "Coupon_code_key" ON "Coupon"("code");

-- CreateIndex
CREATE UNIQUE INDEX "DashboardFolder_id_ownerId_key" ON "DashboardFolder"("id", "ownerId");

-- CreateIndex
CREATE UNIQUE INDEX "Typebot_id_ownerId_key" ON "Typebot"("id", "ownerId");
4 changes: 3 additions & 1 deletion packages/db/prisma/schema.prisma
Expand Up @@ -96,6 +96,7 @@ model DashboardFolder {
parentFolder DashboardFolder? @relation("ParentChild", fields: [parentFolderId], references: [id])
childrenFolder DashboardFolder[] @relation("ParentChild")
typebots Typebot[]
@@unique([id, ownerId])
}

model Typebot {
Expand All @@ -117,6 +118,7 @@ model Typebot {
settings Json
publicId String? @unique
customDomain String? @unique
@@unique([id, ownerId])
}

model PublicTypebot {
Expand Down Expand Up @@ -157,6 +159,6 @@ model Answer {

model Coupon {
userPropertiesToUpdate Json
code String @id
code String @id @unique
dateRedeemed DateTime?
}
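Review bot: The new `@@unique([id, ownerId])` on `DashboardFolder` and `Typebot` reads as a data constraint but, assuming `id` is already each model's `@id`, it adds no uniqueness that did not exist; its real purpose is to expose the `id_ownerId` compound selector so the API handlers can scope `findUnique`/`update`/`delete` to the owner, and that intent should be recorded in the schema, e.g. `// Compound selector for owner-scoped lookups in the API; id alone is already unique` above each `@@unique`. Separately, `code String @id @unique` on `Coupon` makes `@unique` redundant with the primary key, and the migration confirms it materialises a second index (`Coupon_code_key`); unless the `code` unique input is needed specifically, `code String @id` is enough.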
