fix guest actions

2025-12-10 07:48:37 +01:00 · 2024-06-19 23:38:22 +02:00
parent c1a15c8fc2
commit 149592394d
9 changed files with 27 additions and 13 deletions
--- a/dashboard/server/LIVE_DEMO_DATA.ts
+++ b/dashboard/server/LIVE_DEMO_DATA.ts
@@ -3,7 +3,7 @@ import { ProjectModel } from "~/../shared/schema/ProjectSchema";
 import { LITLYX_PROJECT_ID } from '@data/LITLYX'
 import { hasAccessToProject } from "./utils/hasAccessToProject";

-export async function getUserProjectFromId(project_id: string, user: AuthContext | undefined) {
+export async function getUserProjectFromId(project_id: string, user: AuthContext | undefined, allowGuest: boolean = true) {
    if (project_id == LITLYX_PROJECT_ID) {
        const project = await ProjectModel.findOne({ _id: project_id });
        return project;
@@ -11,8 +11,9 @@ export async function getUserProjectFromId(project_id: string, user: AuthContext
        if (!user?.logged) return;
        const project = await ProjectModel.findById(project_id);
        if (!project) return;
-        const hasAccess = await hasAccessToProject(user.id, project_id, project);
+        const [hasAccess, role] = await hasAccessToProject(user.id, project_id, project);
        if (!hasAccess) return;
+        if (role === 'GUEST' && !allowGuest) return false;
        return project;
    }

--- a/dashboard/server/api/ai/[project_id]/send_message.post.ts
+++ b/dashboard/server/api/ai/[project_id]/send_message.post.ts
@@ -10,7 +10,7 @@ export default defineEventHandler(async event => {
    if (!project_id) return;

    const user = getRequestUser(event);
-    const project = await getUserProjectFromId(project_id, user);
+    const project = await getUserProjectFromId(project_id, user, false);
    if (!project) return;

    // if (!user?.logged) return;
--- a/dashboard/server/api/metrics/[project_id]/query.ts
+++ b/dashboard/server/api/metrics/[project_id]/query.ts
@@ -8,8 +8,12 @@ export default defineEventHandler(async event => {
    if (!user?.logged) return;
    const project_id = getRequestProjectId(event);
    if (!project_id) return;
-    const project = await ProjectModel.findOne({ _id: project_id, owner: user.id });
+    const project = await ProjectModel.findOne({ _id: project_id });
    if (!project) return;
+
+    const [hasAccess] = await hasAccessToProject(user.id, project_id, project)
+    if (!hasAccess) return;
+
    const query = getQuery(event);

    const { orderBy, order, page, limit, type } = query;
--- a/dashboard/server/api/pay/[project_id]/invoices.ts
+++ b/dashboard/server/api/pay/[project_id]/invoices.ts
@@ -17,7 +17,7 @@ export default defineEventHandler(async event => {
    if (!project_id) return;

    const user = getRequestUser(event);
-    const project = await getUserProjectFromId(project_id, user);
+    const project = await getUserProjectFromId(project_id, user, false);
    if (!project) return;

    if (!project.customer_id) return [];
--- a/dashboard/server/api/user/set_active_project.ts
+++ b/dashboard/server/api/user/set_active_project.ts
@@ -13,7 +13,7 @@ export default defineEventHandler(async event => {

    const { project_id } = getQuery(event);

-    const hasAccess = await hasAccessToProject(userData.id, project_id as string);
+    const [hasAccess] = await hasAccessToProject(userData.id, project_id as string);

    if (!hasAccess) return setResponseStatus(event, 400, 'No access to project');