From 49b78d687c1f670001c3b24136d7c783d076107a Mon Sep 17 00:00:00 2001
From: Hrishikesh Patil
Date: Fri, 6 Sep 2024 10:48:30 +0530
Subject: [PATCH] Make sure admin server actions are authenticated

Signed-off-by: Hrishikesh Patil
---
 src/actions/admin.ts | 85 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 82 insertions(+), 3 deletions(-)

diff --git a/src/actions/admin.ts b/src/actions/admin.ts
index 701fc69..c3c2e59 100644
--- a/src/actions/admin.ts
+++ b/src/actions/admin.ts
@@ -1,9 +1,25 @@
 "use server";
 
+import { auth } from "@/auth";
 import { db } from "@/db";
 import { redirect } from "next/navigation";
 
 export async function getAllUsers() {
+ const user = await auth();
+ if (!user || !user.user) {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ } else {
+ const dbUser = await db.user.findFirst({ where: { id: user.user.id } });
+ if (dbUser && dbUser.level !== "ADMIN") {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ }
+ }
 return db.user.findMany({
 include: {
 Links: true,
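Review bot: The admin test in getAllUsers fails open: `if (dbUser && dbUser.level !== "ADMIN")` denies only when a user row was found, so a valid session whose id has no matching row (deleted account, stale cookie) falls through to the `db.user.findMany` that returns every user with their links. Invert it so a missing row is a denial: `if (!dbUser || dbUser.level !== "ADMIN") {`. Separately, if `db` is a Prisma client (the `findFirst`/`include` API suggests so) and `user.user.id` can be undefined for this session shape, Prisma drops undefined fields from `where`, so the lookup would match an arbitrary first user; check the id explicitly before querying. getAllUsers's body continues past the end of the hunk.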
@@ -12,14 +28,47 @@ export async function getAllUsers() {
 }
 
 export async function editUser(id: string, linkLimit: number) {
- const user = await db.user.findFirst({ where: { id } });
- if (!user) return -1;
- const newUser = await db.user.update({ where: { id }, data: { linkLimit } });
+ const user = await auth();
+ if (!user || !user.user) {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ } else {
+ const dbUser = await db.user.findFirst({ where: { id: user.user.id } });
+ if (dbUser && dbUser.level !== "ADMIN") {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ }
+ }
+ const editUser = await db.user.findFirst({ where: { id } });
+ if (!editUser) return -1;
+ const newUser = await db.user.update({
+ where: { id },
+ data: { linkLimit },
+ });
 newUser.linkLimit;
 redirect("/admin/dashboard");
 }
 
 export async function getAllLinks() {
+ const user = await auth();
+ if (!user || !user.user) {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ } else {
+ const dbUser = await db.user.findFirst({ where: { id: user.user.id } });
+ if (dbUser && dbUser.level !== "ADMIN") {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ }
+ }
 return db.link.findMany({
 include: {
 User: true,
@@ -38,6 +87,21 @@ export async function modifyLink(
 disabledMessage: string,
 disabled: boolean
 ) {
+ const user = await auth();
+ if (!user || !user.user) {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ } else {
+ const dbUser = await db.user.findFirst({ where: { id: user.user.id } });
+ if (dbUser && dbUser.level !== "ADMIN") {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ }
+ }
 const link = await db.link.findFirst({
 where: { id: shortCode.toLowerCase() },
 });
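Review bot: The fifteen-line session-and-role check is pasted verbatim into editUser and getAllLinks here (and into every other action in this patch), so any fix to it — including the fail-open `dbUser &&` condition, which lets a session with no matching user row through — has to be made five times. Extract it once into a non-exported `requireAdmin()` helper in this module (Next.js only requires that the exports of a "use server" file be async functions, so a private helper and constant are allowed) and have each action start with `const denied = await requireAdmin(); if (denied) return denied;`. While touching editUser, drop the no-op expression statement `newUser.linkLimit;`, which the new side keeps. getAllLinks's body continues past the end of the hunk.
```typescript
const UNAUTHORISED = {
  _form: "You are not admin!",
  _formError: "UNAUTHORISED",
};

// Returns the error object callers already expect when there is no session,
// the session has no user id, the user row is missing, or the row is not
// ADMIN; returns null when the caller may proceed. Fails closed.
async function requireAdmin() {
  const session = await auth();
  const userId = session?.user?.id;
  if (!userId) return UNAUTHORISED;
  const dbUser = await db.user.findFirst({ where: { id: userId } });
  if (!dbUser || dbUser.level !== "ADMIN") return UNAUTHORISED;
  return null;
}

export async function editUser(id: string, linkLimit: number) {
  const denied = await requireAdmin();
  if (denied) return denied;
  // … unchanged: findFirst on id, update linkLimit, redirect …
}
```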
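Review bot: In modifyLink the `} else {` following an `if` branch that always returns adds a nesting level for nothing; flatten it so the role check reads as a second guard clause: `const dbUser = await db.user.findFirst({ where: { id: user.user.id } });` followed by `if (!dbUser || dbUser.level !== "ADMIN") return { _form: "You are not admin!", _formError: "UNAUTHORISED" };`. Note the negated `!dbUser ||` in that line: as written, a session whose user row is missing passes the check and reaches the link update. modifyLink's signature starts before the hunk and its body continues after it.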
@@ -50,6 +114,21 @@ export async function modifyLink(
 }
 
 export async function deleteReports(shortCode: string) {
+ const user = await auth();
+ if (!user || !user.user) {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ } else {
+ const dbUser = await db.user.findFirst({ where: { id: user.user.id } });
+ if (dbUser && dbUser.level !== "ADMIN") {
+ return {
+ _form: "You are not admin!",
+ _formError: "UNAUTHORISED",
+ };
+ }
+ }
 await db.report.deleteMany({
 where: { linkId: shortCode },
 });
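Review bot: deleteReports now returns the `{ _form, _formError }` object on denial instead of throwing, so a caller that does `await deleteReports(code)` and ignores the result (plausible for a delete button; the callers are not in this patch) would carry on as if the reports were removed. Either throw on denial or document the contract with a TSDoc comment on the function, e.g. `/** Deletes every report for shortCode. Returns the { _form, _formError } object and deletes nothing when the caller is not an ADMIN. */`. A rejected attempt to reach an admin action is also worth a log line before the early return, such as `console.warn("deleteReports denied", { userId: user?.user?.id })`, unless the project has a structured logger. The same `dbUser && dbUser.level !== "ADMIN"` condition is used here and passes when no user row exists, so the deletion would run for such a session.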