Ensure (site) editor role is properly handled in site actions auth
zoldar committed Feb 10, 2025
1 parent ef17f10 commit c591d0f
Showing 17 changed files with 24 additions and 22 deletions.
Expand Up @@ -30,7 +30,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do
user = conn.assigns.current_user

with {:ok, site_id} <- expect_param_key(params, "site_id"),
{:ok, site} <- get_site(user, site_id, [:owner, :admin, :viewer]) do
{:ok, site} <- get_site(user, site_id, [:owner, :admin, :editor, :viewer]) do
page =
site
|> Plausible.Goals.for_site_query()
Expand Down Expand Up @@ -96,7 +96,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do
end

def get_site(conn, %{"site_id" => site_id}) do
case get_site(conn.assigns.current_user, site_id, [:owner, :admin, :viewer]) do
case get_site(conn.assigns.current_user, site_id, [:owner, :admin, :editor, :viewer]) do
{:ok, site} ->
json(conn, %{
domain: site.domain,
Expand All @@ -122,7 +122,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do

def update_site(conn, %{"site_id" => site_id} = params) do
# for now this only allows to change the domain
with {:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin]),
with {:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin, :editor]),
{:ok, site} <- Plausible.Site.Domain.change(site, params["domain"]) do
json(conn, site)
else
Expand All @@ -139,7 +139,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do
def find_or_create_shared_link(conn, params) do
with {:ok, site_id} <- expect_param_key(params, "site_id"),
{:ok, link_name} <- expect_param_key(params, "name"),
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin]) do
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin, :editor]) do
shared_link = Repo.get_by(Plausible.Site.SharedLink, site_id: site.id, name: link_name)

shared_link =
Expand Down Expand Up @@ -173,7 +173,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do
def find_or_create_goal(conn, params) do
with {:ok, site_id} <- expect_param_key(params, "site_id"),
{:ok, _} <- expect_param_key(params, "goal_type"),
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin]),
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin, :editor]),
{:ok, goal} <- Goals.find_or_create(site, params) do
json(conn, goal)
else
Expand All @@ -191,7 +191,7 @@ defmodule PlausibleWeb.Api.ExternalSitesController do
def delete_goal(conn, params) do
with {:ok, site_id} <- expect_param_key(params, "site_id"),
{:ok, goal_id} <- expect_param_key(params, "goal_id"),
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin]),
{:ok, site} <- get_site(conn.assigns.current_user, site_id, [:owner, :admin, :editor]),
:ok <- Goals.delete(goal_id, site) do
json(conn, %{"deleted" => true})
else
3 changes: 2 additions & 1 deletion extra/lib/plausible_web/live/funnel_settings.ex
Expand Up @@ -19,6 +19,7 @@ defmodule PlausibleWeb.Live.FunnelSettings do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
Expand Down Expand Up @@ -110,7 +111,7 @@ defmodule PlausibleWeb.Live.FunnelSettings do
Plausible.Sites.get_for_user!(
socket.assigns.current_user,
socket.assigns.domain,
[:owner, :admin]
[:owner, :admin, :editor]
)

id = String.to_integer(id)
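Review bot: The rewritten role list on line 85, `[:owner, :admin, :editor]`, omits `:super_admin` while the mount's list on lines 73-78 includes it, so a super admin who is not a member of the site can open the funnel settings page but this handler's `get_for_user!` call will not resolve the site for them. If that asymmetry is deliberate (super admins get read-only access to settings), a one-line comment above line 81 such as `# super admins can view but not delete funnels` would stop the next maintainer from "fixing" it; if it is not deliberate, the list should be `[:owner, :admin, :editor, :super_admin]`. The handler this call sits in starts and ends outside the hunk, so I cannot see whether the result is used in a way that tolerates the raise.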
1 change: 1 addition & 0 deletions extra/lib/plausible_web/live/funnel_settings/form.ex
Expand Up @@ -16,6 +16,7 @@ defmodule PlausibleWeb.Live.FunnelSettings.Form do
Plausible.Sites.get_for_user!(socket.assigns.current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])

15 changes: 2 additions & 13 deletions lib/plausible/sites.ex
Expand Up @@ -313,9 +313,7 @@ defmodule Plausible.Sites do
locked
end

def get_for_user!(user, domain, roles \\ [:owner, :admin, :viewer]) do
roles = translate_roles(roles)

def get_for_user!(user, domain, roles \\ [:owner, :admin, :editor, :viewer]) do
site =
if :super_admin in roles and Plausible.Auth.is_super_admin?(user.id) do
get_by_domain!(domain)
Expand All @@ -328,9 +326,7 @@ defmodule Plausible.Sites do
Repo.preload(site, :team)
end

def get_for_user(user, domain, roles \\ [:owner, :admin, :viewer]) do
roles = translate_roles(roles)

def get_for_user(user, domain, roles \\ [:owner, :admin, :editor, :viewer]) do
if :super_admin in roles and Plausible.Auth.is_super_admin?(user.id) do
get_by_domain(domain)
else
Expand All @@ -340,13 +336,6 @@ defmodule Plausible.Sites do
end
end

defp translate_roles(roles) do
Enum.map(roles, fn
:admin -> :editor
role -> role
end)
end

defp get_for_user_query(user_id, domain, roles) do
roles = Enum.map(roles, &to_string/1)

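Review bot: With `translate_roles/1` removed, an atom in `roles` is no longer normalised before `get_for_user_query/3` stringifies it on line 137, so a caller this commit missed that still passes `[:owner, :admin]` to mean "site editors" now silently drops editor access, and any misspelt or stale role atom becomes a string that presumably never matches a stored role rather than an error. Because these two functions are the authorization gate for site settings, I would fail loudly on unknown roles instead of letting them degrade into a narrower permission set; the default lists on lines 110 and 121 then double as the single source of truth. The `get_for_user_query/3` body and the `else` branches are outside the hunk, so I am assuming the string comparison happens there.
```elixir
@site_roles [:owner, :admin, :editor, :viewer, :super_admin]

# Reject role atoms that no longer exist so a stale caller cannot silently
# narrow (or widen) the permission check by passing an unmapped atom.
defp validate_roles!(roles) do
  case Enum.reject(roles, &(&1 in @site_roles)) do
    [] -> roles
    unknown -> raise ArgumentError, "unknown site roles: #{inspect(unknown)}"
  end
end

def get_for_user!(user, domain, roles \\ [:owner, :admin, :editor, :viewer]) do
  roles = validate_roles!(roles)
  # … unchanged: super_admin short-circuit and query …
end

def get_for_user(user, domain, roles \\ [:owner, :admin, :editor, :viewer]) do
  roles = validate_roles!(roles)
  # … unchanged: super_admin short-circuit and query …
end
```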
Expand Up @@ -3,7 +3,7 @@ defmodule PlausibleWeb.Site.MembershipController do
This controller deals with user management via the UI in Site Settings -> People. It's important to enforce permissions in this controller.
Owner - Can manage users, can trigger a 'transfer ownership' request
Admin - Can manage users
Admin and Editor - Can manage users
Viewer - Can not access user management settings
Anyone - Can accept invitations
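Review bot: Line 145 now documents that editors can manage users, but this section changes only the moduledoc; the enforcement the same doc calls "important" lives in this controller's plugs or role checks, which are outside the hunk and not visible here, so please confirm they accept `:editor` alongside `:admin` or the doc will overstate what an editor can do. Since this commit makes `:admin` and `:editor` distinct roles rather than aliases, I would also pin the doc to the atoms the checks use, e.g. `Admin (:admin) and Editor (:editor) - Can manage users`, so a future role rename has to touch both.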
2 changes: 1 addition & 1 deletion lib/plausible_web/live/goal_settings.ex
Expand Up @@ -16,7 +16,7 @@ defmodule PlausibleWeb.Live.GoalSettings do
socket
|> assign_new(:site, fn %{current_user: current_user} ->
current_user
|> Plausible.Sites.get_for_user!(domain, [:owner, :admin, :super_admin])
|> Plausible.Sites.get_for_user!(domain, [:owner, :admin, :editor, :super_admin])
end)
|> assign_new(:all_goals, fn %{site: site} ->
Goals.for_site(site, preload_funnels?: true)
1 change: 1 addition & 0 deletions lib/plausible_web/live/imports_exports_settings.ex
Expand Up @@ -18,6 +18,7 @@ defmodule PlausibleWeb.Live.ImportsExportsSettings do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/installation.ex
Expand Up @@ -35,6 +35,7 @@ defmodule PlausibleWeb.Live.Installation do
Plausible.Sites.get_for_user!(socket.assigns.current_user, domain, [
:owner,
:admin,
:editor,
:super_admin,
:viewer
])
1 change: 1 addition & 0 deletions lib/plausible_web/live/plugins/api/settings.ex
Expand Up @@ -14,6 +14,7 @@ defmodule PlausibleWeb.Live.Plugins.API.Settings do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/plugins/api/token_form.ex
Expand Up @@ -22,6 +22,7 @@ defmodule PlausibleWeb.Live.Plugins.API.TokenForm do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
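Review bot: The list on lines 197-202 decides who may mint Plugins API tokens, i.e. long-lived credentials, and it is a literal repeated in every settings LiveView touched by this commit; the commit itself is evidence of how such copies drift, since it exists to add `:editor` to each of them by hand. I would have `Plausible.Sites` export the canonical write-capable set and call `Plausible.Sites.get_for_user!(current_user, domain, Plausible.Sites.settings_roles())` here, so that adding or renaming a role is a one-place change rather than a 17-file sweep that can miss an endpoint. Whether editors should be able to create tokens at all is a product decision I cannot judge from this hunk, but it is worth a sentence in the commit message since the token outlives the membership that created it, if that is how tokens behave here.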
1 change: 1 addition & 0 deletions lib/plausible_web/live/props_settings.ex
Expand Up @@ -14,6 +14,7 @@ defmodule PlausibleWeb.Live.PropsSettings do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/props_settings/form.ex
Expand Up @@ -21,6 +21,7 @@ defmodule PlausibleWeb.Live.PropsSettings.Form do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/shields/countries.ex
Expand Up @@ -17,6 +17,7 @@ defmodule PlausibleWeb.Live.Shields.Countries do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/shields/hostnames.ex
Expand Up @@ -13,6 +13,7 @@ defmodule PlausibleWeb.Live.Shields.Hostnames do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/shields/ip_addresses.ex
Expand Up @@ -20,6 +20,7 @@ defmodule PlausibleWeb.Live.Shields.IPAddresses do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/shields/pages.ex
Expand Up @@ -13,6 +13,7 @@ defmodule PlausibleWeb.Live.Shields.Pages do
Plausible.Sites.get_for_user!(current_user, domain, [
:owner,
:admin,
:editor,
:super_admin
])
end)
1 change: 1 addition & 0 deletions lib/plausible_web/live/verification.ex
Expand Up @@ -21,6 +21,7 @@ defmodule PlausibleWeb.Live.Verification do
Plausible.Sites.get_for_user!(socket.assigns.current_user, domain, [
:owner,
:admin,
:editor,
:super_admin,
:viewer
])
