Fix security issue (vercel#54)

Fixed a security issue where a user can edit another user's site/posts
kempsterrrr · Feb 6, 2022 · 6b3e2d4 · 6b3e2d4
1 parent 67af585
commit 6b3e2d4
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 14 deletions.
diff --git a/pages/api/post.js b/pages/api/post.js
@@ -14,9 +14,14 @@ export default async function post(req, res) {
       const { postId, siteId, published } = req.query;
       if (postId) {
         // get individual post
-        const post = await prisma.post.findUnique({
+        const post = await prisma.post.findFirst({
           where: {
             id: postId,
+            site: {
+              user: {
+                id: session.user.id,
+              },
+            },
           },
           include: {
             site: true,
@@ -25,22 +30,27 @@ export default async function post(req, res) {
         res.status(200).json(post);
       } else {
         // get all posts
-        const posts = await prisma.post.findMany({
-          where: {
-            site: {
-              id: siteId,
-            },
-            published: JSON.parse(published),
-          },
-          orderBy: {
-            createdAt: "desc",
-          },
-        });
         const site = await prisma.site.findFirst({
           where: {
             id: siteId,
+            user: {
+              id: session.user.id,
+            },
           },
         });
+        const posts = !site
+          ? []
+          : await prisma.post.findMany({
+              where: {
+                site: {
+                  id: siteId,
+                },
+                published: JSON.parse(published),
+              },
+              orderBy: {
+                createdAt: "desc",
+              },
+            });
         res.status(200).json({ posts, site });
       }
       return;

diff --git a/pages/api/site.js b/pages/api/site.js
@@ -11,13 +11,16 @@ export default async function site(req, res) {
 
   switch (req.method) {
     case "GET": {
-      const { sessionId, siteId } = req.query;
+      const { siteId } = req.query;
       if (siteId) {
         // get individual site
         const { siteId } = req.query;
-        const settings = await prisma.site.findUnique({
+        const settings = await prisma.site.findFirst({
           where: {
             id: siteId,
+            user: {
+              id: session.user.id,
+            },
           },
         });
         res.status(200).json(settings);