| author | Dhravya <[email protected]> | 2024-07-01 21:04:31 -0500 |
|---|---|---|
| committer | Dhravya <[email protected]> | 2024-07-01 21:04:31 -0500 |
| commit | 39a62e783cffcdc996ecd2b592cc6ee58249b7f8 (patch) | |
| tree | 252c771a7d968655eb43d51c1df97f2e005bed07 | |
| parent | shareable spaces (diff) | |
fix access controls
| -rw-r--r-- | apps/web/app/(dash)/(memories)/space/[spaceid]/page.tsx | 14 | ||||
| -rw-r--r-- | apps/web/app/actions/fetchers.ts | 60 |
2 files changed, 49 insertions, 25 deletions
diff --git a/apps/web/app/(dash)/(memories)/space/[spaceid]/page.tsx b/apps/web/app/(dash)/(memories)/space/[spaceid]/page.tsx
index 759519cb..99999f8b 100644
--- a/apps/web/app/(dash)/(memories)/space/[spaceid]/page.tsx
+++ b/apps/web/app/(dash)/(memories)/space/[spaceid]/page.tsx
@@ -4,15 +4,23 @@ import MemoriesPage from "../../content";
 import { db } from "@/server/db";
 import { and, eq } from "drizzle-orm";
 import { spacesAccess } from "@/server/db/schema";
+import { auth } from "@/server/auth";
 async function Page({ params: { spaceid } }: { params: { spaceid: number } }) {
- const { success, data } = await getMemoriesInsideSpace(spaceid);
- if (!success ?? !data) return redirect("/home");
+ const user = await auth();
 const hasAccess = await db.query.spacesAccess.findMany({
- where: and(eq(spacesAccess.spaceId, spaceid)),
+ where: and(
+ eq(spacesAccess.spaceId, spaceid),
+ eq(spacesAccess.userEmail, user?.user!.email!),
+ ),
 });
+ if (!hasAccess) return redirect("/home");
+
+ const { success, data } = await getMemoriesInsideSpace(spaceid);
+ if (!success ?? !data) return redirect("/home");
+
 return (
 <MemoriesPage
 memoriesAndSpaces={{ memories: data.memories, spaces: [] }}
diff --git a/apps/web/app/actions/fetchers.ts b/apps/web/app/actions/fetchers.ts
index 1541e4ee..f21a942d 100644
--- a/apps/web/app/actions/fetchers.ts
+++ b/apps/web/app/actions/fetchers.ts
@@ -1,6 +1,6 @@
 "use server";
-import { and, asc, eq, inArray, not, or, sql } from "drizzle-orm";
+import { and, asc, eq, exists, inArray, not, or, sql } from "drizzle-orm";
 import { db } from "../../server/db";
 import { canvas, 
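Review bot: The added guard `if (!hasAccess) return redirect("/home");` never fires, because `findMany` resolves to an array and an empty array is truthy, so a caller with no spacesAccess row for this space still proceeds to getMemoriesInsideSpace; the check has to be `if (hasAccess.length === 0) return redirect("/home");`. Note that this page-level query only knows about shared-access rows, while the space owner has no such row — once the guard actually works, the owner check that getMemoriesInsideSpace performs on space.user must be mirrored here or owners will be locked out of their own spaces. `user?.user!.email!` evaluates to undefined when auth() returns null and that undefined then reaches eq(); an explicit `if (!user?.user?.email) return redirect("/signin");` before the query removes both non-null assertions and the ill-formed condition. On the re-added line `if (!success ?? !data)`, `!success` is a boolean and never nullish, so `!data` is unreachable and `||` is the intended operator. The rest of Page's JSX lies outside the hunk.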
@@ -82,46 +82,62 @@ export const getMemoriesInsideSpace = async (
 ): ServerActionReturnType<{ memories: Content[]; spaces: StoredSpace[] }> => {
 const data = await auth();
- if (!data || !data.user) {
- redirect("/signin");
+ if (!data || !data.user || !data.user.email) {
 return { error: "Not authenticated", success: false };
 }
- const memories = await db
+ const spaces = await db
 .select()
- .from(storedContent)
+ .from(space)
 .where(
 and(
- inArray(
- storedContent.id,
- db
- .select({ contentId: contentToSpace.contentId })
- .from(contentToSpace)
- .where(eq(contentToSpace.spaceId, spaceId)),
- ),
+ eq(space.id, spaceId),
 or(
- eq(storedContent.userId, data.user.id!),
- eq(
+ eq(space.user, data.user.id!),
+ exists(
 db
- .select({ userId: spacesAccess.userEmail })
+ .select()
 .from(spacesAccess)
- .where(eq(spacesAccess.spaceId, spaceId)),
- data.user.email,
+ .where(
+ and(
+ eq(spacesAccess.spaceId, space.id),
+ eq(spacesAccess.userEmail, data.user.email),
+ ),
+ ),
 ),
 ),
 ),
 )
- .execute();
+ .limit(1);
- const queriedSpace = await db.query.space.findFirst({
- where: and(eq(users, data.user.id), eq(space.id, spaceId)),
- });
+ const memories = await db
+ .select({
+ id: storedContent.id,
+ content: storedContent.content,
+ title: storedContent.title,
+ description: storedContent.description,
+ url: storedContent.url,
+ savedAt: storedContent.savedAt,
+ baseUrl: storedContent.baseUrl,
+ ogImage: storedContent.ogImage,
+ type: storedContent.type,
+ image: storedContent.image,
+ userId: storedContent.userId,
+ noteId: storedContent.noteId,
+ })
+ .from(storedContent)
+ .innerJoin(contentToSpace, eq(storedContent.id, contentToSpace.contentId))
+ .where(eq(contentToSpace.spaceId, spaceId));
+
+ if (spaces.length === 0) {
+ return { error: "Not authorized", success: false };
+ }
 return {
 success: true,
 data: {
 memories: memories,
- spaces: queriedSpace ? [queriedSpace] : [],
+ spaces: spaces,
 },
 };
 };
|
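Review bot: The authorization result is consulted only after the content has already been read: the `spaces` query establishes whether the caller owns or was granted the space, but the full storedContent/contentToSpace select for `spaceId` runs before `if (spaces.length === 0)` rejects them. Move the three lines `if (spaces.length === 0) { return { error: "Not authorized", success: false }; }` directly below the `.limit(1);` query so an unauthorized request never touches the content table; the two queries are independent and the value returned to authorized callers is unchanged. The widened guard `!data || !data.user || !data.user.email` still leaves `data.user.id!` as a bare non-null assertion on the owner branch; adding `|| !data.user.id` to the guard lets the `!` go and keeps the owner comparison from ever running against an undefined id. The function's signature begins above the hunk.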