Per-channel analytics should require auth, fixes #287

AmbireTech · Jun 12, 2020 · 427b897 · 427b897
1 parent 47354f4
commit 427b897
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/routes/analytics.js b/routes/analytics.js
@@ -27,7 +27,7 @@ router.get('/for-advertiser', validate, authRequired, notCached(advertiserAnalyt
 router.get('/advanced', validate, authRequired, notCached(advancedAnalytics))
 
 // :id is channelId: needs to be named that way cause of channelIfExists
-router.get('/:id', validate, channelIfExists, redisCached(600, analytics))
+router.get('/:id', validate, authRequired, channelAdvertiserIfExists, redisCached(600, analytics))
 router.get('/for-publisher/:id', validate, authRequired, channelIfExists, notCached(analytics))
 
 const MAX_LIMIT = 500
@@ -156,6 +156,21 @@ function getAdvertiserChannels(req) {
 	return advChannels
 }
 
+function channelAdvertiserIfExists(req, res, next) {
+	const channelsCol = db.getMongo().collection('channels')
+	const uid = req.session.uid
+	channelsCol
+		.countDocuments({ _id: req.params.id, creator: uid }, { limit: 1 })
+		.then(function(n) {
+			if (!n) {
+				res.status(403).json(null)
+			} else {
+				next()
+			}
+		})
+		.catch(next)
+}
+
 function redisCached(seconds, fn) {
 	return function(req, res, next) {
 		const key = `CACHE:${req.originalUrl}`