fix: metrics admin only (#863)

2025-12-12 07:40:45 -08:00 · 2025-08-25 14:36:49 -07:00
parent 24ad601e2a
commit f75020b115
3 changed files with 28 additions and 0 deletions
--- a/src/client/pages/dashboard/metrics.tsx
+++ b/src/client/pages/dashboard/metrics.tsx
@@ -1,5 +1,23 @@
 import DashboardMetrics from '@/components/pages/metrics';
 import { useTitle } from '@/lib/hooks/useTitle';
+import { isAdministrator } from '@/lib/role';
+import { redirect } from 'react-router-dom';
+
+export async function loader() {
+  const configRes = await fetch('/api/server/public');
+  if (!configRes.ok) throw new Error('Failed to get public configuration');
+
+  const config = await configRes.json();
+  if (config.features.metrics?.adminOnly) {
+    const res = await fetch('/api/user');
+    if (!res.ok) return redirect('/auth/login');
+
+    const { user } = await res.json();
+    if (!isAdministrator(user.role)) return redirect('/dashboard');
+  }
+
+  return {};
+}

 export function Component() {
  useTitle('Metrics');
--- a/src/server/routes/api/server/public.ts
+++ b/src/server/routes/api/server/public.ts
@@ -26,6 +26,9 @@ export type ApiServerPublicResponse = {
  features: {
    oauthRegistration: boolean;
    userRegistration: boolean;
+    metrics?: {
+      adminOnly?: boolean;
+    };
  };
  mfa: {
    passkeys: boolean;
@@ -78,6 +81,10 @@ export default fastifyPlugin(
        domains: config.domains,
      };

+      if (config.features.metrics.adminOnly) {
+        response.features.metrics = { adminOnly: true };
+      }
+
      if (config.website.tos) {
        try {
          if (tosCache === null) {
--- a/src/server/routes/api/stats.ts
+++ b/src/server/routes/api/stats.ts
@@ -1,6 +1,7 @@
 import { config } from '@/lib/config';
 import { prisma } from '@/lib/db';
 import { Metric } from '@/lib/db/models/metric';
+import { isAdministrator } from '@/lib/role';
 import { userMiddleware } from '@/server/middleware/user';
 import fastifyPlugin from 'fastify-plugin';

@@ -18,6 +19,8 @@ export default fastifyPlugin(
    server.get<{ Querystring: Query }>(PATH, { preHandler: [userMiddleware] }, async (req, res) => {
      if (!config.features.metrics) return res.forbidden('metrics are disabled');

+      if (config.features.metrics.adminOnly && !isAdministrator(req.user.role)) return res.forbidden('admin only');
+
      const { from, to, all } = req.query;

      const fromDate = from ? new Date(from) : new Date(Date.now() - 86400000 * 7); // defaults to a week ago