From 2057fe083bb2988b819a9330905d3e8d118887e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carl-Gerhard=20Lindesva=CC=88rd?=
Date: Thu, 14 Mar 2024 20:39:28 +0100
Subject: [PATCH] dashboard: ensure you only access what you have access to

---
 .../(app)/[organizationId]/[projectId]/layout.tsx | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/apps/dashboard/src/app/(app)/[organizationId]/[projectId]/layout.tsx b/apps/dashboard/src/app/(app)/[organizationId]/[projectId]/layout.tsx
index e1667260..c9c01477 100644
--- a/apps/dashboard/src/app/(app)/[organizationId]/[projectId]/layout.tsx
+++ b/apps/dashboard/src/app/(app)/[organizationId]/[projectId]/layout.tsx
@@ -1,7 +1,9 @@
+import { notFound } from 'next/navigation';
+
 import {
 getCurrentOrganizations,
- getDashboardsByOrganization,
 getDashboardsByProjectId,
+ getProjectsByOrganizationSlug,
 } from '@openpanel/db';
 
 import { LayoutSidebar } from './layout-sidebar';
@@ -18,11 +20,20 @@ export default async function AppLayout({
 children,
 params: { organizationId, projectId },
 }: AppLayoutProps) {
- const [organizations, dashboards] = await Promise.all([
+ const [organizations, projects, dashboards] = await Promise.all([
 getCurrentOrganizations(),
+ getProjectsByOrganizationSlug(organizationId),
 getDashboardsByProjectId(projectId),
 ]);
 
+ if (!organizations.find((item) => item.slug === organizationId)) {
+ return notFound();
+ }
+
+ if (!projects.find((item) => item.id === projectId)) {
+ return notFound();
+ }
+
 return (