budibase/packages/backend-core/src/security/permissions.ts

const { flatten } = require("lodash")
const { cloneDeep } = require("lodash/fp")

export type RoleHierarchy = {
  permissionId: string
}[]

export enum PermissionLevels {
  READ = "read",
  WRITE = "write",
  EXECUTE = "execute",
  ADMIN = "admin",
}

// these are the global types, that govern the underlying default behaviour
export enum PermissionTypes {
  APP = "app",
  TABLE = "table",
  USER = "user",
  AUTOMATION = "automation",
  WEBHOOK = "webhook",
  BUILDER = "builder",
  VIEW = "view",
  QUERY = "query",
}

class Permission {
  type: PermissionTypes
  level: PermissionLevels

  constructor(type: PermissionTypes, level: PermissionLevels) {
    this.type = type
    this.level = level
  }
}

function levelToNumber(perm: PermissionLevels) {
  switch (perm) {
    // not everything has execute privileges
    case PermissionLevels.EXECUTE:
      return 0
    case PermissionLevels.READ:
      return 1
    case PermissionLevels.WRITE:
      return 2
    case PermissionLevels.ADMIN:
      return 3
    default:
      return -1
  }
}

/**
 * Given the specified permission level for the user return the levels they are allowed to carry out.
 * @param {string} userPermLevel The permission level of the user.
 * @return {string[]} All the permission levels this user is allowed to carry out.
 */
function getAllowedLevels(userPermLevel: PermissionLevels) {
  switch (userPermLevel) {
    case PermissionLevels.EXECUTE:
      return [PermissionLevels.EXECUTE]
    case PermissionLevels.READ:
      return [PermissionLevels.EXECUTE, PermissionLevels.READ]
    case PermissionLevels.WRITE:
    case PermissionLevels.ADMIN:
      return [
        PermissionLevels.READ,
        PermissionLevels.WRITE,
        PermissionLevels.EXECUTE,
      ]
    default:
      return []
  }
}

export enum BUILTIN_PERMISSION_IDS {
  PUBLIC = "public",
  READ_ONLY = "read_only",
  WRITE = "write",
  ADMIN = "admin",
  POWER = "power",
}

const BUILTIN_PERMISSIONS = {
  PUBLIC: {
    _id: BUILTIN_PERMISSION_IDS.PUBLIC,
    name: "Public",
    permissions: [
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.EXECUTE),
    ],
  },
  READ_ONLY: {
    _id: BUILTIN_PERMISSION_IDS.READ_ONLY,
    name: "Read only",
    permissions: [
      new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
      new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
    ],
  },
  WRITE: {
    _id: BUILTIN_PERMISSION_IDS.WRITE,
    name: "Read/Write",
    permissions: [
      new Permission(PermissionTypes.QUERY, PermissionLevels.WRITE),
      new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
      new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),
    ],
  },
  POWER: {
    _id: BUILTIN_PERMISSION_IDS.POWER,
    name: "Power",
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),
      new Permission(PermissionTypes.USER, PermissionLevels.READ),
      new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
    ],
  },
  ADMIN: {
    _id: BUILTIN_PERMISSION_IDS.ADMIN,
    name: "Admin",
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.USER, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.AUTOMATION, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
      new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
      new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
    ],
  },
}

export function getBuiltinPermissions() {
  return cloneDeep(BUILTIN_PERMISSIONS)
}

export function getBuiltinPermissionByID(id: string) {
  const perms = Object.values(BUILTIN_PERMISSIONS)
  return perms.find(perm => perm._id === id)
}

export function doesHaveBasePermission(
  permType: PermissionTypes,
  permLevel: PermissionLevels,
  rolesHierarchy: RoleHierarchy
) {
  const basePermissions = [
    ...new Set(rolesHierarchy.map(role => role.permissionId)),
  ]
  const builtins = Object.values(BUILTIN_PERMISSIONS)
  let permissions = flatten(
    builtins
      .filter(builtin => basePermissions.indexOf(builtin._id) !== -1)
      .map(builtin => builtin.permissions)
  )
  for (let permission of permissions) {
    if (
      permission.type === permType &&
      getAllowedLevels(permission.level).indexOf(permLevel) !== -1
    ) {
      return true
    }
  }
  return false
}

export function isPermissionLevelHigherThanRead(level: PermissionLevels) {
  return levelToNumber(level) > 1
}

// utility as a lot of things need simply the builder permission
export const BUILDER = PermissionTypes.BUILDER
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`const { flatten } = require("lodash")`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const { cloneDeep } = require("lodash/fp")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Fixing permission types. 2022-11-17 15:47:52 +01:00			`export type RoleHierarchy = {`
			`permissionId: string`
			`}[]`

			`export enum PermissionLevels {`
			`READ = "read",`
			`WRITE = "write",`
			`EXECUTE = "execute",`
			`ADMIN = "admin",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`}`

Initial work towards rbac. 2021-02-05 16:58:25 +01:00			`// these are the global types, that govern the underlying default behaviour`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`export enum PermissionTypes {`
			`APP = "app",`
			`TABLE = "table",`
			`USER = "user",`
			`AUTOMATION = "automation",`
			`WEBHOOK = "webhook",`
			`BUILDER = "builder",`
			`VIEW = "view",`
			`QUERY = "query",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`class Permission {`
			`type: PermissionTypes`
			`level: PermissionLevels`

			`constructor(type: PermissionTypes, level: PermissionLevels) {`
			`this.type = type`
			`this.level = level`
			`}`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`function levelToNumber(perm: PermissionLevels) {`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-11 14:29:15 +01:00			`switch (perm) {`
			`// not everything has execute privileges`
			`case PermissionLevels.EXECUTE:`
			`return 0`
			`case PermissionLevels.READ:`
			`return 1`
			`case PermissionLevels.WRITE:`
			`return 2`
			`case PermissionLevels.ADMIN:`
			`return 3`
			`default:`
			`return -1`
			`}`
			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`/**`
			`* Given the specified permission level for the user return the levels they are allowed to carry out.`
			`* @param {string} userPermLevel The permission level of the user.`
			`* @return {string[]} All the permission levels this user is allowed to carry out.`
			`*/`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`function getAllowedLevels(userPermLevel: PermissionLevels) {`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`switch (userPermLevel) {`
			`case PermissionLevels.EXECUTE:`
			`return [PermissionLevels.EXECUTE]`
Adding in resource IDs everywhere they should be accessible. 2021-02-08 18:22:07 +01:00			`case PermissionLevels.READ:`
			`return [PermissionLevels.EXECUTE, PermissionLevels.READ]`
			`case PermissionLevels.WRITE:`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`case PermissionLevels.ADMIN:`
			`return [`
			`PermissionLevels.READ,`
			`PermissionLevels.WRITE,`
			`PermissionLevels.EXECUTE,`
			`]`
			`default:`
			`return []`
			`}`
			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`export enum BUILTIN_PERMISSION_IDS {`
			`PUBLIC = "public",`
			`READ_ONLY = "read_only",`
			`WRITE = "write",`
			`ADMIN = "admin",`
			`POWER = "power",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`}`

Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const BUILTIN_PERMISSIONS = {`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-11 19:13:09 +01:00			`PUBLIC: {`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`_id: BUILTIN_PERMISSION_IDS.PUBLIC,`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-11 19:13:09 +01:00			`name: "Public",`
			`permissions: [`
Linting. 2021-02-12 10:55:37 +01:00			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.EXECUTE),`
Flipping RBAC implementation to use levels -> role for resource perms API and resource -> level -> role for full fetch (please note full fetch will only work for resources that have a custom permission in the system somewhere, everything else simply defaults to standard. 2021-02-11 19:13:09 +01:00			`],`
			`},`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`READ_ONLY: {`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`_id: BUILTIN_PERMISSION_IDS.READ_ONLY,`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`name: "Read only",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`permissions: [`
type safe schema validation 2021-01-11 22:01:21 +01:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.READ),`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`new Permission(PermissionTypes.TABLE, PermissionLevels.READ),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
			`],`
			`},`
			`WRITE: {`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`_id: BUILTIN_PERMISSION_IDS.WRITE,`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`name: "Read/Write",`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`permissions: [`
type safe schema validation 2021-01-11 22:01:21 +01:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.WRITE),`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
Add execute automation to basic user / write permission set 2022-05-12 18:35:31 +02:00			`new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`],`
			`},`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`POWER: {`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`_id: BUILTIN_PERMISSION_IDS.POWER,`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`name: "Power",`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`permissions: [`
			`new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),`
			`new Permission(PermissionTypes.USER, PermissionLevels.READ),`
			`new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.READ),`
			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),`
			`],`
			`},`
			`ADMIN: {`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`_id: BUILTIN_PERMISSION_IDS.ADMIN,`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-02 18:08:25 +01:00			`name: "Admin",`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`permissions: [`
			`new Permission(PermissionTypes.TABLE, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.USER, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.AUTOMATION, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),`
			`new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),`
type safe schema validation 2021-01-11 22:01:21 +01:00			`new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`],`
			`},`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`export function getBuiltinPermissions() {`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`return cloneDeep(BUILTIN_PERMISSIONS)`
			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`export function getBuiltinPermissionByID(id: string) {`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const perms = Object.values(BUILTIN_PERMISSIONS)`
Add explicit prettier options 2021-05-04 12:32:22 +02:00			`return perms.find(perm => perm._id === id)`
WIP - storing progress on RBAC changes. 2021-02-11 11:24:37 +01:00			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`export function doesHaveBasePermission(`
			`permType: PermissionTypes,`
			`permLevel: PermissionLevels,`
			`rolesHierarchy: RoleHierarchy`
			`) {`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`const basePermissions = [`
			`...new Set(rolesHierarchy.map(role => role.permissionId)),`
			`]`
Fixing an issue with RBAC, there was a mutable issue where a server builtin resource was getting updated, fixed this by not exposing the mutable structure, instead exposing a function which provides a new object everytime. 2021-02-12 21:34:54 +01:00			`const builtins = Object.values(BUILTIN_PERMISSIONS)`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`let permissions = flatten(`
			`builtins`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`.filter(builtin => basePermissions.indexOf(builtin._id) !== -1)`
Add explicit prettier options 2021-05-04 12:32:22 +02:00			`.map(builtin => builtin.permissions)`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`)`
			`for (let permission of permissions) {`
			`if (`
			`permission.type === permType &&`
			`getAllowedLevels(permission.level).indexOf(permLevel) !== -1`
			`) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

Fixing permission types. 2022-11-17 15:47:52 +01:00			`export function isPermissionLevelHigherThanRead(level: PermissionLevels) {`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-11 14:29:15 +01:00			`return levelToNumber(level) > 1`
Adding in resource IDs everywhere they should be accessible. 2021-02-08 18:22:07 +01:00			`}`

WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00			`// utility as a lot of things need simply the builder permission`
Fixing permission types. 2022-11-17 15:47:52 +01:00			`export const BUILDER = PermissionTypes.BUILDER`