budibase/packages/server/src/middleware/authorized.ts

133 lines
3.8 KiB
TypeScript
Raw Normal View History

import {
getUserRoleHierarchy,
getRequiredResourceRole,
BUILTIN_ROLE_IDS,
} from "@budibase/backend-core/roles"
const {
2022-11-17 15:59:18 +01:00
PermissionType,
PermissionLevel,
doesHaveBasePermission,
} = require("@budibase/backend-core/permissions")
const builderMiddleware = require("./builder")
const { isWebhookEndpoint } = require("./utils")
2022-01-25 23:54:50 +01:00
const { buildCsrfMiddleware } = require("@budibase/backend-core/auth")
const { getAppId } = require("@budibase/backend-core/context")
function hasResource(ctx: any) {
return ctx.resourceId != null
}
2022-01-25 23:54:50 +01:00
const csrf = buildCsrfMiddleware()
/**
* Apply authorization to the requested resource:
* - If this is a builder resource the user must be a builder.
* - Builders can access all resources.
* - Otherwise the user must have the required role.
*/
const checkAuthorized = async (
ctx: any,
resourceRoles: any,
permType: any,
permLevel: any
) => {
2022-01-25 23:54:50 +01:00
// check if this is a builder api and the user is not a builder
const isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
2022-11-17 15:59:18 +01:00
const isBuilderApi = permType === PermissionType.BUILDER
2022-01-25 23:54:50 +01:00
if (isBuilderApi && !isBuilder) {
return ctx.throw(403, "Not Authorized")
}
// check for resource authorization
if (!isBuilder) {
await checkAuthorizedResource(ctx, resourceRoles, permType, permLevel)
}
}
const checkAuthorizedResource = async (
ctx: any,
resourceRoles: any,
permType: any,
permLevel: any
2022-01-25 23:54:50 +01:00
) => {
// get the user's roles
const roleId = ctx.roleId || BUILTIN_ROLE_IDS.PUBLIC
const userRoles = (await getUserRoleHierarchy(roleId, {
2022-01-25 23:54:50 +01:00
idOnly: false,
})) as { _id: string }[]
2022-01-25 23:54:50 +01:00
const permError = "User does not have permission"
// check if the user has the required role
if (resourceRoles.length > 0) {
// deny access if the user doesn't have the required resource role
const found = userRoles.find(
(role: any) => resourceRoles.indexOf(role._id) !== -1
)
2022-01-25 23:54:50 +01:00
if (!found) {
ctx.throw(403, permError)
}
// fallback to the base permissions when no resource roles are found
} else if (!doesHaveBasePermission(permType, permLevel, userRoles)) {
ctx.throw(403, permError)
}
}
export = (permType: any, permLevel: any = null, opts = { schema: false }) =>
async (ctx: any, next: any) => {
2021-06-15 20:39:40 +02:00
// webhooks don't need authentication, each webhook unique
// also internal requests (between services) don't need authorized
if (isWebhookEndpoint(ctx) || ctx.internal) {
2021-06-15 20:39:40 +02:00
return next()
}
2020-10-12 12:57:37 +02:00
2021-06-15 20:39:40 +02:00
if (!ctx.user) {
return ctx.throw(403, "No user info found")
}
2020-06-18 17:59:31 +02:00
2021-06-15 20:39:40 +02:00
// check general builder stuff, this middleware is a good way
// to find API endpoints which are builder focused
await builderMiddleware(ctx, permType)
2020-05-27 18:23:01 +02:00
2022-01-25 23:54:50 +01:00
// get the resource roles
2022-04-13 22:13:01 +02:00
let resourceRoles: any = []
let otherLevelRoles: any = []
const otherLevel =
2022-11-17 15:59:18 +01:00
permLevel === PermissionLevel.READ
? PermissionLevel.WRITE
: PermissionLevel.READ
const appId = getAppId()
if (appId && hasResource(ctx)) {
resourceRoles = await getRequiredResourceRole(permLevel, ctx)
if (opts && opts.schema) {
otherLevelRoles = await getRequiredResourceRole(otherLevel, ctx)
}
2021-06-15 20:39:40 +02:00
}
2022-01-25 23:54:50 +01:00
// if the resource is public, proceed
if (
resourceRoles.includes(BUILTIN_ROLE_IDS.PUBLIC) ||
(otherLevelRoles && otherLevelRoles.includes(BUILTIN_ROLE_IDS.PUBLIC))
) {
2022-01-25 23:54:50 +01:00
return next()
2021-06-15 20:39:40 +02:00
}
2020-05-27 18:23:01 +02:00
2022-01-25 23:54:50 +01:00
// check authenticated
if (!ctx.isAuthenticated) {
return ctx.throw(403, "Session not authenticated")
2021-06-15 20:39:40 +02:00
}
try {
// check authorized
await checkAuthorized(ctx, resourceRoles, permType, permLevel)
} catch (err) {
// this is a schema, check if
if (opts && opts.schema && permLevel) {
await checkAuthorized(ctx, otherLevelRoles, permType, otherLevel)
} else {
throw err
}
}
2022-01-25 23:54:50 +01:00
// csrf protection
return csrf(ctx, next)
2021-06-15 20:39:40 +02:00
}