budibase/packages/server/src/api/controllers/public/users.ts

import {
  allGlobalUsers,
  deleteGlobalUser,
  readGlobalUser,
  saveGlobalUser,
} from "../../../utilities/workerRequests"
import { publicApiUserFix } from "../../../utilities/users"
import { db as dbCore } from "@budibase/backend-core"
import { search as stringSearch } from "./utils"
import { UserCtx, User } from "@budibase/types"
import { Next } from "koa"
import { sdk } from "@budibase/pro"
import { isEqual, cloneDeep } from "lodash"

function rolesRemoved(base: User, ctx: UserCtx) {
  return (
    !isEqual(base.builder, ctx.request.body.builder) ||
    !isEqual(base.admin, ctx.request.body.admin) ||
    !isEqual(base.roles, ctx.request.body.roles)
  )
}

const NO_ROLES_MSG =
  "Roles/admin/builder can only be set on business/enterprise licenses - input ignored."

async function createUpdateResponse(ctx: UserCtx, user?: User) {
  const base = cloneDeep(ctx.request.body)
  ctx = await sdk.publicApi.users.roleCheck(ctx, user)
  // check the ctx before any updates to it
  const removed = rolesRemoved(base, ctx)
  ctx = publicApiUserFix(ctx)
  const response = await saveGlobalUser(ctx)
  ctx.body = await getUser(ctx, response._id)
  if (removed) {
    ctx.extra = { message: NO_ROLES_MSG }
  }
  return ctx
}

function isLoggedInUser(ctx: UserCtx, user: User) {
  const loggedInId = ctx.user?._id
  const globalUserId = dbCore.getGlobalIDFromUserMetadataID(loggedInId!)
  // check both just incase
  return globalUserId === user._id || loggedInId === user._id
}

function getUser(ctx: UserCtx, userId?: string) {
  if (userId) {
    ctx.params = { userId }
  } else if (!ctx.params?.userId) {
    throw "No user ID provided for getting"
  }
  return readGlobalUser(ctx)
}

export async function search(ctx: UserCtx, next: Next) {
  const { name } = ctx.request.body
  const users = await allGlobalUsers(ctx)
  ctx.body = stringSearch(users, name, "email")
  await next()
}

export async function create(ctx: UserCtx, next: Next) {
  await createUpdateResponse(ctx)
  await next()
}

export async function read(ctx: UserCtx, next: Next) {
  ctx.body = await readGlobalUser(ctx)
  await next()
}

export async function update(ctx: UserCtx, next: Next) {
  const user = await readGlobalUser(ctx)
  ctx.request.body = {
    ...ctx.request.body,
    _rev: user._rev,
  }
  await createUpdateResponse(ctx, user)
  await next()
}

export async function destroy(ctx: UserCtx, next: Next) {
  const user = await getUser(ctx)
  // disallow deleting yourself
  if (isLoggedInUser(ctx, user)) {
    ctx.throw(405, "Cannot delete user using its own API key.")
  }
  await deleteGlobalUser(ctx)
  ctx.body = user
  await next()
}

export default {
  create,
  read,
  update,
  destroy,
  search,
}
Users implementation added. 2022-02-25 20:00:12 +01:00			`import {`
			`allGlobalUsers,`
Updating summaries, adding descriptions, wrapping responses with generic wrapper 'data'. 2022-03-01 15:37:35 +01:00			`deleteGlobalUser,`
Users implementation added. 2022-02-25 20:00:12 +01:00			`readGlobalUser,`
			`saveGlobalUser,`
			`} from "../../../utilities/workerRequests"`
Improving performance of load script, can generate thousands of users a second. 2022-05-22 19:29:02 +02:00			`import { publicApiUserFix } from "../../../utilities/users"`
Fix for #7732 - as well as some tests for it, make sure that it is working as expected. 2022-12-06 18:20:26 +01:00			`import { db as dbCore } from "@budibase/backend-core"`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`import { search as stringSearch } from "./utils"`
Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`import { UserCtx, User } from "@budibase/types"`
			`import { Next } from "koa"`
Adding pro integration. 2023-08-15 15:19:36 +02:00			`import { sdk } from "@budibase/pro"`
Adding message to let user know why roles have been ignored, as well as adding test case for this. 2023-09-20 13:13:10 +02:00			`import { isEqual, cloneDeep } from "lodash"`

			`function rolesRemoved(base: User, ctx: UserCtx) {`
			`return (`
			`!isEqual(base.builder, ctx.request.body.builder) \|\|`
			`!isEqual(base.admin, ctx.request.body.admin) \|\|`
			`!isEqual(base.roles, ctx.request.body.roles)`
			`)`
			`}`

			`const NO_ROLES_MSG =`
			`"Roles/admin/builder can only be set on business/enterprise licenses - input ignored."`

			`async function createUpdateResponse(ctx: UserCtx, user?: User) {`
			`const base = cloneDeep(ctx.request.body)`
			`ctx = await sdk.publicApi.users.roleCheck(ctx, user)`
			`// check the ctx before any updates to it`
			`const removed = rolesRemoved(base, ctx)`
			`ctx = publicApiUserFix(ctx)`
			`const response = await saveGlobalUser(ctx)`
			`ctx.body = await getUser(ctx, response._id)`
			`if (removed) {`
			`ctx.extra = { message: NO_ROLES_MSG }`
			`}`
			`return ctx`
			`}`
Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00
			`function isLoggedInUser(ctx: UserCtx, user: User) {`
Fix for #7732 - as well as some tests for it, make sure that it is working as expected. 2022-12-06 18:20:26 +01:00			`const loggedInId = ctx.user?._id`
Fix for CI build failure. 2022-12-06 19:23:55 +01:00			`const globalUserId = dbCore.getGlobalIDFromUserMetadataID(loggedInId!)`
Fix for #7732 - as well as some tests for it, make sure that it is working as expected. 2022-12-06 18:20:26 +01:00			`// check both just incase`
			`return globalUserId === user._id \|\| loggedInId === user._id`
			`}`

Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`function getUser(ctx: UserCtx, userId?: string) {`
Users implementation added. 2022-02-25 20:00:12 +01:00			`if (userId) {`
Adding test cases for user implementation with mocks. 2022-02-25 20:01:17 +01:00			`ctx.params = { userId }`
Users implementation added. 2022-02-25 20:00:12 +01:00			`} else if (!ctx.params?.userId) {`
			`throw "No user ID provided for getting"`
			`}`
			`return readGlobalUser(ctx)`
			`}`

Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`export async function search(ctx: UserCtx, next: Next) {`
Updating summaries, adding descriptions, wrapping responses with generic wrapper 'data'. 2022-03-01 15:37:35 +01:00			`const { name } = ctx.request.body`
			`const users = await allGlobalUsers(ctx)`
			`ctx.body = stringSearch(users, name, "email")`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`await next()`
Users implementation added. 2022-02-25 20:00:12 +01:00			`}`
Refactoring to TS on public endpoints. 2022-02-24 16:13:14 +01:00
Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`export async function create(ctx: UserCtx, next: Next) {`
Adding message to let user know why roles have been ignored, as well as adding test case for this. 2023-09-20 13:13:10 +02:00			`await createUpdateResponse(ctx)`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`await next()`
Users implementation added. 2022-02-25 20:00:12 +01:00			`}`
Refactoring to TS on public endpoints. 2022-02-24 16:13:14 +01:00
Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`export async function read(ctx: UserCtx, next: Next) {`
Updating summaries, adding descriptions, wrapping responses with generic wrapper 'data'. 2022-03-01 15:37:35 +01:00			`ctx.body = await readGlobalUser(ctx)`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`await next()`
Users implementation added. 2022-02-25 20:00:12 +01:00			`}`
Refactoring to TS on public endpoints. 2022-02-24 16:13:14 +01:00
Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`export async function update(ctx: UserCtx, next: Next) {`
Users implementation added. 2022-02-25 20:00:12 +01:00			`const user = await readGlobalUser(ctx)`
			`ctx.request.body = {`
			`...ctx.request.body,`
			`_rev: user._rev,`
			`}`
Adding message to let user know why roles have been ignored, as well as adding test case for this. 2023-09-20 13:13:10 +02:00			`await createUpdateResponse(ctx, user)`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`await next()`
Users implementation added. 2022-02-25 20:00:12 +01:00			`}`

Removing the ability to set roles, builder and admin structure through basic public API. 2023-08-04 16:43:02 +02:00			`export async function destroy(ctx: UserCtx, next: Next) {`
Users implementation added. 2022-02-25 20:00:12 +01:00			`const user = await getUser(ctx)`
Fix for #7732 - as well as some tests for it, make sure that it is working as expected. 2022-12-06 18:20:26 +01:00			`// disallow deleting yourself`
			`if (isLoggedInUser(ctx, user)) {`
			`ctx.throw(405, "Cannot delete user using its own API key.")`
			`}`
Users implementation added. 2022-02-25 20:00:12 +01:00			`await deleteGlobalUser(ctx)`
Updating summaries, adding descriptions, wrapping responses with generic wrapper 'data'. 2022-03-01 15:37:35 +01:00			`ctx.body = user`
Adding new generation technique, converting openAPI spec to typescript definitions, which are then applied in mapping output middlewares to make sure that the structures of the response are fully respected. 2022-03-01 19:35:08 +01:00			`await next()`
Users implementation added. 2022-02-25 20:00:12 +01:00			`}`
Refactoring to TS on public endpoints. 2022-02-24 16:13:14 +01:00
			`export default {`
			`create,`
			`read,`
			`update,`
			`destroy,`
			`search,`
			`}`