budibase/packages/server/src/middleware/authorized.js

const { getUserPermissions } = require("@budibase/auth/roles")
const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
} = require("@budibase/auth/permissions")
const builderMiddleware = require("./builder")
const { isWebhookEndpoint } = require("./utils")

function hasResource(ctx) {
  return ctx.resourceId != null
}

module.exports =
  (permType, permLevel = null) =>
  async (ctx, next) => {
    // webhooks don't need authentication, each webhook unique
    if (isWebhookEndpoint(ctx)) {
      return next()
    }

    if (!ctx.user) {
      return ctx.throw(403, "No user info found")
    }

    // check general builder stuff, this middleware is a good way
    // to find API endpoints which are builder focused
    await builderMiddleware(ctx, permType)

    const isAuthed = ctx.isAuthenticated
    const { basePermissions, permissions } = await getUserPermissions(
      ctx.appId,
      ctx.roleId
    )

    // builders for now have permission to do anything
    // TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check
    let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
    const isBuilderApi = permType === PermissionTypes.BUILDER
    if (isBuilder) {
      return next()
    } else if (isBuilderApi && !isBuilder) {
      return ctx.throw(403, "Not Authorized")
    }

    if (
      hasResource(ctx) &&
      doesHaveResourcePermission(permissions, permLevel, ctx)
    ) {
      return next()
    }

    if (!isAuthed) {
      ctx.throw(403, "Session not authenticated")
    }

    if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
      ctx.throw(403, "User does not have permission")
    }

    return next()
  }
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-14 16:43:41 +02:00			`const { getUserPermissions } = require("@budibase/auth/roles")`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`doesHaveResourcePermission,`
			`doesHaveBasePermission,`
A general re-work of some parts of the auth lib, as well as moving roles/permissions around to make it possible to build an admin API which has role knowledge. 2021-05-14 16:43:41 +02:00			`} = require("@budibase/auth/permissions")`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const builderMiddleware = require("./builder")`
Fixing an issue with webhooks, couldn't use them in development (like getting schema) and making sure trigger will always use production app #3143. 2021-11-03 15:08:47 +01:00			`const { isWebhookEndpoint } = require("./utils")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Lint with prettier 2021-06-15 20:39:40 +02:00			`module.exports =`
			`(permType, permLevel = null) =>`
			`async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
Fixing an issue with webhooks, couldn't use them in development (like getting schema) and making sure trigger will always use production app #3143. 2021-11-03 15:08:47 +01:00			`if (isWebhookEndpoint(ctx)) {`
Lint with prettier 2021-06-15 20:39:40 +02:00			`return next()`
			`}`
support for external webhooks 2020-10-12 12:57:37 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`if (!ctx.user) {`
			`return ctx.throw(403, "No user info found")`
			`}`
instanceid removal 2020-06-18 17:59:31 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`// check general builder stuff, this middleware is a good way`
			`// to find API endpoints which are builder focused`
			`await builderMiddleware(ctx, permType)`
access levels 2020-05-27 18:23:01 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`const isAuthed = ctx.isAuthenticated`
			`const { basePermissions, permissions } = await getUserPermissions(`
			`ctx.appId,`
			`ctx.roleId`
			`)`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`// builders for now have permission to do anything`
			`// TODO: in future should consider separating permissions with an require("@budibase/auth").isClient check`
			`let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
			`const isBuilderApi = permType === PermissionTypes.BUILDER`
			`if (isBuilder) {`
			`return next()`
			`} else if (isBuilderApi && !isBuilder) {`
			`return ctx.throw(403, "Not Authorized")`
			`}`
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-09 18:24:36 +01:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`if (`
			`hasResource(ctx) &&`
			`doesHaveResourcePermission(permissions, permLevel, ctx)`
			`) {`
			`return next()`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

			`if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {`
			`ctx.throw(403, "User does not have permission")`
			`}`

			`return next()`
			`}`