budibase/packages/server/src/middleware/authorized.js

const { getUserPermissions } = require("../utilities/security/roles")
const {
  PermissionTypes,
  doesHaveResourcePermission,
  doesHaveBasePermission,
} = require("../utilities/security/permissions")

function hasResource(ctx) {
  return ctx.resourceId != null
}

const WEBHOOK_ENDPOINTS = new RegExp(
  ["webhooks/trigger", "webhooks/schema"].join("|")
)

module.exports = (permType, permLevel = null) => async (ctx, next) => {
  // webhooks don't need authentication, each webhook unique
  if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {
    return next()
  }

  if (!ctx.user) {
    return ctx.throw(403, "No user info found")
  }

  const isAuthed = ctx.isAuthenticated

  const { basePermissions, permissions } = await getUserPermissions(
    ctx.appId,
    ctx.roleId
  )

  let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
  if (permType === PermissionTypes.BUILDER && isBuilder) {
    return next()
  } else if (permType === PermissionTypes.BUILDER && !isBuilder) {
    return ctx.throw(403, "Not Authorized")
  }

  if (
    hasResource(ctx) &&
    doesHaveResourcePermission(permissions, permLevel, ctx)
  ) {
    return next()
  }

  if (!isAuthed) {
    ctx.throw(403, "Session not authenticated")
  }

  if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
    ctx.throw(403, "User does not have permission")
  }

  return next()
}
Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`const { getUserPermissions } = require("../utilities/security/roles")`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`doesHaveResourcePermission,`
			`doesHaveBasePermission,`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`} = require("../utilities/security/permissions")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`const WEBHOOK_ENDPOINTS = new RegExp(`
			`["webhooks/trigger", "webhooks/schema"].join("\|")`
			`)`
support for external webhooks 2020-10-12 12:57:37 +02:00
Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`module.exports = (permType, permLevel = null) => async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
			`if (WEBHOOK_ENDPOINTS.test(ctx.request.url)) {`
			`return next()`
support for external webhooks 2020-10-12 12:57:37 +02:00			`}`

instanceid removal 2020-06-18 17:59:31 +02:00			`if (!ctx.user) {`
tests for authorized middleware 2021-03-09 12:27:12 +01:00			`return ctx.throw(403, "No user info found")`
instanceid removal 2020-06-18 17:59:31 +02:00			`}`

login page 2021-04-11 12:35:55 +02:00			`const isAuthed = ctx.isAuthenticated`
Updating API keys and changing over system to allow use of builder endpoints when running in cloud. 2021-03-22 17:39:11 +01:00
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`const { basePermissions, permissions } = await getUserPermissions(`
			`ctx.appId,`
Some work towards implementing the current app cookie, removing some old dead code and re-working some of the different middlewares involved. 2021-04-12 19:31:58 +02:00			`ctx.roleId`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`)`
access levels 2020-05-27 18:23:01 +02:00
Getting most of the test auth working, adding in global builder configuration. 2021-04-13 19:12:35 +02:00			`let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
			`if (permType === PermissionTypes.BUILDER && isBuilder) {`
self endpoint, simple auth 2021-04-12 12:20:01 +02:00			`return next()`
Getting most of the test auth working, adding in global builder configuration. 2021-04-13 19:12:35 +02:00			`} else if (permType === PermissionTypes.BUILDER && !isBuilder) {`
self endpoint, simple auth 2021-04-12 12:20:01 +02:00			`return ctx.throw(403, "Not Authorized")`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Some more fixes after testing permissions a bit further. 2021-02-09 17:01:02 +01:00			`if (`
			`hasResource(ctx) &&`
			`doesHaveResourcePermission(permissions, permLevel, ctx)`
			`) {`
			`return next()`
			`}`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-09 18:24:36 +01:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`ctx.throw(403, "User does not have permission")`
			`}`
access levels 2020-05-27 18:23:01 +02:00
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`return next()`
access levels 2020-05-27 18:23:01 +02:00			`}`