budibase/packages/server/src/sdk/app/permissions/index.ts

import { context, db, env, roles } from "@budibase/backend-core"
import { features } from "@budibase/pro"
import {
  DocumentType,
  PermissionLevel,
  PlanType,
  Role,
  VirtualDocumentType,
} from "@budibase/types"
import {
  extractViewInfoFromID,
  getRoleParams,
  isViewID,
} from "../../../db/utils"
import {
  CURRENTLY_SUPPORTED_LEVELS,
  getBasePermissions,
} from "../../../utilities/security"
import sdk from "../../../sdk"
import { isV2 } from "../views"

type ResourceActionAllowedResult =
  | { allowed: true }
  | {
      allowed: false
      level: PermissionLevel
      resourceType: DocumentType | VirtualDocumentType
    }

export async function resourceActionAllowed({
  resourceId,
  level,
}: {
  resourceId: string
  level: PermissionLevel
}): Promise<ResourceActionAllowedResult> {
  if (!isViewID(resourceId)) {
    return { allowed: true }
  }

  if (await features.isViewPermissionEnabled()) {
    return { allowed: true }
  }

  return {
    allowed: false,
    level,
    resourceType: VirtualDocumentType.VIEW,
  }
}

enum PermissionSource {
  EXPLICIT = "EXPLICIT",
  INHERITED = "INHERITED",
  BASE = "BASE",
}

type ResourcePermissions = Record<
  string,
  { role: string; type: PermissionSource }
>

export async function getInheritablePermissions(
  resourceId: string
): Promise<ResourcePermissions | undefined> {
  if (isViewID(resourceId)) {
    return await getResourcePerms(extractViewInfoFromID(resourceId).tableId)
  }
}

export async function allowsExplicitPermissions(resourceId: string) {
  if (isViewID(resourceId)) {
    const allowed = await features.isViewPermissionEnabled()
    const minPlan = !allowed
      ? env.SELF_HOSTED
        ? PlanType.BUSINESS
        : PlanType.PREMIUM
      : undefined

    return {
      allowed,
      minPlan,
    }
  }

  return { allowed: true }
}

export async function getResourcePerms(
  resourceId: string
): Promise<ResourcePermissions> {
  const db = context.getAppDB()
  const body = await db.allDocs(
    getRoleParams(null, {
      include_docs: true,
    })
  )
  const rolesList = body.rows.map<Role>(row => row.doc)
  let permissions: ResourcePermissions = {}

  const permsToInherit = await getInheritablePermissions(resourceId)

  const allowsExplicitPerm = (await allowsExplicitPermissions(resourceId))
    .allowed

  for (let level of CURRENTLY_SUPPORTED_LEVELS) {
    // update the various roleIds in the resource permissions
    for (let role of rolesList) {
      const rolePerms = allowsExplicitPerm
        ? roles.checkForRoleResourceArray(role.permissions, resourceId)
        : {}
      if (rolePerms[resourceId]?.indexOf(level) > -1) {
        permissions[level] = {
          role: roles.getExternalRoleID(role._id!, role.version),
          type: PermissionSource.EXPLICIT,
        }
      } else if (
        !permissions[level] &&
        permsToInherit &&
        permsToInherit[level]
      ) {
        permissions[level] = {
          role: permsToInherit[level].role,
          type: PermissionSource.INHERITED,
        }
      }
    }
  }

  const basePermissions = Object.entries(
    getBasePermissions(resourceId)
  ).reduce<ResourcePermissions>((p, [level, role]) => {
    p[level] = { role, type: PermissionSource.BASE }
    return p
  }, {})
  const result = Object.assign(basePermissions, permissions)
  return result
}

export async function getDependantResources(
  resourceId: string
): Promise<Record<string, number> | undefined> {
  if (db.isTableId(resourceId)) {
    const dependants: Record<string, Set<string>> = {}

    const table = await sdk.tables.getTable(resourceId)
    const views = Object.values(table.views || {})

    for (const view of views) {
      if (!isV2(view)) {
        continue
      }

      const permissions = await getResourcePerms(view.id)
      for (const [level, roleInfo] of Object.entries(permissions)) {
        if (roleInfo.type === PermissionSource.INHERITED) {
          dependants[VirtualDocumentType.VIEW] ??= new Set()
          dependants[VirtualDocumentType.VIEW].add(view.id)
        }
      }
    }

    return Object.entries(dependants).reduce((p, [type, resources]) => {
      p[type] = resources.size
      return p
    }, {} as Record<string, number>)
  }

  return
}
Display dependant info 2023-09-01 17:03:33 +02:00			`import { context, db, env, roles } from "@budibase/backend-core"`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`import { features } from "@budibase/pro"`
Add basic sdk checks 2023-08-21 16:56:40 +02:00			`import {`
			`DocumentType,`
			`PermissionLevel,`
Change api interfaces 2023-09-01 11:33:59 +02:00			`PlanType,`
Change shape 2023-08-31 13:01:17 +02:00			`Role,`
Add basic sdk checks 2023-08-21 16:56:40 +02:00			`VirtualDocumentType,`
			`} from "@budibase/types"`
Change shape 2023-08-31 13:01:17 +02:00			`import {`
			`extractViewInfoFromID,`
			`getRoleParams,`
			`isViewID,`
			`} from "../../../db/utils"`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`import {`
			`CURRENTLY_SUPPORTED_LEVELS,`
			`getBasePermissions,`
			`} from "../../../utilities/security"`
Display dependant info 2023-09-01 17:03:33 +02:00			`import sdk from "../../../sdk"`
			`import { isV2 } from "../views"`
Add basic sdk checks 2023-08-21 16:56:40 +02:00
			`type ResourceActionAllowedResult =`
			`\| { allowed: true }`
			`\| {`
			`allowed: false`
			`level: PermissionLevel`
			`resourceType: DocumentType \| VirtualDocumentType`
			`}`

			`export async function resourceActionAllowed({`
			`resourceId,`
			`level,`
			`}: {`
			`resourceId: string`
			`level: PermissionLevel`
			`}): Promise<ResourceActionAllowedResult> {`
			`if (!isViewID(resourceId)) {`
			`return { allowed: true }`
			`}`

Implemment checks 2023-08-22 10:27:06 +02:00			`if (await features.isViewPermissionEnabled()) {`
			`return { allowed: true }`
			`}`

Add basic sdk checks 2023-08-21 16:56:40 +02:00			`return {`
			`allowed: false,`
			`level,`
			`resourceType: VirtualDocumentType.VIEW,`
			`}`
			`}`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00
Rename 2023-09-01 09:50:55 +02:00			`enum PermissionSource {`
			`EXPLICIT = "EXPLICIT",`
			`INHERITED = "INHERITED",`
			`BASE = "BASE",`
Return role origin 2023-09-01 09:40:29 +02:00			`}`

Change shape 2023-08-31 13:01:17 +02:00			`type ResourcePermissions = Record<`
			`string,`
Rename 2023-09-01 09:50:55 +02:00			`{ role: string; type: PermissionSource }`
Change shape 2023-08-31 13:01:17 +02:00			`>`

Rename 2023-09-01 09:50:55 +02:00			`export async function getInheritablePermissions(`
			`resourceId: string`
			`): Promise<ResourcePermissions \| undefined> {`
Change api interfaces 2023-09-01 11:33:59 +02:00			`if (isViewID(resourceId)) {`
Rename 2023-09-01 09:50:55 +02:00			`return await getResourcePerms(extractViewInfoFromID(resourceId).tableId)`
			`}`
			`}`

Change api interfaces 2023-09-01 11:33:59 +02:00			`export async function allowsExplicitPermissions(resourceId: string) {`
			`if (isViewID(resourceId)) {`
			`const allowed = await features.isViewPermissionEnabled()`
			`const minPlan = !allowed`
			`? env.SELF_HOSTED`
			`? PlanType.BUSINESS`
			`: PlanType.PREMIUM`
			`: undefined`

			`return {`
			`allowed,`
			`minPlan,`
			`}`
			`}`

			`return { allowed: true }`
			`}`

Change shape 2023-08-31 13:01:17 +02:00			`export async function getResourcePerms(`
			`resourceId: string`
			`): Promise<ResourcePermissions> {`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`const db = context.getAppDB()`
			`const body = await db.allDocs(`
			`getRoleParams(null, {`
			`include_docs: true,`
			`})`
			`)`
Change shape 2023-08-31 13:01:17 +02:00			`const rolesList = body.rows.map<Role>(row => row.doc)`
Return role origin 2023-09-01 09:40:29 +02:00			`let permissions: ResourcePermissions = {}`
Change shape 2023-08-31 13:01:17 +02:00
Rename 2023-09-01 09:50:55 +02:00			`const permsToInherit = await getInheritablePermissions(resourceId)`
Change shape 2023-08-31 13:01:17 +02:00
Change api interfaces 2023-09-01 11:33:59 +02:00			`const allowsExplicitPerm = (await allowsExplicitPermissions(resourceId))`
			`.allowed`

Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`for (let level of CURRENTLY_SUPPORTED_LEVELS) {`
			`// update the various roleIds in the resource permissions`
			`for (let role of rolesList) {`
Change api interfaces 2023-09-01 11:33:59 +02:00			`const rolePerms = allowsExplicitPerm`
			`? roles.checkForRoleResourceArray(role.permissions, resourceId)`
			`: {}`
Change shape 2023-08-31 13:01:17 +02:00			`if (rolePerms[resourceId]?.indexOf(level) > -1) {`
			`permissions[level] = {`
			`role: roles.getExternalRoleID(role._id!, role.version),`
Rename 2023-09-01 09:50:55 +02:00			`type: PermissionSource.EXPLICIT,`
Change shape 2023-08-31 13:01:17 +02:00			`}`
Display inherit option 2023-09-01 10:52:06 +02:00			`} else if (`
			`!permissions[level] &&`
			`permsToInherit &&`
			`permsToInherit[level]`
			`) {`
Change shape 2023-08-31 13:01:17 +02:00			`permissions[level] = {`
Return role origin 2023-09-01 09:40:29 +02:00			`role: permsToInherit[level].role,`
Rename 2023-09-01 09:50:55 +02:00			`type: PermissionSource.INHERITED,`
Change shape 2023-08-31 13:01:17 +02:00			`}`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`}`
			`}`
			`}`

Change shape 2023-08-31 13:01:17 +02:00			`const basePermissions = Object.entries(`
			`getBasePermissions(resourceId)`
			`).reduce<ResourcePermissions>((p, [level, role]) => {`
Rename 2023-09-01 09:50:55 +02:00			`p[level] = { role, type: PermissionSource.BASE }`
Change shape 2023-08-31 13:01:17 +02:00			`return p`
			`}, {})`
			`const result = Object.assign(basePermissions, permissions)`
			`return result`
Move permissions code to sdk 2023-08-31 10:36:17 +02:00			`}`
Display dependant info 2023-09-01 17:03:33 +02:00
Improve messaging 2023-09-01 17:23:47 +02:00			`export async function getDependantResources(`
			`resourceId: string`
			`): Promise<Record<string, number> \| undefined> {`
Display dependant info 2023-09-01 17:03:33 +02:00			`if (db.isTableId(resourceId)) {`
Improve messaging 2023-09-01 17:23:47 +02:00			`const dependants: Record<string, Set<string>> = {}`
Display dependant info 2023-09-01 17:03:33 +02:00
			`const table = await sdk.tables.getTable(resourceId)`
			`const views = Object.values(table.views \|\| {})`

			`for (const view of views) {`
			`if (!isV2(view)) {`
			`continue`
			`}`

			`const permissions = await getResourcePerms(view.id)`
			`for (const [level, roleInfo] of Object.entries(permissions)) {`
			`if (roleInfo.type === PermissionSource.INHERITED) {`
Improve messaging 2023-09-01 17:23:47 +02:00			`dependants[VirtualDocumentType.VIEW] ??= new Set()`
			`dependants[VirtualDocumentType.VIEW].add(view.id)`
Display dependant info 2023-09-01 17:03:33 +02:00			`}`
			`}`
			`}`

Improve messaging 2023-09-01 17:23:47 +02:00			`return Object.entries(dependants).reduce((p, [type, resources]) => {`
			`p[type] = resources.size`
			`return p`
			`}, {} as Record<string, number>)`
Display dependant info 2023-09-01 17:03:33 +02:00			`}`

Improve messaging 2023-09-01 17:23:47 +02:00			`return`
Display dependant info 2023-09-01 17:03:33 +02:00			`}`