budibase/packages/server/src/middleware/authorized.js

const {
  getUserRoleHierarchy,
  getRequiredResourceRole,
  BUILTIN_ROLE_IDS,
} = require("@budibase/backend-core/roles")
const {
  PermissionTypes,
  doesHaveBasePermission,
} = require("@budibase/backend-core/permissions")
const builderMiddleware = require("./builder")
const { isWebhookEndpoint } = require("./utils")

function hasResource(ctx) {
  return ctx.resourceId != null
}

module.exports =
  (permType, permLevel = null) =>
  async (ctx, next) => {
    // webhooks don't need authentication, each webhook unique
    // also internal requests (between services) don't need authorized
    if (isWebhookEndpoint(ctx) || ctx.internal) {
      return next()
    }

    if (!ctx.user) {
      return ctx.throw(403, "No user info found")
    }

    // check general builder stuff, this middleware is a good way
    // to find API endpoints which are builder focused
    await builderMiddleware(ctx, permType)

    const isAuthed = ctx.isAuthenticated
    // builders for now have permission to do anything
    let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
    const isBuilderApi = permType === PermissionTypes.BUILDER
    if (isBuilder) {
      return next()
    } else if (isBuilderApi && !isBuilder) {
      return ctx.throw(403, "Not Authorized")
    }

    // need to check this first, in-case public access, don't check authed until last
    const roleId = ctx.roleId || BUILTIN_ROLE_IDS.PUBLIC
    const hierarchy = await getUserRoleHierarchy(roleId, {
      idOnly: false,
    })
    const permError = "User does not have permission"
    let possibleRoleIds = []
    if (hasResource(ctx)) {
      possibleRoleIds = await getRequiredResourceRole(permLevel, ctx)
    }
    // check if we found a role, if not fallback to base permissions
    if (possibleRoleIds.length > 0) {
      const found = hierarchy.find(
        role => possibleRoleIds.indexOf(role._id) !== -1
      )
      return found ? next() : ctx.throw(403, permError)
    } else if (!doesHaveBasePermission(permType, permLevel, hierarchy)) {
      ctx.throw(403, permError)
    }

    // if they are not authed, then anything using the authorized middleware will fail
    if (!isAuthed) {
      ctx.throw(403, "Session not authenticated")
    }

    return next()
  }
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`const {`
			`getUserRoleHierarchy,`
			`getRequiredResourceRole,`
			`BUILTIN_ROLE_IDS,`
Switching out @budibase/auth to @budibase/backend-core. 2022-01-10 20:33:00 +01:00			`} = require("@budibase/backend-core/roles")`
Tests failing but starting to progress. 2020-11-12 18:06:55 +01:00			`const {`
			`PermissionTypes,`
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`doesHaveBasePermission,`
Switching out @budibase/auth to @budibase/backend-core. 2022-01-10 20:33:00 +01:00			`} = require("@budibase/backend-core/permissions")`
Adding a debounced updated at timestamp to applications. 2021-05-21 14:07:10 +02:00			`const builderMiddleware = require("./builder")`
Fixing an issue with webhooks, couldn't use them in development (like getting schema) and making sure trigger will always use production app #3143. 2021-11-03 15:08:47 +01:00			`const { isWebhookEndpoint } = require("./utils")`
WIP - this is working towards the permissions system but stopping here for the night, this is currently not functional. 2020-11-11 18:34:15 +01:00
Making use of the resourceId in the middleware package. 2021-02-08 18:52:22 +01:00			`function hasResource(ctx) {`
			`return ctx.resourceId != null`
			`}`

Lint with prettier 2021-06-15 20:39:40 +02:00			`module.exports =`
			`(permType, permLevel = null) =>`
			`async (ctx, next) => {`
			`// webhooks don't need authentication, each webhook unique`
Adding the sync call from the worker for creation, updating and deletion of users. Making sure that production and development apps are always up to date with user metadata. 2021-11-04 15:53:03 +01:00			`// also internal requests (between services) don't need authorized`
Merge branch 'develop' of github.com:Budibase/budibase into fix/user-metadata 2021-11-08 18:28:32 +01:00			`if (isWebhookEndpoint(ctx) \|\| ctx.internal) {`
Lint with prettier 2021-06-15 20:39:40 +02:00			`return next()`
			`}`
support for external webhooks 2020-10-12 12:57:37 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`if (!ctx.user) {`
			`return ctx.throw(403, "No user info found")`
			`}`
instanceid removal 2020-06-18 17:59:31 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`// check general builder stuff, this middleware is a good way`
			`// to find API endpoints which are builder focused`
			`await builderMiddleware(ctx, permType)`
access levels 2020-05-27 18:23:01 +02:00
Lint with prettier 2021-06-15 20:39:40 +02:00			`const isAuthed = ctx.isAuthenticated`
			`// builders for now have permission to do anything`
			`let isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global`
			`const isBuilderApi = permType === PermissionTypes.BUILDER`
			`if (isBuilder) {`
			`return next()`
			`} else if (isBuilderApi && !isBuilder) {`
			`return ctx.throw(403, "Not Authorized")`
			`}`
Adding basic permissions test which proves a public user can read from a table, but cannot write. 2021-02-09 18:24:36 +01:00
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`// need to check this first, in-case public access, don't check authed until last`
			`const roleId = ctx.roleId \|\| BUILTIN_ROLE_IDS.PUBLIC`
Main body of work, refactoring most usages. 2022-01-27 19:18:31 +01:00			`const hierarchy = await getUserRoleHierarchy(roleId, {`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`idOnly: false,`
			`})`
			`const permError = "User does not have permission"`
Updating to allow a list of roles to be retrieved, allowing resources to have multiple levels of role that they can be accessed via. 2021-11-15 16:26:09 +01:00			`let possibleRoleIds = []`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`if (hasResource(ctx)) {`
Main body of work, refactoring most usages. 2022-01-27 19:18:31 +01:00			`possibleRoleIds = await getRequiredResourceRole(permLevel, ctx)`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`}`
			`// check if we found a role, if not fallback to base permissions`
Updating to allow a list of roles to be retrieved, allowing resources to have multiple levels of role that they can be accessed via. 2021-11-15 16:26:09 +01:00			`if (possibleRoleIds.length > 0) {`
			`const found = hierarchy.find(`
			`role => possibleRoleIds.indexOf(role._id) !== -1`
			`)`
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`return found ? next() : ctx.throw(403, permError)`
			`} else if (!doesHaveBasePermission(permType, permLevel, hierarchy)) {`
			`ctx.throw(403, permError)`
Lint with prettier 2021-06-15 20:39:40 +02:00			`}`
access levels 2020-05-27 18:23:01 +02:00
Fixing an issue discovered in #3385 - RBAC roles worked for applying lower levels of roles, but they didn't revoke access correctly, it would always fallback to the base permissions if higher permissions were set. 2021-11-15 14:48:26 +01:00			`// if they are not authed, then anything using the authorized middleware will fail`
Lint with prettier 2021-06-15 20:39:40 +02:00			`if (!isAuthed) {`
			`ctx.throw(403, "Session not authenticated")`
			`}`

			`return next()`
			`}`