budibase/packages/server/src/utilities/security/permissions.js


const { flatten } = require("lodash")
// Named permission identifiers, exported as plain strings.
// NOTE(review): the visible part of this file never reads these constants; the
// permission check further down works on PermissionTypes / PermissionLevels
// instead. Confirm which callers still depend on them.
exports.READ_TABLE = "read-table"
exports.WRITE_TABLE = "write-table"
exports.READ_VIEW = "read-view"
exports.EXECUTE_AUTOMATION = "execute-automation"
exports.EXECUTE_WEBHOOK = "execute-webhook"
exports.USER_MANAGEMENT = "user-management"
// BUILDER is assigned a second time near the end of this file, from
// PermissionTypes.BUILDER, which holds the same string ("builder").
exports.BUILDER = "builder"
exports.LIST_USERS = "list-users"
// Access levels a permission can carry. Which levels satisfy which requests is
// decided by getAllowedLevels() in this file, not by the order of the keys here.
const PermissionLevels = {
  READ: "read",
  WRITE: "write",
  EXECUTE: "execute",
  ADMIN: "admin",
}
// Resource categories a permission can apply to. A permission pairs one of
// these types with one of the PermissionLevels values.
const PermissionTypes = {
  TABLE: "table",
  USER: "user",
  AUTOMATION: "automation",
  WEBHOOK: "webhook",
  BUILDER: "builder",
  VIEW: "view",
}
/**
 * Constructor for a single grant: one resource type paired with one level.
 * Neither argument is validated here; the values are stored as given.
 * @param {string} type The resource type the grant applies to.
 * @param {string} level The level granted on that type.
 */
function Permission(type, level) {
  // Same two own properties, written in the same order (level, then type).
  Object.assign(this, { level, type })
}
/**
 * Expands a granted permission level into the list of levels it satisfies.
 *
 * Unknown or missing levels expand to an empty list, so a grant with an
 * unrecognised level satisfies nothing.
 *
 * NOTE(review): EXECUTE expands to EXECUTE only, and ADMIN expands to
 * READ/WRITE/EXECUTE but not to ADMIN itself, so a request for the ADMIN level
 * is never satisfied through this function. Confirm that this is intended.
 *
 * @param {string} userPermLevel The permission level of the user.
 * @return {string[]} All the permission levels this user is allowed to carry out.
 */
function getAllowedLevels(userPermLevel) {
  const { READ, WRITE, EXECUTE, ADMIN } = PermissionLevels
  if (userPermLevel === READ) {
    return [READ]
  }
  if (userPermLevel === WRITE) {
    return [READ, WRITE]
  }
  if (userPermLevel === EXECUTE) {
    return [EXECUTE]
  }
  if (userPermLevel === ADMIN) {
    return [READ, WRITE, EXECUTE]
  }
  // Anything else, including undefined, is granted nothing.
  return []
}
// TODO: need to expand on this
// Names of the built-in permission sets. doesHavePermission() compares these
// strings with the names supplied for the user.
exports.BUILTIN_PERMISSION_NAMES = {
  READ_ONLY: "read_only",
  WRITE: "write",
}
// Built-in permission sets, keyed by role. Each set lists the grants that
// doesHavePermission() consults. Only the TABLE and VIEW types appear here, so
// a check for any other PermissionTypes value is denied for every user.
exports.BUILTIN_PERMISSIONS = {
  // Read tables and views.
  READ_ONLY: {
    name: exports.BUILTIN_PERMISSION_NAMES.READ_ONLY,
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
    ],
  },
  // Write tables (WRITE also satisfies READ, see getAllowedLevels); views stay read-only.
  WRITE: {
    name: exports.BUILTIN_PERMISSION_NAMES.WRITE,
    permissions: [
      new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE),
      new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
    ],
  },
}
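/**
 * Decides whether the built-in permission sets held by a user grant the
 * requested level on the requested resource type.
 *
 * The check denies by default: only an exact match between a supplied name and
 * a built-in set's name counts, and input that is neither an array nor a
 * string yields false instead of throwing.
 *
 * @param {string} permType One of the PermissionTypes values.
 * @param {string} permLevel One of the PermissionLevels values being requested.
 * @param {string[]|string} userPermissionNames Names of the built-in permission
 *   sets the user holds. A bare string is treated as a single name.
 * @return {boolean} True when at least one held set grants the request.
 */
exports.doesHavePermission = (permType, permLevel, userPermissionNames) => {
  let suppliedNames
  if (Array.isArray(userPermissionNames)) {
    suppliedNames = userPermissionNames
  } else if (typeof userPermissionNames === "string") {
    // indexOf on a string is a substring search, so a value that merely
    // contained a set name would have matched it. Wrap the string instead so
    // the comparison stays an exact one.
    suppliedNames = [userPermissionNames]
  } else {
    // null, undefined and any other type: no recognisable names, so deny.
    return false
  }
  const heldNames = new Set(suppliedNames)
  const grants = flatten(
    Object.values(exports.BUILTIN_PERMISSIONS)
      .filter(builtin => heldNames.has(builtin.name))
      .map(builtin => builtin.permissions)
  )
  // A grant matches when its type is the requested one and its level expands
  // to a list that contains the requested level.
  return grants.some(
    grant =>
      grant.type === permType &&
      getAllowedLevels(grant.level).indexOf(permLevel) !== -1
  )
}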
// utility as a lot of things need simply the builder permission
// This overwrites the exports.BUILDER assignment made earlier in this file;
// both assignments hold the same string ("builder").
exports.BUILDER = PermissionTypes.BUILDER
// Expose the type and level enums to callers of this module.
exports.PermissionTypes = PermissionTypes
exports.PermissionLevels = PermissionLevels