budibase/packages/server/src/middleware/triggerRowActionAuthorised.ts

import { Next } from "koa"
import { Ctx } from "@budibase/types"
import { paramSubResource } from "./resourceId"
import { docIds } from "@budibase/backend-core"
import * as utils from "../db/utils"
import sdk from "../sdk"

export function triggerRowActionAuthorised(
  sourcePath: string,
  actionPath: string
) {
  return async (ctx: Ctx, next: Next) => {
    // Reusing the existing middleware to extract the value
    paramSubResource(sourcePath, actionPath)(ctx, () => {})
    const { resourceId: sourceId, subResourceId: rowActionId } = ctx

    const isTableId = docIds.isTableId(sourceId)
    const isViewId = utils.isViewID(sourceId)
    if (!isTableId && !isViewId) {
      ctx.throw(400, `'${sourceId}' is not a valid source id`)
    }

    const tableId = isTableId
      ? sourceId
      : utils.extractViewInfoFromID(sourceId).tableId

    const rowAction = await sdk.rowActions.get(tableId, rowActionId)

    if (isTableId && !rowAction.permissions.table.runAllowed) {
      ctx.throw(
        403,
        `Row action '${rowActionId}' is not enabled for table '${sourceId}'`
      )
    } else if (isViewId && !rowAction.permissions.views[sourceId]?.runAllowed) {
      ctx.throw(
        403,
        `Row action '${rowActionId}' is not enabled for view '${sourceId}'`
      )
    }

    // Enrich tableId
    ctx.params.tableId = tableId
    return next()
  }
}
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`import { Next } from "koa"`
			`import { Ctx } from "@budibase/types"`
			`import { paramSubResource } from "./resourceId"`
			`import { docIds } from "@budibase/backend-core"`
			`import * as utils from "../db/utils"`
			`import sdk from "../sdk"`

			`export function triggerRowActionAuthorised(`
			`sourcePath: string,`
			`actionPath: string`
			`) {`
			`return async (ctx: Ctx, next: Next) => {`
			`// Reusing the existing middleware to extract the value`
			`paramSubResource(sourcePath, actionPath)(ctx, () => {})`
			`const { resourceId: sourceId, subResourceId: rowActionId } = ctx`

			`const isTableId = docIds.isTableId(sourceId)`
			`const isViewId = utils.isViewID(sourceId)`
			`if (!isTableId && !isViewId) {`
			ctx.throw(400, `'${sourceId}' is not a valid source id`)
			`}`

			`const tableId = isTableId`
			`? sourceId`
			`: utils.extractViewInfoFromID(sourceId).tableId`
Add tests 2024-08-26 18:00:14 +02:00
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`const rowAction = await sdk.rowActions.get(tableId, rowActionId)`

			`if (isTableId && !rowAction.permissions.table.runAllowed) {`
			`ctx.throw(`
			`403,`
			`Row action '${rowActionId}' is not enabled for table '${sourceId}'`
			`)`
			`} else if (isViewId && !rowAction.permissions.views[sourceId]?.runAllowed) {`
			`ctx.throw(`
			`403,`
			`Row action '${rowActionId}' is not enabled for view '${sourceId}'`
			`)`
			`}`

Add tests 2024-08-26 18:00:14 +02:00			`// Enrich tableId`
			`ctx.params.tableId = tableId`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`return next()`
			`}`
			`}`