budibase/packages/server/src/middleware/triggerRowActionAuthorised.ts

import { Next } from "koa"
import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
import { docIds } from "@budibase/backend-core"
import * as utils from "../db/utils"
import sdk from "../sdk"
import { authorizedResource } from "./authorized"

export function triggerRowActionAuthorised(
  sourcePath: string,
  actionPath: string
) {
  return async (ctx: UserCtx, next: Next) => {
    async function getResourceIds() {
      const sourceId: string = ctx.params[sourcePath]
      const rowActionId: string = ctx.params[actionPath]

      const isTableId = docIds.isTableId(sourceId)
      const isViewId = docIds.isViewId(sourceId)
      if (!isTableId && !isViewId) {
        ctx.throw(400, `'${sourceId}' is not a valid source id`)
      }

      const tableId = isTableId
        ? sourceId
        : utils.extractViewInfoFromID(sourceId).tableId
      const viewId = isTableId ? undefined : sourceId
      return { tableId, viewId, rowActionId }
    }

    const { tableId, viewId, rowActionId } = await getResourceIds()

    // Check if the user has permissions to the table/view
    await authorizedResource(
      !viewId ? PermissionType.TABLE : PermissionType.VIEW,
      PermissionLevel.READ,
      sourcePath
    )(ctx, () => {})

    // Check is the row action can run for the given view/table
    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
    if (!viewId && !rowAction.permissions.table.runAllowed) {
      ctx.throw(
        403,
        `Row action '${rowActionId}' is not enabled for table '${tableId}'`
      )
    } else if (viewId && !rowAction.permissions.views[viewId]?.runAllowed) {
      ctx.throw(
        403,
        `Row action '${rowActionId}' is not enabled for view '${viewId}'`
      )
    }

    // Enrich tableId
    ctx.params.tableId = tableId
    return next()
  }
}
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`import { Next } from "koa"`
Guard permission 2024-09-04 10:16:59 +02:00			`import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`import { docIds } from "@budibase/backend-core"`
			`import * as utils from "../db/utils"`
			`import sdk from "../sdk"`
Guard permission 2024-09-04 10:16:59 +02:00			`import { authorizedResource } from "./authorized"`
Promisify middleware 2024-09-03 17:53:25 +02:00
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`export function triggerRowActionAuthorised(`
			`sourcePath: string,`
			`actionPath: string`
			`) {`
Guard permission 2024-09-04 10:16:59 +02:00			`return async (ctx: UserCtx, next: Next) => {`
			`async function getResourceIds() {`
Proper guarding 2024-09-04 11:10:56 +02:00			`const sourceId: string = ctx.params[sourcePath]`
			`const rowActionId: string = ctx.params[actionPath]`
Guard permission 2024-09-04 10:16:59 +02:00
			`const isTableId = docIds.isTableId(sourceId)`
Working on plumbing 'source' all the way through our code. 2024-09-24 13:30:45 +02:00			`const isViewId = docIds.isViewId(sourceId)`
Guard permission 2024-09-04 10:16:59 +02:00			`if (!isTableId && !isViewId) {`
			ctx.throw(400, `'${sourceId}' is not a valid source id`)
			`}`

			`const tableId = isTableId`
			`? sourceId`
			`: utils.extractViewInfoFromID(sourceId).tableId`
			`const viewId = isTableId ? undefined : sourceId`
			`return { tableId, viewId, rowActionId }`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`}`

Guard permission 2024-09-04 10:16:59 +02:00			`const { tableId, viewId, rowActionId } = await getResourceIds()`
Add tests 2024-08-26 18:00:14 +02:00
Proper guarding 2024-09-04 11:10:56 +02:00			`// Check if the user has permissions to the table/view`
			`await authorizedResource(`
			`!viewId ? PermissionType.TABLE : PermissionType.VIEW,`
			`PermissionLevel.READ,`
			`sourcePath`
			`)(ctx, () => {})`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00
Proper guarding 2024-09-04 11:10:56 +02:00			`// Check is the row action can run for the given view/table`
			`const rowAction = await sdk.rowActions.get(tableId, rowActionId)`
Tidy code 2024-09-03 17:21:13 +02:00			`if (!viewId && !rowAction.permissions.table.runAllowed) {`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`ctx.throw(`
			`403,`
Tidy code 2024-09-03 17:21:13 +02:00			`Row action '${rowActionId}' is not enabled for table '${tableId}'`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`)`
Tidy code 2024-09-03 17:21:13 +02:00			`} else if (viewId && !rowAction.permissions.views[viewId]?.runAllowed) {`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`ctx.throw(`
			`403,`
Tidy code 2024-09-03 17:21:13 +02:00			`Row action '${rowActionId}' is not enabled for view '${viewId}'`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`)`
			`}`

Add tests 2024-08-26 18:00:14 +02:00			`// Enrich tableId`
			`ctx.params.tableId = tableId`
Add triggerRowActionAuthorised 2024-08-26 17:13:52 +02:00			`return next()`
			`}`
			`}`