Updating some route middleware security.

This commit is contained in:
mike12345567 2021-04-01 14:38:31 +01:00
parent 14d7ac5238
commit 0b7502ba7e
5 changed files with 31 additions and 9 deletions

View File

@ -3,14 +3,15 @@ const { QueryBuilder, buildSearchUrl, search } = require("./utils")
exports.rowSearch = async ctx => { exports.rowSearch = async ctx => {
// this can't be done through pouch, have to reach for trusty node-fetch // this can't be done through pouch, have to reach for trusty node-fetch
const appId = ctx.user.appId const appId = ctx.user.appId
const bookmark = ctx.params.bookmark const { tableId } = ctx.params
const { bookmark, query, raw } = ctx.request.body
let url let url
if (ctx.params.query) { if (query) {
url = new QueryBuilder(appId, ctx.params.query, bookmark).complete() url = new QueryBuilder(appId, query, bookmark).addTable(tableId).complete()
} else if (ctx.params.raw) { } else if (raw) {
url = buildSearchUrl({ url = buildSearchUrl({
appId, appId,
query: ctx.params.raw, query: raw,
bookmark, bookmark,
}) })
} }

View File

@ -4,6 +4,7 @@ const controller = require("../controllers/auth")
const router = Router() const router = Router()
router.post("/api/authenticate", controller.authenticate) router.post("/api/authenticate", controller.authenticate)
// doesn't need authorization as can only fetch info about self
router.get("/api/self", controller.fetchSelf) router.get("/api/self", controller.fetchSelf)
module.exports = router module.exports = router

View File

@ -1,8 +1,19 @@
const Router = require("@koa/router") const Router = require("@koa/router")
const controller = require("../controllers/search") const controller = require("../controllers/search")
const {
PermissionTypes,
PermissionLevels,
} = require("../../utilities/security/permissions")
const authorized = require("../../middleware/authorized")
const { paramResource } = require("../../middleware/resourceId")
const router = Router() const router = Router()
router.get("/api/search/rows", controller.rowSearch) router.post(
"/api/search/:tableId/rows",
paramResource("tableId"),
authorized(PermissionTypes.TABLE, PermissionLevels.READ),
controller.rowSearch
)
module.exports = router module.exports = router

View File

@ -2,7 +2,11 @@ const Router = require("@koa/router")
const controller = require("../controllers/static") const controller = require("../controllers/static")
const { budibaseTempDir } = require("../../utilities/budibaseDir") const { budibaseTempDir } = require("../../utilities/budibaseDir")
const authorized = require("../../middleware/authorized") const authorized = require("../../middleware/authorized")
const { BUILDER } = require("../../utilities/security/permissions") const {
BUILDER,
PermissionTypes,
PermissionLevels,
} = require("../../utilities/security/permissions")
const usage = require("../../middleware/usageQuota") const usage = require("../../middleware/usageQuota")
const env = require("../../environment") const env = require("../../environment")
@ -34,8 +38,14 @@ router
// TODO: for now this builder endpoint is not authorized/secured, will need to be // TODO: for now this builder endpoint is not authorized/secured, will need to be
.get("/builder/:file*", controller.serveBuilder) .get("/builder/:file*", controller.serveBuilder)
.post("/api/attachments/process", authorized(BUILDER), controller.uploadFile) .post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
.post("/api/attachments/upload", usage, controller.uploadFile) .post(
"/api/attachments/upload",
authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
usage,
controller.uploadFile
)
.get("/componentlibrary", controller.serveComponentLibrary) .get("/componentlibrary", controller.serveComponentLibrary)
// TODO: this likely needs to be secured in some way
.get("/:appId/:path*", controller.serveApp) .get("/:appId/:path*", controller.serveApp)
module.exports = router module.exports = router

View File

@ -39,7 +39,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
} }
const role = ctx.user.role const role = ctx.user.role
const isBuilder = role._id === BUILTIN_ROLE_IDS.BUILDER
const isAdmin = ADMIN_ROLES.includes(role._id) const isAdmin = ADMIN_ROLES.includes(role._id)
const isAuthed = ctx.auth.authenticated const isAuthed = ctx.auth.authenticated