Updating some route middleware security.
parent
14d7ac5238
commit
0b7502ba7e
|
@ -3,14 +3,15 @@ const { QueryBuilder, buildSearchUrl, search } = require("./utils")
|
||||||
exports.rowSearch = async ctx => {
|
exports.rowSearch = async ctx => {
|
||||||
// this can't be done through pouch, have to reach for trusty node-fetch
|
// this can't be done through pouch, have to reach for trusty node-fetch
|
||||||
const appId = ctx.user.appId
|
const appId = ctx.user.appId
|
||||||
const bookmark = ctx.params.bookmark
|
const { tableId } = ctx.params
|
||||||
|
const { bookmark, query, raw } = ctx.request.body
|
||||||
let url
|
let url
|
||||||
if (ctx.params.query) {
|
if (query) {
|
||||||
url = new QueryBuilder(appId, ctx.params.query, bookmark).complete()
|
url = new QueryBuilder(appId, query, bookmark).addTable(tableId).complete()
|
||||||
} else if (ctx.params.raw) {
|
} else if (raw) {
|
||||||
url = buildSearchUrl({
|
url = buildSearchUrl({
|
||||||
appId,
|
appId,
|
||||||
query: ctx.params.raw,
|
query: raw,
|
||||||
bookmark,
|
bookmark,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
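Review bot: The `raw` branch is not scoped to the table the route authorizes: the `query` branch calls `.addTable(tableId)`, but `buildSearchUrl({ appId, query: raw, bookmark })` receives no `tableId`. If `buildSearchUrl` passes the raw string through unchanged (it is defined in `./utils`, outside this diff), a caller holding READ on one table could get rows from other tables in the same app back from a raw search. Either pass `tableId` into `buildSearchUrl` so it adds the same table constraint, or reject `raw` for non-builder roles. `bookmark`, `query` and `raw` are also read from the request body without type checks; `rowSearch` continues past the end of this hunk, so any validation further down is not visible here.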
@ -4,6 +4,7 @@ const controller = require("../controllers/auth")
|
||||||
const router = Router()
|
const router = Router()
|
||||||
|
|
||||||
router.post("/api/authenticate", controller.authenticate)
|
router.post("/api/authenticate", controller.authenticate)
|
||||||
|
// doesn't need authorization as can only fetch info about self
|
||||||
router.get("/api/self", controller.fetchSelf)
|
router.get("/api/self", controller.fetchSelf)
|
||||||
|
|
||||||
module.exports = router
|
module.exports = router
|
||||||
|
|
|
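Review bot: The new comment on `/api/self` records a security assumption that nothing on this route enforces, so it should name what the assumption depends on. Wording such as `// no authorized(): fetchSelf must take the user ID only from the authenticated ctx, never from request input` tells the next editor of `controller.fetchSelf` what has to stay true. The controller is outside this diff, so whether that currently holds is not confirmed here.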
@ -1,8 +1,19 @@
|
||||||
const Router = require("@koa/router")
|
const Router = require("@koa/router")
|
||||||
const controller = require("../controllers/search")
|
const controller = require("../controllers/search")
|
||||||
|
const {
|
||||||
|
PermissionTypes,
|
||||||
|
PermissionLevels,
|
||||||
|
} = require("../../utilities/security/permissions")
|
||||||
|
const authorized = require("../../middleware/authorized")
|
||||||
|
const { paramResource } = require("../../middleware/resourceId")
|
||||||
|
|
||||||
const router = Router()
|
const router = Router()
|
||||||
|
|
||||||
router.get("/api/search/rows", controller.rowSearch)
|
router.post(
|
||||||
|
"/api/search/:tableId/rows",
|
||||||
|
paramResource("tableId"),
|
||||||
|
authorized(PermissionTypes.TABLE, PermissionLevels.READ),
|
||||||
|
controller.rowSearch
|
||||||
|
)
|
||||||
|
|
||||||
module.exports = router
|
module.exports = router
|
||||||
|
|
|
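Review bot: The middleware order on the new `POST /api/search/:tableId/rows` route matters for the permission check and should carry a comment. `paramResource("tableId")` is listed before `authorized(PermissionTypes.TABLE, PermissionLevels.READ)`, presumably so the READ check is evaluated against that table; a line such as `// paramResource must run before authorized so READ is checked against :tableId` would stop someone reordering or dropping it. The move from `GET /api/search/rows` to a POST on a new path also breaks existing callers, which the commit message does not mention.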
@ -2,7 +2,11 @@ const Router = require("@koa/router")
|
||||||
const controller = require("../controllers/static")
|
const controller = require("../controllers/static")
|
||||||
const { budibaseTempDir } = require("../../utilities/budibaseDir")
|
const { budibaseTempDir } = require("../../utilities/budibaseDir")
|
||||||
const authorized = require("../../middleware/authorized")
|
const authorized = require("../../middleware/authorized")
|
||||||
const { BUILDER } = require("../../utilities/security/permissions")
|
const {
|
||||||
|
BUILDER,
|
||||||
|
PermissionTypes,
|
||||||
|
PermissionLevels,
|
||||||
|
} = require("../../utilities/security/permissions")
|
||||||
const usage = require("../../middleware/usageQuota")
|
const usage = require("../../middleware/usageQuota")
|
||||||
const env = require("../../environment")
|
const env = require("../../environment")
|
||||||
|
|
||||||
|
@ -34,8 +38,14 @@ router
|
||||||
// TODO: for now this builder endpoint is not authorized/secured, will need to be
|
// TODO: for now this builder endpoint is not authorized/secured, will need to be
|
||||||
.get("/builder/:file*", controller.serveBuilder)
|
.get("/builder/:file*", controller.serveBuilder)
|
||||||
.post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
|
.post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
|
||||||
.post("/api/attachments/upload", usage, controller.uploadFile)
|
.post(
|
||||||
|
"/api/attachments/upload",
|
||||||
|
authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
|
||||||
|
usage,
|
||||||
|
controller.uploadFile
|
||||||
|
)
|
||||||
.get("/componentlibrary", controller.serveComponentLibrary)
|
.get("/componentlibrary", controller.serveComponentLibrary)
|
||||||
|
// TODO: this likely needs to be secured in some way
|
||||||
.get("/:appId/:path*", controller.serveApp)
|
.get("/:appId/:path*", controller.serveApp)
|
||||||
|
|
||||||
module.exports = router
|
module.exports = router
|
||||||
|
|
|
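Review bot: The new `authorized(PermissionTypes.TABLE, PermissionLevels.WRITE)` on `/api/attachments/upload` has no resource ID to check against: unlike the search route in this commit, the chain has no `paramResource(...)` and the path carries no table parameter. How `authorized` behaves without a resource ID is not visible in this diff, so it is unclear which table the WRITE level is evaluated against. If an upload belongs to a table, take the table ID from the request and resolve it before `authorized` runs. Placing `authorized` ahead of `usage` is the right order, since rejected requests then do not count against quota. The TODOs on `/builder/:file*` and `/:appId/:path*` leave both routes unauthenticated and would be easier to track with an issue reference in the comment.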
@ -39,7 +39,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
||||||
}
|
}
|
||||||
|
|
||||||
const role = ctx.user.role
|
const role = ctx.user.role
|
||||||
const isBuilder = role._id === BUILTIN_ROLE_IDS.BUILDER
|
|
||||||
const isAdmin = ADMIN_ROLES.includes(role._id)
|
const isAdmin = ADMIN_ROLES.includes(role._id)
|
||||||
const isAuthed = ctx.auth.authenticated
|
const isAuthed = ctx.auth.authenticated
|
||||||
|
|
||||||
|
|