Updating some route middleware security.
This commit is contained in:
parent
14d7ac5238
commit
0b7502ba7e
|
@ -3,14 +3,15 @@ const { QueryBuilder, buildSearchUrl, search } = require("./utils")
|
|||
exports.rowSearch = async ctx => {
|
||||
// this can't be done through pouch, have to reach for trusty node-fetch
|
||||
const appId = ctx.user.appId
|
||||
const bookmark = ctx.params.bookmark
|
||||
const { tableId } = ctx.params
|
||||
const { bookmark, query, raw } = ctx.request.body
|
||||
let url
|
||||
if (ctx.params.query) {
|
||||
url = new QueryBuilder(appId, ctx.params.query, bookmark).complete()
|
||||
} else if (ctx.params.raw) {
|
||||
if (query) {
|
||||
url = new QueryBuilder(appId, query, bookmark).addTable(tableId).complete()
|
||||
} else if (raw) {
|
||||
url = buildSearchUrl({
|
||||
appId,
|
||||
query: ctx.params.raw,
|
||||
query: raw,
|
||||
bookmark,
|
||||
})
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ const controller = require("../controllers/auth")
|
|||
const router = Router()
|
||||
|
||||
router.post("/api/authenticate", controller.authenticate)
|
||||
// doesn't need authorization as can only fetch info about self
|
||||
router.get("/api/self", controller.fetchSelf)
|
||||
|
||||
module.exports = router
|
||||
|
|
|
@ -1,8 +1,19 @@
|
|||
const Router = require("@koa/router")
|
||||
const controller = require("../controllers/search")
|
||||
const {
|
||||
PermissionTypes,
|
||||
PermissionLevels,
|
||||
} = require("../../utilities/security/permissions")
|
||||
const authorized = require("../../middleware/authorized")
|
||||
const { paramResource } = require("../../middleware/resourceId")
|
||||
|
||||
const router = Router()
|
||||
|
||||
router.get("/api/search/rows", controller.rowSearch)
|
||||
router.post(
|
||||
"/api/search/:tableId/rows",
|
||||
paramResource("tableId"),
|
||||
authorized(PermissionTypes.TABLE, PermissionLevels.READ),
|
||||
controller.rowSearch
|
||||
)
|
||||
|
||||
module.exports = router
|
||||
|
|
|
@ -2,7 +2,11 @@ const Router = require("@koa/router")
|
|||
const controller = require("../controllers/static")
|
||||
const { budibaseTempDir } = require("../../utilities/budibaseDir")
|
||||
const authorized = require("../../middleware/authorized")
|
||||
const { BUILDER } = require("../../utilities/security/permissions")
|
||||
const {
|
||||
BUILDER,
|
||||
PermissionTypes,
|
||||
PermissionLevels,
|
||||
} = require("../../utilities/security/permissions")
|
||||
const usage = require("../../middleware/usageQuota")
|
||||
const env = require("../../environment")
|
||||
|
||||
|
@ -34,8 +38,14 @@ router
|
|||
// TODO: for now this builder endpoint is not authorized/secured, will need to be
|
||||
.get("/builder/:file*", controller.serveBuilder)
|
||||
.post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
|
||||
.post("/api/attachments/upload", usage, controller.uploadFile)
|
||||
.post(
|
||||
"/api/attachments/upload",
|
||||
authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
|
||||
usage,
|
||||
controller.uploadFile
|
||||
)
|
||||
.get("/componentlibrary", controller.serveComponentLibrary)
|
||||
// TODO: this likely needs to be secured in some way
|
||||
.get("/:appId/:path*", controller.serveApp)
|
||||
|
||||
module.exports = router
|
||||
|
|
|
@ -39,7 +39,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
|||
}
|
||||
|
||||
const role = ctx.user.role
|
||||
const isBuilder = role._id === BUILTIN_ROLE_IDS.BUILDER
|
||||
const isAdmin = ADMIN_ROLES.includes(role._id)
|
||||
const isAuthed = ctx.auth.authenticated
|
||||
|
||||
|
|
Loading…
Reference in New Issue