Updating some route middleware security.

This commit is contained in:
mike12345567 2021-04-01 14:38:31 +01:00
parent 14d7ac5238
commit 0b7502ba7e
5 changed files with 31 additions and 9 deletions

View File

@ -3,14 +3,15 @@ const { QueryBuilder, buildSearchUrl, search } = require("./utils")
exports.rowSearch = async ctx => {
// this can't be done through pouch, have to reach for trusty node-fetch
const appId = ctx.user.appId
const bookmark = ctx.params.bookmark
const { tableId } = ctx.params
const { bookmark, query, raw } = ctx.request.body
let url
if (ctx.params.query) {
url = new QueryBuilder(appId, ctx.params.query, bookmark).complete()
} else if (ctx.params.raw) {
if (query) {
url = new QueryBuilder(appId, query, bookmark).addTable(tableId).complete()
} else if (raw) {
url = buildSearchUrl({
appId,
query: ctx.params.raw,
query: raw,
bookmark,
})
}

View File

@ -4,6 +4,7 @@ const controller = require("../controllers/auth")
const router = Router()
router.post("/api/authenticate", controller.authenticate)
// doesn't need authorization as can only fetch info about self
router.get("/api/self", controller.fetchSelf)
module.exports = router

View File

@ -1,8 +1,19 @@
const Router = require("@koa/router")
const controller = require("../controllers/search")
const {
PermissionTypes,
PermissionLevels,
} = require("../../utilities/security/permissions")
const authorized = require("../../middleware/authorized")
const { paramResource } = require("../../middleware/resourceId")
const router = Router()
router.get("/api/search/rows", controller.rowSearch)
router.post(
"/api/search/:tableId/rows",
paramResource("tableId"),
authorized(PermissionTypes.TABLE, PermissionLevels.READ),
controller.rowSearch
)
module.exports = router

View File

@ -2,7 +2,11 @@ const Router = require("@koa/router")
const controller = require("../controllers/static")
const { budibaseTempDir } = require("../../utilities/budibaseDir")
const authorized = require("../../middleware/authorized")
const { BUILDER } = require("../../utilities/security/permissions")
const {
BUILDER,
PermissionTypes,
PermissionLevels,
} = require("../../utilities/security/permissions")
const usage = require("../../middleware/usageQuota")
const env = require("../../environment")
@ -34,8 +38,14 @@ router
// TODO: for now this builder endpoint is not authorized/secured, will need to be
.get("/builder/:file*", controller.serveBuilder)
.post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
.post("/api/attachments/upload", usage, controller.uploadFile)
.post(
"/api/attachments/upload",
authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
usage,
controller.uploadFile
)
.get("/componentlibrary", controller.serveComponentLibrary)
// TODO: this likely needs to be secured in some way
.get("/:appId/:path*", controller.serveApp)
module.exports = router

View File

@ -39,7 +39,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
}
const role = ctx.user.role
const isBuilder = role._id === BUILTIN_ROLE_IDS.BUILDER
const isAdmin = ADMIN_ROLES.includes(role._id)
const isAuthed = ctx.auth.authenticated