From 24f8f3a7cbfe5d5aa30103f96e8491f757cac4f3 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Thu, 12 Jan 2023 15:38:22 +0000 Subject: [PATCH 01/23] Fix currentapp middleware to allow app_ parameters --- packages/server/src/middleware/currentapp.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/server/src/middleware/currentapp.ts b/packages/server/src/middleware/currentapp.ts index 2cd11aa438..593e96adcb 100644 --- a/packages/server/src/middleware/currentapp.ts +++ b/packages/server/src/middleware/currentapp.ts @@ -25,6 +25,7 @@ export default async (ctx: BBContext, next: any) => { if (!appCookie && !requestAppId) { return next() } + // check the app exists referenced in cookie if (appCookie) { const appId = appCookie.appId @@ -51,7 +52,7 @@ export default async (ctx: BBContext, next: any) => { let appId: string | undefined, roleId = roles.BUILTIN_ROLE_IDS.PUBLIC - if (!ctx.user) { + if (!ctx.user?._id) { // not logged in, try to set a cookie for public apps appId = requestAppId } else if (requestAppId != null) { @@ -96,7 +97,7 @@ export default async (ctx: BBContext, next: any) => { // need to judge this only based on the request app ID, if ( env.MULTI_TENANCY && - ctx.user && + ctx.user?._id && requestAppId && !tenancy.isUserInAppTenant(requestAppId, ctx.user) ) { From 09b4533cc8fb14f5da53e37e92cf0c57567b58b2 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Thu, 12 Jan 2023 16:26:46 +0000 Subject: [PATCH 02/23] Add endpoint to deactivate user from app on delete --- packages/server/src/api/controllers/user.ts | 32 +++++++++++++++++++++ packages/server/src/api/routes/user.ts | 5 ++++ 2 files changed, 37 insertions(+) diff --git a/packages/server/src/api/controllers/user.ts b/packages/server/src/api/controllers/user.ts index df64ffc7d0..f37af55ee0 100644 --- a/packages/server/src/api/controllers/user.ts +++ b/packages/server/src/api/controllers/user.ts 
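Review bot: The multi-tenancy guard in the third currentapp.ts hunk (`ctx.user?._id && requestAppId && !tenancy.isUserInAppTenant(requestAppId, ctx.user)`) is now skipped for any request whose `ctx.user` is set but carries no `_id`, and the second hunk sends the same request down the not-logged-in branch with `appId = requestAppId`. Neither hunk says which caller produces a user object without `_id`, so a reader cannot tell whether skipping the tenant check is safe for it. I would add a comment above both conditions, for example `// ctx.user may be populated without an _id (<which caller - to be filled in>); treat it as unauthenticated, PUBLIC role only`, and confirm that the role resolution further down cannot give such a request more than PUBLIC. The middleware body starts and ends outside these hunks.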
@@ -173,3 +173,35 @@ export async function getFlags(ctx: BBContext) { } ctx.body = doc } + +export async function removeUserFromApp(ctx: BBContext) { + const { id: userId, prodAppId } = ctx.params + + const devAppId = dbCore.getDevelopmentAppID(prodAppId) + for (let appId of [prodAppId, devAppId]) { + if (!(await dbCore.dbExists(appId))) { + continue + } + await context.doInAppContext(appId, async () => { + const db = context.getAppDB() + const metadataId = generateUserMetadataID(userId) + let metadata + try { + metadata = await db.get(metadataId) + } catch (err) { + return + } + + let combined = { + ...metadata, + status: constants.UserStatus.INACTIVE, + metadata: rolesCore.BUILTIN_ROLE_IDS.PUBLIC, + } + + await db.put(combined) + }) + } + ctx.body = { + message: `User ${userId} deleted from ${prodAppId} and ${"devapp"}.`, + } +} diff --git a/packages/server/src/api/routes/user.ts b/packages/server/src/api/routes/user.ts index 14deb111e6..556954fd77 100644 --- a/packages/server/src/api/routes/user.ts +++ b/packages/server/src/api/routes/user.ts @@ -47,5 +47,10 @@ router authorized(PermissionType.USER, PermissionLevel.READ), controller.getFlags ) + .delete( + "/api/users/metadata/:id/app/:prodAppId", + authorized(PermissionType.USER, PermissionLevel.WRITE), + controller.removeUserFromApp + ) export default router From 09570e26f6e0ccf87c4f325c51ce04650aea470b Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Thu, 12 Jan 2023 16:28:02 +0000 Subject: [PATCH 03/23] Remove user within the app on deletion --- packages/worker/src/sdk/users/users.ts | 20 ++++++++++++++++++++ packages/worker/src/utilities/appService.ts | 11 +++++++++++ 2 files changed, 31 insertions(+) diff --git a/packages/worker/src/sdk/users/users.ts b/packages/worker/src/sdk/users/users.ts index f3117b63ab..cd3f0622d4 100644 --- a/packages/worker/src/sdk/users/users.ts +++ b/packages/worker/src/sdk/users/users.ts 
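Review bot: The `catch (err) { return }` around `db.get(metadataId)` in `removeUserFromApp` treats every failure as "this user has no metadata in the app", so a timeout or permission error leaves the document in place while the handler still answers that the user was deleted. A revocation path should fail loudly: rethrow anything that is not a missing document, e.g. `if (err?.status !== 404) { throw err }` before the `return` (this assumes the DB client reports a missing document with status 404, which should be confirmed). The same catch is kept, with only a warning added, in the controllers/user.ts hunk of PATCH 04/23. Separately, `metadata: rolesCore.BUILTIN_ROLE_IDS.PUBLIC` writes a role ID into a field named `metadata`, which looks like it was meant for the role field, and the response text uses `${"devapp"}` where `devAppId` was probably intended.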
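Review bot: The new DELETE route acts on the app named in the `:prodAppId` path segment, but `authorized(PermissionType.USER, PermissionLevel.WRITE)` takes no app argument, so from this hunk it is not clear that the permission is evaluated for that same app rather than for the app in the caller's current context. If it is the latter, a caller holding user-write permission in one app could remove user metadata in another. I would either compare the parameter with the request's app context in the handler and answer 403 on a mismatch, or restrict the route to internal callers if only the worker is meant to use it, and say so in a comment on the route. `:id` and `:prodAppId` also reach `generateUserMetadataID` and `dbCore.dbExists` without any format check.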
@@ -188,6 +188,10 @@ const validateUniqueUser = async (email: string, tenantId: string) => { } } +function instanceOfUser(user: User | ThirdPartyUser): user is User { + return !!(user as User).roles +} + export const save = async ( user: User | ThirdPartyUser, opts: SaveUserOpts = {} @@ -257,6 +261,17 @@ export const save = async ( } } + let appsToRemove: string[] = [] + if (dbUser && instanceOfUser(user)) { + const newRoles = Object.keys(user.roles) + const existingRoles = Object.keys(dbUser.roles) + + appsToRemove = existingRoles.filter(r => !newRoles.includes(r)) + if (appsToRemove.length) { + console.log("Deleting access to apps", { appsToRemove }) + } + } + try { // save the user to db let response = await db.put(builtUser) @@ -265,6 +280,11 @@ export const save = async ( await eventHelpers.handleSaveEvents(builtUser, dbUser) await addTenant(tenantId, _id, email) await cache.user.invalidateUser(response.id) + + for (const appId of appsToRemove) { + await apps.removeUserFromApp(_id, appId) + } + // let server know to sync user await apps.syncUserInApps(_id) diff --git a/packages/worker/src/utilities/appService.ts b/packages/worker/src/utilities/appService.ts index a0c4314f65..95a90aebc0 100644 --- a/packages/worker/src/utilities/appService.ts +++ b/packages/worker/src/utilities/appService.ts @@ -30,3 +30,14 @@ export async function syncUserInApps(userId: string) { throw "Unable to sync user." } } + +export async function removeUserFromApp(userId: string, appId: string) { + const response = await makeAppRequest( + `/api/users/metadata/${userId}/app/${appId}`, + "DELETE", + undefined + ) + if (response && response.status !== 200) { + throw "Unable to delete user from app." + } +} From 34cd26781bd0f59adf20f686b6b09aeac0bd25c5 Mon Sep 17 00:00:00 2001 
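Review bot: `Object.keys(dbUser.roles)` in the second users.ts hunk throws if the stored user document has no `roles` field, because `instanceOfUser` (first hunk) only narrows the incoming `user` and says nothing about `dbUser`. A save that fails here never reaches the removal loop, so I would write `const existingRoles = Object.keys(dbUser.roles || {})`. The `console.log("Deleting access to apps", { appsToRemove })` is also the only record that access was revoked; if the project has an audit or event path for role changes, this belongs there with the user ID included. `save` begins and ends outside the hunk.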
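Review bot: The `for (const appId of appsToRemove)` loop in the third users.ts hunk runs after `db.put(builtUser)` has already committed the role change, and `apps.removeUserFromApp` throws on any non-200 answer, so the first failure stops the remaining removals and skips `apps.syncUserInApps(_id)`. The global record then says access was removed while per-app metadata still exists for some apps. What the enclosing `catch` does with the error is outside the hunk, so the exact outcome should be checked there. I would attempt every app, still run the sync, and report the failures afterwards, as sketched below.

```typescript
// … unchanged: db.put, handleSaveEvents, addTenant, cache invalidation …

const failedApps: string[] = []
for (const appId of appsToRemove) {
  try {
    await apps.removeUserFromApp(_id, appId)
  } catch (err) {
    // keep going so one unreachable app does not block the other revocations
    failedApps.push(appId)
  }
}

// let server know to sync user
await apps.syncUserInApps(_id)

if (failedApps.length) {
  throw new Error(
    `Unable to remove user ${_id} from apps: ${failedApps.join(", ")}`
  )
}
```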
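Review bot: `if (response && response.status !== 200)` in the new appService.ts `removeUserFromApp` treats a missing response as success, so if `makeAppRequest` returns nothing the caller believes access was removed although no request completed. For a revocation call the safe default is failure: `if (!response || response.status !== 200) { throw new Error("Unable to delete user from app.") }`, unless `makeAppRequest` returns undefined on purpose in some mode (not visible here), in which case that mode should be handled explicitly. Throwing an `Error` rather than a bare string, as the context line of `syncUserInApps` also does, keeps a stack trace for whoever investigates a failed removal. `userId` and `appId` are interpolated into the path as they are; wrapping each in `encodeURIComponent` keeps an unexpected character from changing which route is hit.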
From: Adria Navarro Date: Fri, 13 Jan 2023 10:26:05 +0000 Subject: [PATCH 04/23] Delete instead of deactivating --- packages/server/src/api/controllers/user.ts | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/packages/server/src/api/controllers/user.ts b/packages/server/src/api/controllers/user.ts index f37af55ee0..5458d97f76 100644 --- a/packages/server/src/api/controllers/user.ts +++ b/packages/server/src/api/controllers/user.ts @@ -189,16 +189,11 @@ export async function removeUserFromApp(ctx: BBContext) { try { metadata = await db.get(metadataId) } catch (err) { + console.warn(`User cannot be found in the app`, { userId, appId }) return } - let combined = { - ...metadata, - status: constants.UserStatus.INACTIVE, - metadata: rolesCore.BUILTIN_ROLE_IDS.PUBLIC, - } - - await db.put(combined) + await db.remove(metadata) }) } ctx.body = { From 5477cf420aeb11361060c04164c97b88773cc49b Mon Sep 17 00:00:00 2001 From: melohagan <101575380+melohagan@users.noreply.github.com> Date: Fri, 13 Jan 2023 11:22:59 +0000 Subject: [PATCH 05/23] Allow primary keys to be foreign key (#9331) --- .../backend/Datasources/CreateEditRelationship.svelte | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/packages/builder/src/components/backend/Datasources/CreateEditRelationship.svelte b/packages/builder/src/components/backend/Datasources/CreateEditRelationship.svelte index 4defcbafab..ec39cc6d71 100644 --- a/packages/builder/src/components/backend/Datasources/CreateEditRelationship.svelte +++ b/packages/builder/src/components/backend/Datasources/CreateEditRelationship.svelte @@ -340,9 +340,7 @@ {:else if isManyToOne && toTable}