From 24721684772dce2db463c19d37b90c71cb22fd7f Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Thu, 12 Nov 2020 17:06:55 +0000 Subject: [PATCH] Tests failing but starting to progress. --- .../server/src/api/controllers/accesslevel.js | 24 ++----- packages/server/src/api/controllers/auth.js | 1 + .../server/src/api/controllers/routing.js | 3 + packages/server/src/api/controllers/user.js | 16 +++-- packages/server/src/api/index.js | 4 ++ packages/server/src/api/routes/index.js | 2 + packages/server/src/api/routes/routing.js | 10 +++ .../src/api/routes/tests/accesslevel.spec.js | 26 ++++---- .../src/api/routes/tests/couchTestUtils.js | 51 +++++--------- .../server/src/api/routes/tests/user.spec.js | 17 ++--- .../src/automations/steps/createUser.js | 4 +- packages/server/src/middleware/authorized.js | 20 ++++-- .../src/utilities/builder/setBuilderToken.js | 6 +- packages/server/src/utilities/permissions.js | 66 ------------------- .../src/utilities/security/accessLevels.js | 46 +++---------- .../src/utilities/security/permissions.js | 32 ++++++--- 16 files changed, 124 insertions(+), 204 deletions(-) create mode 100644 packages/server/src/api/controllers/routing.js create mode 100644 packages/server/src/api/routes/routing.js delete mode 100644 packages/server/src/utilities/permissions.js diff --git a/packages/server/src/api/controllers/accesslevel.js b/packages/server/src/api/controllers/accesslevel.js index 8c525ba52a..1a19309333 100644 --- a/packages/server/src/api/controllers/accesslevel.js +++ b/packages/server/src/api/controllers/accesslevel.js @@ -1,9 +1,8 @@ const CouchDB = require("../../db") +const { BUILTIN_LEVELS } = require("../../utilities/security/accessLevels") const { - generateAdminPermissions, - generatePowerUserPermissions, - BUILTIN_LEVELS, -} = require("../../utilities/security/accessLevels") + BUILTIN_PERMISSION_NAMES, +} = require("../../utilities/security/permissions") const { generateAccessLevelID, getAccessLevelParams, @@ -21,11 +20,11 @@ exports.fetch = async function(ctx) { const staticAccessLevels = [ { ...BUILTIN_LEVELS.admin, - permissions: await generateAdminPermissions(ctx.user.appId), + permissions: [BUILTIN_PERMISSION_NAMES.ADMIN], }, { ...BUILTIN_LEVELS.power, - permissions: await generatePowerUserPermissions(ctx.user.appId), + permissions: [BUILTIN_PERMISSION_NAMES.POWER], }, ] @@ -59,22 +58,13 @@ exports.patch = async function(ctx) { if (removedPermissions) { level.permissions = level.permissions.filter( - p => - !removedPermissions.some( - rem => rem.name === p.name && rem.itemId === p.itemId - ) + permission => removedPermissions.indexOf(permission) === -1 ) } if (addedPermissions) { level.permissions = [ - ...level.permissions.filter( - p => - !addedPermissions.some( - add => add.name === p.name && add.itemId === p.itemId - ) - ), - ...addedPermissions, + ...new Set([...addedPermissions, ...level.permissions]), ] } diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js index 2c162587b3..21136b0214 100644 --- a/packages/server/src/api/controllers/auth.js +++ b/packages/server/src/api/controllers/auth.js @@ -34,6 +34,7 @@ exports.authenticate = async ctx => { userId: dbUser._id, accessLevelId: dbUser.accessLevelId, version: app.version, + permissions: dbUser.permissions || [], } // if in cloud add the user api key if (env.CLOUD) { diff --git a/packages/server/src/api/controllers/routing.js b/packages/server/src/api/controllers/routing.js new file mode 100644 index 0000000000..ae3f949833 --- /dev/null +++ b/packages/server/src/api/controllers/routing.js @@ -0,0 +1,3 @@ +exports.fetch = async ctx => { + +} \ No newline at end of file diff --git a/packages/server/src/api/controllers/user.js b/packages/server/src/api/controllers/user.js index 7d460c1db6..08044d4754 100644 --- a/packages/server/src/api/controllers/user.js +++ b/packages/server/src/api/controllers/user.js @@ -1,9 +1,10 @@ const CouchDB = require("../../db") const bcrypt = require("../../utilities/bcrypt") const { generateUserID, getUserParams } = require("../../db/utils") +const { BUILTIN_LEVEL_IDS } = require("../../utilities/security/accessLevels") const { - BUILTIN_LEVELS_IDS, -} = require("../../utilities/security/accessLevels") + BUILTIN_PERMISSION_NAMES, +} = require("../../utilities/security/permissions") exports.fetch = async function(ctx) { const database = new CouchDB(ctx.user.appId) @@ -17,7 +18,13 @@ exports.fetch = async function(ctx) { exports.create = async function(ctx) { const db = new CouchDB(ctx.user.appId) - const { username, password, name, accessLevelId } = ctx.request.body + const { + username, + password, + name, + accessLevelId, + permissions, + } = ctx.request.body if (!username || !password) { ctx.throw(400, "Username and Password Required.") @@ -34,6 +41,7 @@ exports.create = async function(ctx) { name: name || username, type: "user", accessLevelId, + permissions: permissions || [BUILTIN_PERMISSION_NAMES.POWER], } try { @@ -88,7 +96,7 @@ exports.find = async function(ctx) { const checkAccessLevel = async (db, accessLevelId) => { if (!accessLevelId) return - if (BUILTIN_LEVELS_IDS.indexOf(accessLevelId) !== -1) { + if (BUILTIN_LEVEL_IDS.indexOf(accessLevelId) !== -1) { return { _id: accessLevelId, name: accessLevelId, diff --git a/packages/server/src/api/index.js b/packages/server/src/api/index.js index 4a4e80d1ed..0d25e08dee 100644 --- a/packages/server/src/api/index.js +++ b/packages/server/src/api/index.js @@ -22,6 +22,7 @@ const { templatesRoutes, analyticsRoutes, webhookRoutes, + routingRoutes, } = require("./routes") const router = new Router() @@ -121,6 +122,9 @@ router.use(analyticsRoutes.allowedMethods()) router.use(staticRoutes.routes()) router.use(staticRoutes.allowedMethods()) +router.use(routingRoutes.routes()) +router.use(routingRoutes.allowedMethods()) + router.redirect("/", "/_builder") module.exports = router diff --git a/packages/server/src/api/routes/index.js b/packages/server/src/api/routes/index.js index a19742097c..2352b2edc2 100644 --- a/packages/server/src/api/routes/index.js +++ b/packages/server/src/api/routes/index.js @@ -15,6 +15,7 @@ const deployRoutes = require("./deploy") const apiKeysRoutes = require("./apikeys") const templatesRoutes = require("./templates") const analyticsRoutes = require("./analytics") +const routingRoutes = require("./routing") module.exports = { deployRoutes, @@ -34,4 +35,5 @@ module.exports = { templatesRoutes, analyticsRoutes, webhookRoutes, + routingRoutes, } diff --git a/packages/server/src/api/routes/routing.js b/packages/server/src/api/routes/routing.js new file mode 100644 index 0000000000..f336e4ed67 --- /dev/null +++ b/packages/server/src/api/routes/routing.js @@ -0,0 +1,10 @@ +const Router = require("@koa/router") +const authorized = require("../../middleware/authorized") +const { BUILDER } = require("../../utilities/security/permissions") +const controller = require("../controllers/routing") + +const router = Router() + +router.post("/api/routing", authorized(BUILDER), controller.fetch) + +module.exports = router diff --git a/packages/server/src/api/routes/tests/accesslevel.spec.js b/packages/server/src/api/routes/tests/accesslevel.spec.js index 2fc4b54e20..01ca97664a 100644 --- a/packages/server/src/api/routes/tests/accesslevel.spec.js +++ b/packages/server/src/api/routes/tests/accesslevel.spec.js @@ -6,11 +6,7 @@ const { defaultHeaders } = require("./couchTestUtils") const { - generateAdminPermissions, - generatePowerUserPermissions, BUILTIN_LEVELS, - READ_TABLE, - WRITE_TABLE, } = require("../../../utilities/security/accessLevels") const { BUILTIN_PERMISSION_NAMES } = require("../../../utilities/security/permissions") @@ -76,14 +72,14 @@ describe("/accesslevels", () => { const adminLevel = res.body.find(r => r._id === BUILTIN_LEVELS.admin._id) expect(adminLevel).toBeDefined() - expect(adminLevel.permissions).toEqual(await generateAdminPermissions(appId)) + expect(adminLevel.permissions).toEqual([BUILTIN_PERMISSION_NAMES.ADMIN]) const powerUserLevel = res.body.find(r => r._id === BUILTIN_LEVELS.power._id) expect(powerUserLevel).toBeDefined() - expect(powerUserLevel.permissions).toEqual(await generatePowerUserPermissions(appId)) + expect(powerUserLevel.permissions).toEqual([BUILTIN_PERMISSION_NAMES.POWER]) const customLevelFetched = res.body.find(r => r._id === customLevel._id) - expect(customLevelFetched.permissions).toEqual(customLevel.permissions) + expect(customLevelFetched.permissions).toEqual([BUILTIN_PERMISSION_NAMES.READ_ONLY]) }) }); @@ -126,7 +122,7 @@ describe("/accesslevels", () => { .patch(`/api/accesslevels/${customLevel._id}`) .send({ _rev: customLevel._rev, - addedPermissions: [ { itemId: table._id, name: WRITE_TABLE } ] + addedPermissions: [ BUILTIN_PERMISSION_NAMES.WRITE ] }) .set(defaultHeaders(appId)) .expect('Content-Type', /json/) @@ -138,8 +134,8 @@ describe("/accesslevels", () => { .expect(200) expect(finalRes.body.permissions.length).toBe(2) - expect(finalRes.body.permissions.some(p => p.name === WRITE_TABLE)).toBe(true) - expect(finalRes.body.permissions.some(p => p.name === READ_TABLE)).toBe(true) + expect(finalRes.body.permissions.indexOf(BUILTIN_PERMISSION_NAMES.WRITE)).not.toBe(-1) + expect(finalRes.body.permissions.indexOf(BUILTIN_PERMISSION_NAMES.READ_ONLY)).not.toBe(-1) }) it("should remove given permissions", async () => { @@ -147,9 +143,9 @@ describe("/accesslevels", () => { .post(`/api/accesslevels`) .send({ name: "user", - permissions: [ - { itemId: table._id, name: READ_TABLE }, - { itemId: table._id, name: WRITE_TABLE }, + permissions: [ + BUILTIN_PERMISSION_NAMES.READ_ONLY, + BUILTIN_PERMISSION_NAMES.WRITE, ] }) .set(defaultHeaders(appId)) @@ -162,7 +158,7 @@ describe("/accesslevels", () => { .patch(`/api/accesslevels/${customLevel._id}`) .send({ _rev: customLevel._rev, - removedPermissions: [ { itemId: table._id, name: WRITE_TABLE }] + removedPermissions: [BUILTIN_PERMISSION_NAMES.WRITE] }) .set(defaultHeaders(appId)) .expect('Content-Type', /json/) @@ -174,7 +170,7 @@ describe("/accesslevels", () => { .expect(200) expect(finalRes.body.permissions.length).toBe(1) - expect(finalRes.body.permissions.some(p => p.name === READ_TABLE)).toBe(true) + expect(finalRes.body.permissions.indexOf(BUILTIN_PERMISSION_NAMES.READ_ONLY)).not.toBe(-1) }) }) }); diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js index bbb2da903e..a3d01bfc6b 100644 --- a/packages/server/src/api/routes/tests/couchTestUtils.js +++ b/packages/server/src/api/routes/tests/couchTestUtils.js @@ -1,11 +1,11 @@ const CouchDB = require("../../../db") const supertest = require("supertest") const { - POWERUSER_LEVEL_ID, - ANON_LEVEL_ID, - BUILDER_LEVEL_ID, - generateAdminPermissions, + BUILTIN_LEVELS, } = require("../../../utilities/security/accessLevels") +const { + BUILTIN_PERMISSION_NAMES, +} = require("../../../utilities/security/permissions") const packageJson = require("../../../../package") const jwt = require("jsonwebtoken") const env = require("../../../environment") @@ -26,7 +26,7 @@ exports.supertest = async () => { exports.defaultHeaders = appId => { const builderUser = { userId: "BUILDER", - accessLevelId: BUILDER_LEVEL_ID, + accessLevelId: BUILTIN_LEVELS.builder._id, } const builderToken = jwt.sign(builderUser, env.JWT_SECRET) @@ -126,21 +126,13 @@ exports.createUser = async ( name: "Bill", username, password, - accessLevelId: POWERUSER_LEVEL_ID, + accessLevelId: BUILTIN_LEVELS.power._id, }) return res.body } -const createUserWithOnePermission = async ( - request, - appId, - permName, - itemId -) => { - let permissions = await generateAdminPermissions(appId) - permissions = permissions.filter( - p => p.name === permName && p.itemId === itemId - ) +const createUserWithOnePermission = async (request, appId, permName) => { + let permissions = [permName] return await createUserWithPermissions( request, @@ -151,7 +143,7 @@ const createUserWithOnePermission = async ( } const createUserWithAdminPermissions = async (request, appId) => { - let permissions = await generateAdminPermissions(appId) + let permissions = [BUILTIN_PERMISSION_NAMES.ADMIN] return await createUserWithPermissions( request, @@ -164,13 +156,9 @@ const createUserWithAdminPermissions = async (request, appId) => { const createUserWithAllPermissionExceptOne = async ( request, appId, - permName, - itemId + permName ) => { - let permissions = await generateAdminPermissions(appId) - permissions = permissions.filter( - p => !(p.name === permName && p.itemId === itemId) - ) + let permissions = [permName] return await createUserWithPermissions( request, @@ -186,11 +174,6 @@ const createUserWithPermissions = async ( permissions, username ) => { - const accessRes = await request - .post(`/api/accesslevels`) - .send({ name: "TestLevel", permissions }) - .set(exports.defaultHeaders(appId)) - const password = `password_${username}` await request .post(`/api/users`) @@ -199,12 +182,13 @@ const createUserWithPermissions = async ( name: username, username, password, - accessLevelId: accessRes.body._id, + accessLevelId: BUILTIN_LEVELS.power._id, + permissions, }) const anonUser = { userId: "ANON", - accessLevelId: ANON_LEVEL_ID, + accessLevelId: BUILTIN_LEVELS.anon._id, appId: appId, version: packageJson.version, } @@ -233,13 +217,11 @@ exports.testPermissionsForEndpoint = async ({ body, appId, permissionName, - itemId, }) => { const headers = await createUserWithOnePermission( request, appId, - permissionName, - itemId + permissionName ) await createRequest(request, method, url, body) @@ -249,8 +231,7 @@ exports.testPermissionsForEndpoint = async ({ const noPermsHeaders = await createUserWithAllPermissionExceptOne( request, appId, - permissionName, - itemId + permissionName ) await createRequest(request, method, url, body) diff --git a/packages/server/src/api/routes/tests/user.spec.js b/packages/server/src/api/routes/tests/user.spec.js index d0c12f2ea1..bd77c179b1 100644 --- a/packages/server/src/api/routes/tests/user.spec.js +++ b/packages/server/src/api/routes/tests/user.spec.js @@ -5,10 +5,11 @@ const { createUser, testPermissionsForEndpoint, } = require("./couchTestUtils") -const { - POWERUSER_LEVEL_ID, - LIST_USERS, - USER_MANAGEMENT +const { + BUILTIN_PERMISSION_NAMES, +} = require("../../../utilities/security/permissions") +const { + BUILTIN_LEVELS } = require("../../../utilities/security/accessLevels") describe("/users", () => { @@ -53,7 +54,7 @@ describe("/users", () => { method: "GET", url: `/api/users`, appId: appId, - permissionName: LIST_USERS, + permissionName: BUILTIN_PERMISSION_NAMES.WRITE, }) }) @@ -65,7 +66,7 @@ describe("/users", () => { const res = await request .post(`/api/users`) .set(defaultHeaders(appId)) - .send({ name: "Bill", username: "bill", password: "bills_password", accessLevelId: POWERUSER_LEVEL_ID }) + .send({ name: "Bill", username: "bill", password: "bills_password", accessLevelId: BUILTIN_LEVELS.power._id }) .expect(200) .expect('Content-Type', /json/) @@ -77,10 +78,10 @@ describe("/users", () => { await testPermissionsForEndpoint({ request, method: "POST", - body: { name: "brandNewUser", username: "brandNewUser", password: "yeeooo", accessLevelId: POWERUSER_LEVEL_ID }, + body: { name: "brandNewUser", username: "brandNewUser", password: "yeeooo", accessLevelId: BUILTIN_LEVELS.power._id }, url: `/api/users`, appId: appId, - permissionName: USER_MANAGEMENT, + permissionName: BUILTIN_PERMISSION_NAMES.WRITE, }) }) diff --git a/packages/server/src/automations/steps/createUser.js b/packages/server/src/automations/steps/createUser.js index d29144e01d..40f7d76a38 100644 --- a/packages/server/src/automations/steps/createUser.js +++ b/packages/server/src/automations/steps/createUser.js @@ -11,7 +11,7 @@ module.exports.definition = { type: "ACTION", stepId: "CREATE_USER", inputs: { - accessLevelId: accessLevels.POWERUSER_LEVEL_ID, + accessLevelId: accessLevels.BUILTIN_LEVELS.power._id, }, schema: { inputs: { @@ -29,7 +29,7 @@ module.exports.definition = { type: "string", title: "Access Level", enum: accessLevels.BUILTIN_LEVELS, - pretty: Object.values(accessLevels.PRETTY_ACCESS_LEVELS), + pretty: accessLevels.BUILTIN_LEVEL_NAMES, }, }, required: ["username", "password", "accessLevelId"], diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js index 234c7d82fd..93ad57d071 100644 --- a/packages/server/src/middleware/authorized.js +++ b/packages/server/src/middleware/authorized.js @@ -1,5 +1,8 @@ const { BUILTIN_LEVELS } = require("../utilities/security/accessLevels") -const { PermissionTypes } = require("../utilities/security/permissions") +const { + PermissionTypes, + doesHavePermission, +} = require("../utilities/security/permissions") const env = require("../environment") const { apiKeyTable } = require("../db/dynamoClient") const { AuthTypes } = require("../constants") @@ -44,18 +47,21 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => { ctx.throw(403, "User not found") } - if (ADMIN_PERMS.indexOf(ctx.user.accessLevel._id) !== -1) { + const accessLevel = ctx.user.accessLevel + const permissions = ctx.user.permissions + if (ADMIN_PERMS.indexOf(accessLevel._id) !== -1) { return next() } + // TODO: need to handle routing security + if (permType === PermissionTypes.BUILDER) { ctx.throw(403, "Not Authorized") - return } - // TODO: Replace the old permissions system here, check whether - // user has permission to use endpoint they are trying to access - return next() + if (!doesHavePermission(permType, permLevel, permissions)) { + ctx.throw(403, "User does not have permission") + } - //ctx.throw(403, "Not Authorized") + return next() } diff --git a/packages/server/src/utilities/builder/setBuilderToken.js b/packages/server/src/utilities/builder/setBuilderToken.js index 56969f7d3a..982fe9ad09 100644 --- a/packages/server/src/utilities/builder/setBuilderToken.js +++ b/packages/server/src/utilities/builder/setBuilderToken.js @@ -1,4 +1,5 @@ -const { BUILDER_LEVEL_ID } = require("../security/accessLevels") +const { BUILTIN_LEVELS } = require("../security/accessLevels") +const { BUILTIN_PERMISSION_NAMES } = require("../security/permissions") const env = require("../../environment") const CouchDB = require("../../db") const jwt = require("jsonwebtoken") @@ -9,7 +10,8 @@ const APP_PREFIX = DocumentTypes.APP + SEPARATOR module.exports = async (ctx, appId, version) => { const builderUser = { userId: "BUILDER", - accessLevelId: BUILDER_LEVEL_ID, + accessLevelId: BUILTIN_LEVELS.builder._id, + permissions: [BUILTIN_PERMISSION_NAMES.ADMIN], version, } if (env.BUDIBASE_API_KEY) { diff --git a/packages/server/src/utilities/permissions.js b/packages/server/src/utilities/permissions.js deleted file mode 100644 index 3a161f6405..0000000000 --- a/packages/server/src/utilities/permissions.js +++ /dev/null @@ -1,66 +0,0 @@ -const viewController = require("../api/controllers/view") -const tableController = require("../api/controllers/table") -const automationController = require("../api/controllers/automation") -const accessLevels = require("./security/accessLevels") - -// this has been broken out to reduce risk of circular dependency from utilities, no enums defined here -const generateAdminPermissions = async appId => [ - ...accessLevels.adminPermissions, - ...(await generatePowerUserPermissions(appId)), -] - -const generatePowerUserPermissions = async appId => { - const fetchTablesCtx = { - user: { - appId, - }, - } - await tableController.fetch(fetchTablesCtx) - const tables = fetchTablesCtx.body - - const fetchViewsCtx = { - user: { - appId, - }, - } - await viewController.fetch(fetchViewsCtx) - const views = fetchViewsCtx.body - - const fetchAutomationsCtx = { - user: { - appId, - }, - } - await automationController.fetch(fetchAutomationsCtx) - const automations = fetchAutomationsCtx.body - - const readTablePermissions = tables.map(m => ({ - itemId: m._id, - name: accessLevels.READ_TABLE, - })) - - const writeTablePermissions = tables.map(m => ({ - itemId: m._id, - name: accessLevels.WRITE_TABLE, - })) - - const viewPermissions = views.map(v => ({ - itemId: v.name, - name: accessLevels.READ_VIEW, - })) - - const executeAutomationPermissions = automations.map(w => ({ - itemId: w._id, - name: accessLevels.EXECUTE_AUTOMATION, - })) - - return [ - ...readTablePermissions, - ...writeTablePermissions, - ...viewPermissions, - ...executeAutomationPermissions, - { name: accessLevels.LIST_USERS }, - ] -} -module.exports.generateAdminPermissions = generateAdminPermissions -module.exports.generatePowerUserPermissions = generatePowerUserPermissions diff --git a/packages/server/src/utilities/security/accessLevels.js b/packages/server/src/utilities/security/accessLevels.js index 77a2955261..48e088afb5 100644 --- a/packages/server/src/utilities/security/accessLevels.js +++ b/packages/server/src/utilities/security/accessLevels.js @@ -1,44 +1,14 @@ -const { DocumentTypes, SEPARATOR } = require("../../db/utils") - -function makeAccessLevelId(baseId) { - return `${DocumentTypes.ACCESS_LEVEL}${SEPARATOR}${baseId}` -} - -// Permissions -exports.READ_TABLE = "read-table" -exports.WRITE_TABLE = "write-table" -exports.READ_VIEW = "read-view" -exports.EXECUTE_AUTOMATION = "execute-automation" -exports.EXECUTE_WEBHOOK = "execute-webhook" -exports.USER_MANAGEMENT = "user-management" -exports.BUILDER = "builder" -exports.LIST_USERS = "list-users" -// Access Level IDs -exports.ADMIN_LEVEL_ID = "ADMIN" -exports.POWERUSER_LEVEL_ID = "POWER_USER" -exports.BUILDER_LEVEL_ID = "BUILDER" -exports.ANON_LEVEL_ID = "ANON" exports.BUILTIN_LEVELS = { - admin: { _id: makeAccessLevelId("ADMIN"), name: "Admin" }, - power: { _id: makeAccessLevelId("POWER_USER"), name: "Power user" }, - builder: { _id: makeAccessLevelId("BUILDER"), name: "Builder" }, - anon: { _id: makeAccessLevelId("ANON"), name: "Anonymous" }, + admin: { _id: "ADMIN", name: "Admin" }, + power: { _id: "POWER_USER", name: "Power user" }, + builder: { _id: "BUILDER", name: "Builder" }, + anon: { _id: "ANON", name: "Anonymous" }, } + exports.BUILTIN_LEVEL_IDS = Object.values(exports.BUILTIN_LEVELS).map( level => level._id ) -exports.PRETTY_ACCESS_LEVELS = { - [exports.ADMIN_LEVEL_ID]: "Admin", - [exports.POWERUSER_LEVEL_ID]: "Power user", - [exports.BUILDER_LEVEL_ID]: "Builder", -} -exports.adminPermissions = [ - { - name: exports.USER_MANAGEMENT, - }, -] -// to avoid circular dependencies this is included later, after exporting all enums -const permissions = require("../permissions") -exports.generateAdminPermissions = permissions.generateAdminPermissions -exports.generatePowerUserPermissions = permissions.generatePowerUserPermissions +exports.BUILTIN_LEVEL_NAMES = Object.values(exports.BUILTIN_LEVELS).map( + level => level.name +) diff --git a/packages/server/src/utilities/security/permissions.js b/packages/server/src/utilities/security/permissions.js index 7a230611c0..d19f31e393 100644 --- a/packages/server/src/utilities/security/permissions.js +++ b/packages/server/src/utilities/security/permissions.js @@ -1,14 +1,5 @@ const { flatten } = require("lodash") -exports.READ_TABLE = "read-table" -exports.WRITE_TABLE = "write-table" -exports.READ_VIEW = "read-view" -exports.EXECUTE_AUTOMATION = "execute-automation" -exports.EXECUTE_WEBHOOK = "execute-webhook" -exports.USER_MANAGEMENT = "user-management" -exports.BUILDER = "builder" -exports.LIST_USERS = "list-users" - const PermissionLevels = { READ: "read", WRITE: "write", @@ -54,10 +45,11 @@ function getAllowedLevels(userPermLevel) { } } -// TODO: need to expand on this exports.BUILTIN_PERMISSION_NAMES = { READ_ONLY: "read_only", WRITE: "write", + ADMIN: "admin", + POWER: "power", } exports.BUILTIN_PERMISSIONS = { @@ -75,6 +67,26 @@ exports.BUILTIN_PERMISSIONS = { new Permission(PermissionTypes.VIEW, PermissionLevels.READ), ], }, + POWER: { + name: exports.BUILTIN_PERMISSION_NAMES.POWER, + permissions: [ + new Permission(PermissionTypes.TABLE, PermissionLevels.WRITE), + new Permission(PermissionTypes.USER, PermissionLevels.READ), + new Permission(PermissionTypes.AUTOMATION, PermissionLevels.EXECUTE), + new Permission(PermissionTypes.VIEW, PermissionLevels.READ), + new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ), + ], + }, + ADMIN: { + name: exports.BUILTIN_PERMISSION_NAMES.ADMIN, + permissions: [ + new Permission(PermissionTypes.TABLE, PermissionLevels.ADMIN), + new Permission(PermissionTypes.USER, PermissionLevels.ADMIN), + new Permission(PermissionTypes.AUTOMATION, PermissionLevels.ADMIN), + new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN), + new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ), + ], + }, } exports.doesHavePermission = (permType, permLevel, userPermissionNames) => {