From 3405e6d6b7ac795398b03d720267a0804c2d46f1 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Fri, 4 Oct 2024 16:12:01 +0100 Subject: [PATCH] Make new tables require ADMIN permissions to read and write. --- .../server/src/api/routes/tests/table.spec.ts | 9 ++++++- packages/server/src/utilities/security.ts | 26 ++++++++++++------- packages/types/src/documents/document.ts | 24 +++++++++++++++++ 3 files changed, 48 insertions(+), 11 deletions(-) diff --git a/packages/server/src/api/routes/tests/table.spec.ts b/packages/server/src/api/routes/tests/table.spec.ts index d6c1651ef0..f82476d412 100644 --- a/packages/server/src/api/routes/tests/table.spec.ts +++ b/packages/server/src/api/routes/tests/table.spec.ts @@ -1,4 +1,4 @@ -import { context, docIds, events } from "@budibase/backend-core" +import { context, docIds, events, roles } from "@budibase/backend-core" import { PROTECTED_EXTERNAL_COLUMNS, PROTECTED_INTERNAL_COLUMNS, @@ -189,6 +189,13 @@ describe.each([ ) } ) + + it("should create tables with ADMIN read and write permissions", async () => { + const table = await config.api.table.save(tableForDatasource(datasource)) + const { permissions } = await config.api.permission.get(table._id!) + expect(permissions.read.role).toEqual(roles.BUILTIN_ROLE_IDS.ADMIN) + expect(permissions.write.role).toEqual(roles.BUILTIN_ROLE_IDS.ADMIN) + }) }) describe("update", () => { diff --git a/packages/server/src/utilities/security.ts b/packages/server/src/utilities/security.ts index 01a3468c9c..40dba465f1 100644 --- a/packages/server/src/utilities/security.ts +++ b/packages/server/src/utilities/security.ts @@ -1,5 +1,6 @@ import { permissions, roles } from "@budibase/backend-core" import { DocumentType, VirtualDocumentType } from "../db/utils" +import { getDocumentType, getVirtualDocumentType } from "@budibase/types" export const CURRENTLY_SUPPORTED_LEVELS: string[] = [ permissions.PermissionLevel.WRITE, @@ -8,14 +9,16 @@ export const CURRENTLY_SUPPORTED_LEVELS: string[] = [ ] export function getPermissionType(resourceId: string) { - const docType = Object.values(DocumentType).filter(docType => - resourceId.startsWith(docType) - )[0] - switch (docType as DocumentType | VirtualDocumentType) { - case DocumentType.TABLE: - case DocumentType.ROW: + const virtualDocType = getVirtualDocumentType(resourceId) + switch (virtualDocType) { case VirtualDocumentType.VIEW: return permissions.PermissionType.TABLE + } + + const docType = getDocumentType(resourceId) + switch (docType) { + case DocumentType.TABLE: + case DocumentType.ROW: case DocumentType.AUTOMATION: return permissions.PermissionType.AUTOMATION case DocumentType.WEBHOOK: @@ -39,15 +42,18 @@ export function getBasePermissions(resourceId: string) { if (!role.permissionId) { continue } + const perms = permissions.getBuiltinPermissionByID(role.permissionId) if (!perms) { continue } + const typedPermission = perms.permissions.find(perm => perm.type === type) - if ( - typedPermission && - CURRENTLY_SUPPORTED_LEVELS.indexOf(typedPermission.level) !== -1 - ) { + if (!typedPermission) { + continue + } + + if (CURRENTLY_SUPPORTED_LEVELS.includes(typedPermission.level)) { const level = typedPermission.level basePermissions[level] = roles.lowerBuiltinRoleID( basePermissions[level], diff --git a/packages/types/src/documents/document.ts b/packages/types/src/documents/document.ts index f5facfae9d..2f0da1081a 100644 --- a/packages/types/src/documents/document.ts +++ b/packages/types/src/documents/document.ts @@ -42,6 +42,17 @@ export enum DocumentType { ROW_ACTIONS = "ra", } +// Because DocumentTypes can overlap, we need to make sure that we search +// longest first to ensure we get the correct type. +const sortedDocumentTypes = Object.values(DocumentType).sort( + (a, b) => b.length - a.length // descending +) +export function getDocumentType(id: string): DocumentType | undefined { + return sortedDocumentTypes.find(docType => + id.startsWith(`${docType}${SEPARATOR}`) + ) +} + // these are the core documents that make up the data, design // and automation sections of an app. This excludes any internal // rows as we shouldn't import data. @@ -72,6 +83,19 @@ export enum VirtualDocumentType { ROW_ACTION = "row_action", } +// Because VirtualDocumentTypes can overlap, we need to make sure that we search +// longest first to ensure we get the correct type. +const sortedVirtualDocumentTypes = Object.values(VirtualDocumentType).sort( + (a, b) => b.length - a.length // descending +) +export function getVirtualDocumentType( + id: string +): VirtualDocumentType | undefined { + return sortedVirtualDocumentTypes.find(docType => + id.startsWith(`${docType}${SEPARATOR}`) + ) +} + export interface Document { _id?: string _rev?: string