Make new tables require ADMIN permissions to read and write.

packages/server/src/api/routes/tests/table.spec.ts

@@ -1,4 +1,4 @@
-import { context, docIds, events } from "@budibase/backend-core"
+import { context, docIds, events, roles } from "@budibase/backend-core"
 import {
   PROTECTED_EXTERNAL_COLUMNS,
   PROTECTED_INTERNAL_COLUMNS,
@@ -189,6 +189,13 @@ describe.each([
         )
       }
     )
+
+    it("should create tables with ADMIN read and write permissions", async () => {
+      const table = await config.api.table.save(tableForDatasource(datasource))
+      const { permissions } = await config.api.permission.get(table._id!)
+      expect(permissions.read.role).toEqual(roles.BUILTIN_ROLE_IDS.ADMIN)
+      expect(permissions.write.role).toEqual(roles.BUILTIN_ROLE_IDS.ADMIN)
+    })
   })
 
   describe("update", () => {

packages/server/src/utilities/security.ts

@@ -1,5 +1,6 @@
 import { permissions, roles } from "@budibase/backend-core"
 import { DocumentType, VirtualDocumentType } from "../db/utils"
+import { getDocumentType, getVirtualDocumentType } from "@budibase/types"
 
 export const CURRENTLY_SUPPORTED_LEVELS: string[] = [
   permissions.PermissionLevel.WRITE,
@@ -8,14 +9,16 @@ export const CURRENTLY_SUPPORTED_LEVELS: string[] = [
 ]
 
 export function getPermissionType(resourceId: string) {
-  const docType = Object.values(DocumentType).filter(docType =>
+  const virtualDocType = getVirtualDocumentType(resourceId)
-    resourceId.startsWith(docType)
+  switch (virtualDocType) {
-  )[0]
-  switch (docType as DocumentType | VirtualDocumentType) {
-    case DocumentType.TABLE:
-    case DocumentType.ROW:
     case VirtualDocumentType.VIEW:
       return permissions.PermissionType.TABLE
+  }
+
+  const docType = getDocumentType(resourceId)
+  switch (docType) {
+    case DocumentType.TABLE:
+    case DocumentType.ROW:
     case DocumentType.AUTOMATION:
       return permissions.PermissionType.AUTOMATION
     case DocumentType.WEBHOOK:
@@ -39,15 +42,18 @@ export function getBasePermissions(resourceId: string) {
     if (!role.permissionId) {
       continue
     }
+
     const perms = permissions.getBuiltinPermissionByID(role.permissionId)
     if (!perms) {
       continue
     }
+
     const typedPermission = perms.permissions.find(perm => perm.type === type)
-    if (
+    if (!typedPermission) {
-      typedPermission &&
+      continue
-      CURRENTLY_SUPPORTED_LEVELS.indexOf(typedPermission.level) !== -1
+    }
-    ) {
+
+    if (CURRENTLY_SUPPORTED_LEVELS.includes(typedPermission.level)) {
       const level = typedPermission.level
       basePermissions[level] = roles.lowerBuiltinRoleID(
         basePermissions[level],

packages/types/src/documents/document.ts

@@ -42,6 +42,17 @@ export enum DocumentType {
   ROW_ACTIONS = "ra",
 }
 
+// Because DocumentTypes can overlap, we need to make sure that we search
+// longest first to ensure we get the correct type.
+const sortedDocumentTypes = Object.values(DocumentType).sort(
+  (a, b) => b.length - a.length // descending
+)
+export function getDocumentType(id: string): DocumentType | undefined {
+  return sortedDocumentTypes.find(docType =>
+    id.startsWith(`${docType}${SEPARATOR}`)
+  )
+}
+
 // these are the core documents that make up the data, design
 // and automation sections of an app. This excludes any internal
 // rows as we shouldn't import data.
@@ -72,6 +83,19 @@ export enum VirtualDocumentType {
   ROW_ACTION = "row_action",
 }
 
+// Because VirtualDocumentTypes can overlap, we need to make sure that we search
+// longest first to ensure we get the correct type.
+const sortedVirtualDocumentTypes = Object.values(VirtualDocumentType).sort(
+  (a, b) => b.length - a.length // descending
+)
+export function getVirtualDocumentType(
+  id: string
+): VirtualDocumentType | undefined {
+  return sortedVirtualDocumentTypes.find(docType =>
+    id.startsWith(`${docType}${SEPARATOR}`)
+  )
+}
+
 export interface Document {
   _id?: string
   _rev?: string