Merge pull request #11769 from Budibase/fix/BUDI-7258

Don't allow adding new users to user metadata table within apps
This commit is contained in:
Michael Drury 2023-09-19 16:02:40 +01:00 committed by GitHub
commit 3588984af2
3 changed files with 56 additions and 1 deletions


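--- a/[PATH-NOT-SHOWN-ON-PAGE: row controller]
+++ b/[PATH-NOT-SHOWN-ON-PAGE: row controller]
@@ -72,6 +72,11 @@ export const save = async (ctx: UserCtx<Row, Row>) => {
   const tableId = utils.getTableId(ctx)
   const body = ctx.request.body
+  // user metadata doesn't exist yet - don't allow creation
+  if (utils.isUserMetadataTable(tableId) && !body._rev) {
+    ctx.throw(400, "Cannot create new user entry.")
+  }
   // if it has an ID already then its a patch
   if (body && body._id) {
     return patch(ctx as UserCtx<PatchRowRequest, PatchRowResponse>)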
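Review bot: The new guard `if (utils.isUserMetadataTable(tableId) && !body._rev)` dereferences `body` before the existing `if (body && body._id)` line establishes that it is defined, so a request to the user table with no body turns into a TypeError rather than the intended 400. It also keys "row already exists" on `_rev` alone: a body carrying a `_rev` but no `_id` passes this guard and then skips the patch branch, so whether it still reaches the creation path depends on code below the hunk — worth confirming, since refusing creation is the whole point of the check. Suggest tying the guard to the same signal the patch branch uses: `if (utils.isUserMetadataTable(tableId) && !(body?._id && body?._rev)) {`. `save` continues past the end of the hunk.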


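--- a/[PATH-NOT-SHOWN-ON-PAGE: row utils]
+++ b/[PATH-NOT-SHOWN-ON-PAGE: row utils]
@@ -146,3 +146,36 @@ export async function validate({
   }
   return { valid: Object.keys(errors).length === 0, errors }
 }
+// don't do a pure falsy check, as 0 is included
+// https://github.com/Budibase/budibase/issues/10118
+export function removeEmptyFilters(filters: SearchFilters) {
+  for (let filterField of NoEmptyFilterStrings) {
+    if (!filters[filterField]) {
+      continue
+    }
+    for (let filterType of Object.keys(filters)) {
+      if (filterType !== filterField) {
+        continue
+      }
+      // don't know which one we're checking, type could be anything
+      const value = filters[filterType] as unknown
+      if (typeof value === "object") {
+        for (let [key, value] of Object.entries(
+          filters[filterType] as object
+        )) {
+          if (value == null || value === "") {
+            // @ts-ignore
+            delete filters[filterField][key]
+          }
+        }
+      }
+    }
+  }
+  return filters
+}
+export function isUserMetadataTable(tableId: string) {
+  return tableId === InternalTables.USER_METADATA
+}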
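Review bot: `removeEmptyFilters` suppresses a type error with `// @ts-ignore` on the `delete` and shadows `value` (the outer `const value` used for the `typeof` check and the inner loop binding), which makes this filter-stripping logic harder to audit than it needs to be; the inner `for (let filterType of Object.keys(filters))` loop can only ever match the single key `filterField`, so it is a long-hand property lookup. Reading `filters[filterField]` once into a typed local and deleting from it directly gives the same result — entries that are null, undefined or the empty string are dropped and `0` is kept, as the comment intends — without the suppression or the shadowing. `isUserMetadataTable` would also benefit from a TSDoc line such as `/** Whether `tableId` refers to the internal user metadata table. */`.
```typescript
export function removeEmptyFilters(filters: SearchFilters) {
  for (const filterField of NoEmptyFilterStrings) {
    const group = filters[filterField] as Record<string, unknown> | undefined
    // falsy or non-object groups are left untouched, as before
    if (group == null || typeof group !== "object") {
      continue
    }
    for (const [key, value] of Object.entries(group)) {
      if (value == null || value === "") {
        delete group[key]
      }
    }
  }
  return filters
}
// … unchanged: isUserMetadataTable …
```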


@ -3,7 +3,7 @@ import { databaseTestProviders } from "../../../integrations/tests/utils"
import tk from "timekeeper" import tk from "timekeeper"
import { outputProcessing } from "../../../utilities/rowProcessor" import { outputProcessing } from "../../../utilities/rowProcessor"
import * as setup from "./utilities" import * as setup from "./utilities"
import { context, roles, tenancy } from "@budibase/backend-core" import { context, InternalTable, roles, tenancy } from "@budibase/backend-core"
import { quotas } from "@budibase/pro" import { quotas } from "@budibase/pro"
import { import {
FieldType, FieldType,
@ -1415,6 +1415,23 @@ describe.each([
}) })
}) })
isInternal &&
it("doesn't allow creating in user table", async () => {
const userTableId = InternalTable.USER_METADATA
const response = await config.api.row.save(
userTableId,
{
tableId: userTableId,
firstName: "Joe",
lastName: "Joe",
email: "joe@joe.com",
roles: {},
},
{ expectStatus: 400 }
)
expect(response.message).toBe("Cannot create new user entry.")
})
describe("permissions", () => { describe("permissions", () => {
let viewId: string let viewId: string
let tableId: string let tableId: string
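Review bot: The new test at `it("doesn't allow creating in user table", ...)` only exercises the case where both `_id` and `_rev` are absent from the body, which is the narrowest way to hit the new guard; since the controller check in the first section rejects on `!body._rev` alone, a body that supplies a `_rev` but no `_id` is the shape most worth pinning and it is not covered here. Consider a second `isInternal && it(...)` case that posts the same body plus a constructed `_rev` (e.g. `_rev: "1-placeholder"`) and still expects status 400 and the same message. The enclosing `describe.each` block starts before this hunk.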