Formatting and adding routing checks to push the user out of admin menus when they are not an admin.

2021-05-21 17:12:25 +01:00 · 2021-05-21 17:12:25 +01:00 · 59de40c4ef
parent 348c61a8c5
commit 59de40c4ef
9 changed files with 50 additions and 10 deletions
--- a/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte
@ -1,5 +1,12 @@
 <script>
+  import { redirect } from "@roxi/routify"
  import { Page } from "@budibase/bbui"
+  import { auth } from "../../../../../stores/portal"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
 </script>

 <Page>
--- a/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte
@ -1,5 +1,12 @@
 <script>
-  import { email } from "stores/portal"
+  import { redirect } from "@roxi/routify"
+  import { auth, email } from "stores/portal"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
+
  email.templates.fetch()
 </script>

--- a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
@ -129,10 +129,10 @@
        <div class="field">
          <Label size="L">Administration access</Label>
          <Toggle
-              text=""
-              value={$userFetch?.data?.admin?.global}
-              on:change={toggleAdminAccess}
-              disabled={toggleDisabled}
+            text=""
+            value={$userFetch?.data?.admin?.global}
+            on:change={toggleAdminAccess}
+            disabled={toggleDisabled}
          />
        </div>
      {/if}
--- a/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte
@ -1,5 +1,12 @@
 <script>
  import { Page } from "@budibase/bbui"
+  import { auth } from "../../../../../stores/portal"
+  import { redirect } from "@roxi/routify"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../../portal")
+  }
 </script>

 <Page>
--- a/packages/builder/src/pages/builder/portal/settings/index.svelte
+++ b/packages/builder/src/pages/builder/portal/settings/index.svelte
@ -1,4 +1,4 @@
 <script>
  import { goto } from "@roxi/routify"
-  $goto("./general")
+  $goto("./organisation")
 </script>
--- a/packages/builder/src/pages/builder/portal/settings/organisation.svelte
+++ b/packages/builder/src/pages/builder/portal/settings/organisation.svelte
@ -11,10 +11,16 @@
    Dropzone,
    notifications,
  } from "@budibase/bbui"
-  import { organisation } from "stores/portal"
+  import { auth, organisation } from "stores/portal"
  import { post } from "builderStore/api"
  import analytics from "analytics"
  import { writable } from "svelte/store"
+  import { redirect } from "@roxi/routify"
+
+  // only admins allowed here
+  if (!$auth.isAdmin) {
+    $redirect("../../portal")
+  }

  const values = writable({
    analytics: !analytics.disabled(),
--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
@ -5,19 +5,27 @@ export function createAuthStore() {
  const user = writable(null)
  const store = derived(user, $user => {
    let initials = null
+    let isAdmin = false
+    let isBuilder = false
    if ($user) {
      if ($user.firstName) {
        initials = $user.firstName[0]
        if ($user.lastName) {
          initials += $user.lastName[0]
        }
-      } else {
+      } else if ($user.email) {
        initials = $user.email[0]
+      } else {
+        initials = "Unknown"
      }
+      isAdmin = !!$user.admin?.global
+      isBuilder = !!$user.builder?.global
    }
    return {
      user: $user,
      initials,
+      isAdmin,
+      isBuilder,
    }
  })

@ -29,6 +37,7 @@ export function createAuthStore() {
        user.set(null)
      } else {
        const json = await response.json()
+        console.log(json)
        user.set(json)
      }
    },
--- a/packages/worker/src/api/routes/admin/users.js
+++ b/packages/worker/src/api/routes/admin/users.js
@ -56,7 +56,6 @@ router
  )
  .get("/api/admin/users", adminOnly, controller.fetch)
  .delete("/api/admin/users/:id", adminOnly, controller.destroy)
-  .get("/api/admin/users/:id", adminOnly, controller.find)
  .get("/api/admin/roles/:appId")
  .post(
    "/api/admin/users/invite",
@ -77,5 +76,7 @@ router
  )
  .post("/api/admin/users/init", controller.adminUser)
  .get("/api/admin/users/self", controller.getSelf)
+  // admin endpoint but needs to come at end (blocks other endpoints otherwise)
+  .get("/api/admin/users/:id", adminOnly, controller.find)

 module.exports = router
--- a/packages/worker/src/middleware/adminOnly.js
+++ b/packages/worker/src/middleware/adminOnly.js
@ -1,5 +1,8 @@
 module.exports = async (ctx, next) => {
-  if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
+  if (
+    !ctx.internal &&
+    (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
+  ) {
    ctx.throw(403, "Admin user only endpoint.")
  }
  return next()