From 59de40c4ef93c677cde7456f03575f17e685ae29 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Fri, 21 May 2021 17:12:25 +0100
Subject: [PATCH] Formatting and adding routing checks to push the user out of admin menus when they are not an admin.
---
 .../pages/builder/portal/manage/auth/_layout.svelte | 7 +++++++
 .../pages/builder/portal/manage/email/_layout.svelte | 9 ++++++++-
 .../pages/builder/portal/manage/users/[userId].svelte | 8 ++++----
 .../pages/builder/portal/manage/users/_layout.svelte | 7 +++++++
 .../src/pages/builder/portal/settings/index.svelte | 2 +-
 .../pages/builder/portal/settings/organisation.svelte | 8 +++++++-
 packages/builder/src/stores/portal/auth.js | 11 ++++++++++-
 packages/worker/src/api/routes/admin/users.js | 3 ++-
 packages/worker/src/middleware/adminOnly.js | 5 ++++-
 9 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte b/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte
index f9c2067a94..12cbf48b22 100644
--- a/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/auth/_layout.svelte
@@ -1,5 +1,12 @@
diff --git a/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte b/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte
index 188f0bb016..22e786bcb9 100644
--- a/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/email/_layout.svelte
@@ -1,5 +1,12 @@
diff --git a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
index b9cfe1cc7d..983b31168c 100644
--- a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
@@ -129,10 +129,10 @@
{/if}
diff --git a/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte b/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte
index f9c2067a94..8b8295d2a3 100644
--- a/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/_layout.svelte
@@ -1,5 +1,12 @@
diff --git a/packages/builder/src/pages/builder/portal/settings/index.svelte b/packages/builder/src/pages/builder/portal/settings/index.svelte
index 9e264e0583..57825a095b 100644
--- a/packages/builder/src/pages/builder/portal/settings/index.svelte
+++ b/packages/builder/src/pages/builder/portal/settings/index.svelte
@@ -1,4 +1,4 @@
diff --git a/packages/builder/src/pages/builder/portal/settings/organisation.svelte b/packages/builder/src/pages/builder/portal/settings/organisation.svelte
index ec278fa0e4..938e48039e 100644
--- a/packages/builder/src/pages/builder/portal/settings/organisation.svelte
+++ b/packages/builder/src/pages/builder/portal/settings/organisation.svelte
@@ -11,10 +11,16 @@
 Dropzone,
 notifications,
 } from "@budibase/bbui"
- import { organisation } from "stores/portal"
+ import { auth, organisation } from "stores/portal"
 import { post } from "builderStore/api"
 import analytics from "analytics"
 import { writable } from "svelte/store"
+ import { redirect } from "@roxi/routify"
+
+ // only admins allowed here
+ if (!$auth.isAdmin) {
+ $redirect("../../portal")
+ }
 
 const values = writable({
 analytics: !analytics.disabled(),
diff --git a/packages/builder/src/stores/portal/auth.js b/packages/builder/src/stores/portal/auth.js
index 517aad9fc4..d0739f2a0f 100644
--- a/packages/builder/src/stores/portal/auth.js
+++ b/packages/builder/src/stores/portal/auth.js
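Review bot: The `if (!$auth.isAdmin)` guard added after the imports runs once at component initialisation, and the auth store on the new side of the auth.js hunk in this same patch derives `isAdmin` as `false` whenever `$user` is null, so an admin who reaches this page before the user record has been fetched would be redirected to the portal exactly like a non-admin; worth confirming that the store is populated before this script executes, or gating the redirect on the user having loaded. The redirect is a navigation convenience rather than an access-control boundary, and the comment should say so to stop a future reader from relying on it: `// only admins allowed here (UI guard only; the worker's adminOnly middleware enforces this server-side)`. The same guard presumably appears in the three `_layout.svelte` hunks, whose bodies are not visible in this view. The enclosing `<script>` block starts before and continues after this hunk.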
@@ -5,19 +5,27 @@ export function createAuthStore() {
 const user = writable(null)
 const store = derived(user, $user => {
 let initials = null
+ let isAdmin = false
+ let isBuilder = false
 if ($user) {
 if ($user.firstName) {
 initials = $user.firstName[0]
 if ($user.lastName) {
 initials += $user.lastName[0]
 }
- } else {
+ } else if ($user.email) {
 initials = $user.email[0]
+ } else {
+ initials = "Unknown"
 }
+ isAdmin = !!$user.admin?.global
+ isBuilder = !!$user.builder?.global
 }
 return {
 user: $user,
 initials,
+ isAdmin,
+ isBuilder,
 }
 })
 
@@ -29,6 +37,7 @@ export function createAuthStore() {
 user.set(null)
 } else {
 const json = await response.json()
+ console.log(json)
 user.set(json)
 }
 },
diff --git a/packages/worker/src/api/routes/admin/users.js b/packages/worker/src/api/routes/admin/users.js
index 6a6654f5e6..f334f05e7d 100644
--- a/packages/worker/src/api/routes/admin/users.js
+++ b/packages/worker/src/api/routes/admin/users.js
@@ -56,7 +56,6 @@ router
 )
 .get("/api/admin/users", adminOnly, controller.fetch)
 .delete("/api/admin/users/:id", adminOnly, controller.destroy)
- .get("/api/admin/users/:id", adminOnly, controller.find)
 .get("/api/admin/roles/:appId")
 .post(
 "/api/admin/users/invite",
@@ -77,5 +76,7 @@ router
 )
 .post("/api/admin/users/init", controller.adminUser)
 .get("/api/admin/users/self", controller.getSelf)
+ // admin endpoint but needs to come at end (blocks other endpoints otherwise)
+ .get("/api/admin/users/:id", adminOnly, controller.find)
 
 module.exports = router
diff --git a/packages/worker/src/middleware/adminOnly.js b/packages/worker/src/middleware/adminOnly.js
index 8f56eb7943..4bfdf83848 100644
--- a/packages/worker/src/middleware/adminOnly.js
+++ b/packages/worker/src/middleware/adminOnly.js
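Review bot: The `console.log(json)` added in the second auth.js hunk writes the complete user record returned by the response to the browser console on every refresh of the store; it reads as a debugging leftover and should be removed, leaving `user.set(json)` as the only consumer of the parsed body. Anything in that record beyond the display fields the store actually reads (`firstName`, `lastName`, `email`, `admin.global`, `builder.global`) would end up in dev-tools output and in any console-capturing tooling. The enclosing function continues outside the hunk.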
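Review bot: The comment above the relocated `.get("/api/admin/users/:id", adminOnly, controller.find)` should name which routes the `:id` pattern shadows and why that matters, because registration order is now both a correctness and an authorisation dependency: `:id` also matches `/api/admin/users/self` and `/api/admin/users/init`, and registered earlier it would run `adminOnly` and return 403 to non-admins before `getSelf` or `adminUser` were reached. Suggested wording: `// keep last: "/api/admin/users/:id" also matches "/self" and "/init"; registered earlier, adminOnly would reject non-admins before those handlers run`. The comment should also make clear that any future static `/api/admin/users/<name>` route added below this line would be shadowed again. The `router` chain this hunk belongs to begins before the hunk.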
@@ -1,5 +1,8 @@
 module.exports = async (ctx, next) => {
- if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
+ if (
+ !ctx.internal &&
+ (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
+ ) {
 ctx.throw(403, "Admin user only endpoint.")
 }
 return next()