Formatting and adding routing checks to push the user out of admin menus when they are not an admin.

This commit is contained in:
mike12345567 2021-05-21 17:12:25 +01:00
parent 348c61a8c5
commit 59de40c4ef
9 changed files with 50 additions and 10 deletions

View File

@ -1,5 +1,12 @@
<script> <script>
import { redirect } from "@roxi/routify"
import { Page } from "@budibase/bbui" import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script> </script>
<Page> <Page>

View File

@ -1,5 +1,12 @@
<script> <script>
import { email } from "stores/portal" import { redirect } from "@roxi/routify"
import { auth, email } from "stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
email.templates.fetch() email.templates.fetch()
</script> </script>

View File

@ -129,10 +129,10 @@
<div class="field"> <div class="field">
<Label size="L">Administration access</Label> <Label size="L">Administration access</Label>
<Toggle <Toggle
text="" text=""
value={$userFetch?.data?.admin?.global} value={$userFetch?.data?.admin?.global}
on:change={toggleAdminAccess} on:change={toggleAdminAccess}
disabled={toggleDisabled} disabled={toggleDisabled}
/> />
</div> </div>
{/if} {/if}

View File

@ -1,5 +1,12 @@
<script> <script>
import { Page } from "@budibase/bbui" import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script> </script>
<Page> <Page>

View File

@ -1,4 +1,4 @@
<script> <script>
import { goto } from "@roxi/routify" import { goto } from "@roxi/routify"
$goto("./general") $goto("./organisation")
</script> </script>

View File

@ -11,10 +11,16 @@
Dropzone, Dropzone,
notifications, notifications,
} from "@budibase/bbui" } from "@budibase/bbui"
import { organisation } from "stores/portal" import { auth, organisation } from "stores/portal"
import { post } from "builderStore/api" import { post } from "builderStore/api"
import analytics from "analytics" import analytics from "analytics"
import { writable } from "svelte/store" import { writable } from "svelte/store"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../portal")
}
const values = writable({ const values = writable({
analytics: !analytics.disabled(), analytics: !analytics.disabled(),

View File

@ -5,19 +5,27 @@ export function createAuthStore() {
const user = writable(null) const user = writable(null)
const store = derived(user, $user => { const store = derived(user, $user => {
let initials = null let initials = null
let isAdmin = false
let isBuilder = false
if ($user) { if ($user) {
if ($user.firstName) { if ($user.firstName) {
initials = $user.firstName[0] initials = $user.firstName[0]
if ($user.lastName) { if ($user.lastName) {
initials += $user.lastName[0] initials += $user.lastName[0]
} }
} else { } else if ($user.email) {
initials = $user.email[0] initials = $user.email[0]
} else {
initials = "Unknown"
} }
isAdmin = !!$user.admin?.global
isBuilder = !!$user.builder?.global
} }
return { return {
user: $user, user: $user,
initials, initials,
isAdmin,
isBuilder,
} }
}) })
@ -29,6 +37,7 @@ export function createAuthStore() {
user.set(null) user.set(null)
} else { } else {
const json = await response.json() const json = await response.json()
console.log(json)
user.set(json) user.set(json)
} }
}, },

View File

@ -56,7 +56,6 @@ router
) )
.get("/api/admin/users", adminOnly, controller.fetch) .get("/api/admin/users", adminOnly, controller.fetch)
.delete("/api/admin/users/:id", adminOnly, controller.destroy) .delete("/api/admin/users/:id", adminOnly, controller.destroy)
.get("/api/admin/users/:id", adminOnly, controller.find)
.get("/api/admin/roles/:appId") .get("/api/admin/roles/:appId")
.post( .post(
"/api/admin/users/invite", "/api/admin/users/invite",
@ -77,5 +76,7 @@ router
) )
.post("/api/admin/users/init", controller.adminUser) .post("/api/admin/users/init", controller.adminUser)
.get("/api/admin/users/self", controller.getSelf) .get("/api/admin/users/self", controller.getSelf)
// admin endpoint but needs to come at end (blocks other endpoints otherwise)
.get("/api/admin/users/:id", adminOnly, controller.find)
module.exports = router module.exports = router

View File

@ -1,5 +1,8 @@
module.exports = async (ctx, next) => { module.exports = async (ctx, next) => {
if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) { if (
!ctx.internal &&
(!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
) {
ctx.throw(403, "Admin user only endpoint.") ctx.throw(403, "Admin user only endpoint.")
} }
return next() return next()