MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Check if resouce is allowed to change

This commit is contained in:
Adria Navarro 2023-08-21 17:56:19 +03:00
parent 28fac62239
commit 62579fab4e
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
packages/server/src/api/controllers/permission.ts
View File

@ -1,11 +1,12 @@
import { permissions, roles, context } from "@budibase/backend-core" import { permissions, roles, context, HTTPError } from "@budibase/backend-core"
import { UserCtx, Database, Role, PermissionLevel } from "@budibase/types"
import { getRoleParams } from "../../db/utils" import { getRoleParams } from "../../db/utils"
import { import {
CURRENTLY_SUPPORTED_LEVELS, CURRENTLY_SUPPORTED_LEVELS,
getBasePermissions, getBasePermissions,
} from "../../utilities/security" } from "../../utilities/security"
import { removeFromArray } from "../../utilities" import { removeFromArray } from "../../utilities"
import { UserCtx, Database, Role } from "@budibase/types" import sdk from "../../sdk"
const PermissionUpdateType = { const PermissionUpdateType = {
REMOVE: "remove", REMOVE: "remove",
@ -29,9 +30,21 @@ async function updatePermissionOnRole(
roleId, roleId,
resourceId, resourceId,
level, level,
}: { roleId: string; resourceId: string; level: string }, }: { roleId: string; resourceId: string; level: PermissionLevel },
updateType: string updateType: string
) { ) {
const allowedAction = await sdk.permissions.resourceActionAllowed({
resourceId,
level,
})
if (!allowedAction.allowed) {
throw new HTTPError(
`You are not allowed to '${allowedAction.level}' the resource type '${allowedAction.resourceType}'`,
403
)
}
const db = context.getAppDB() const db = context.getAppDB()
const remove = updateType === PermissionUpdateType.REMOVE const remove = updateType === PermissionUpdateType.REMOVE
const isABuiltin = roles.isBuiltin(roleId) const isABuiltin = roles.isBuiltin(roleId)