Adding a check for the tenant ID - to make sure it is a real tenant before forcing the user out of the platform based on it.
parent
b7fe83ad17
commit
70d91acc41
|
@ -1,6 +1,6 @@
|
|||
<script>
|
||||
import { isActive, redirect, params } from "@roxi/routify"
|
||||
import { admin, auth, licensing } from "stores/portal"
|
||||
import { admin, auth, licensing, tenants } from "stores/portal"
|
||||
import { onMount } from "svelte"
|
||||
import { CookieUtils, Constants } from "@budibase/frontend-core"
|
||||
import { API } from "api"
|
||||
|
@ -41,6 +41,12 @@
|
|||
return
|
||||
}
|
||||
|
||||
// check if real tenant
|
||||
const info = await tenants.info(urlTenantId)
|
||||
if (!info.exists) {
|
||||
return
|
||||
}
|
||||
|
||||
if (urlTenantId && user.tenantId !== urlTenantId) {
|
||||
// user should not be here - play it safe and log them out
|
||||
try {
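Review bot: The new lookup `tenants.info(urlTenantId)` runs before the existing `urlTenantId &&` guard, so it is also issued when the URL carries no tenant ID, which would request `/api/system/tenants/undefined/info`. Guarding it keeps the check scoped to the case it is meant for: `if (urlTenantId) { const info = await tenants.info(urlTenantId); if (!info.exists) return }`. Separately, if the request rejects (network error, non-2xx), the exception leaves this function before the tenant-mismatch logout below is evaluated. The enclosing function starts and ends outside the hunk, so whether a caller handles that is not visible here. It is worth deciding explicitly whether a failed lookup should skip the logout or fall through to it.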
|
||||
|
|
|
@ -14,3 +14,4 @@ export { overview } from "./overview"
|
|||
export { environment } from "./environment"
|
||||
export { menu } from "./menu"
|
||||
export { auditLogs } from "./auditLogs"
|
||||
export { tenants } from "./tenants"
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
import { writable, get } from "svelte/store"
|
||||
import { API } from "api"
|
||||
|
||||
export function tenantsStore() {
|
||||
const store = writable({ tenantInfo: {} })
|
||||
|
||||
return {
|
||||
info: async tenantId => {
|
||||
const contents = get(store)
|
||||
const found = contents.tenantInfo[tenantId]
|
||||
if (found) {
|
||||
return found
|
||||
}
|
||||
const tenantInfo = await API.getTenantInfo(tenantId)
|
||||
store.update(state => {
|
||||
state.tenantInfo[tenantId] = tenantInfo
|
||||
return state
|
||||
})
|
||||
return tenantInfo
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
export const tenants = tenantsStore()
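Review bot: The cache lookup `contents.tenantInfo[tenantId]` indexes a plain `{}` with a value that comes from the URL, so a tenant ID equal to an inherited property name such as `constructor` is reported as "found" and returned without asking the server. Creating the cache with `writable({ tenantInfo: Object.create(null) })`, or testing `Object.hasOwn(contents.tenantInfo, tenantId)` before returning, avoids that. The store also caches `{ exists: false }` for the lifetime of the page, so a tenant created after the first lookup keeps reading as non-existent until reload. A short comment on `info` stating that negative results are cached would make that behaviour deliberate.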
|
|
@ -29,6 +29,7 @@ import { buildBackupsEndpoints } from "./backups"
|
|||
import { buildEnvironmentVariableEndpoints } from "./environmentVariables"
|
||||
import { buildEventEndpoints } from "./events"
|
||||
import { buildAuditLogsEndpoints } from "./auditLogs"
|
||||
import { buildTenantEndpoints } from "./tenants"
|
||||
|
||||
const defaultAPIClientConfig = {
|
||||
/**
|
||||
|
@ -253,5 +254,6 @@ export const createAPIClient = config => {
|
|||
...buildEnvironmentVariableEndpoints(API),
|
||||
...buildEventEndpoints(API),
|
||||
...buildAuditLogsEndpoints(API),
|
||||
...buildTenantEndpoints(API),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
export const buildTenantEndpoints = API => ({
|
||||
/**
|
||||
* Get information about a tenant
|
||||
*/
|
||||
getTenantInfo: async tenantId => {
|
||||
return await API.get({ url: `/api/system/tenants/${tenantId}/info` })
|
||||
},
|
||||
})
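Review bot: `getTenantInfo` interpolates `tenantId` into the path unencoded, and the caller in this commit passes a value read from the URL, so a value containing `/`, `?` or `#` changes which endpoint is requested. Encoding the segment keeps the request on the intended route: ``url: `/api/system/tenants/${encodeURIComponent(tenantId)}/info` ``. The doc comment could also state the response shape, e.g. `Get information about a tenant; resolves to { exists: boolean }`.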
|
|
@ -17,3 +17,7 @@ export async function destroy(ctx: UserCtx) {
|
|||
throw err
|
||||
}
|
||||
}
|
||||
|
||||
export async function info(ctx: UserCtx) {
|
||||
ctx.body = await tenantSdk.tenantInfo(ctx.params.tenantId)
|
||||
}
|
||||
|
|
|
@ -10,4 +10,6 @@ router.delete(
|
|||
controller.destroy
|
||||
)
|
||||
|
||||
router.get("/api/system/tenants/:tenantId/info", controller.info)
|
||||
|
||||
export default router
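Review bot: The new `router.get("/api/system/tenants/:tenantId/info", controller.info)` is registered with no authorization middleware on the line itself, and it tells any caller that can reach it whether a given tenant ID exists. Whether the route is public or session-protected is decided outside this hunk, so the intended access level should be written next to it, for example `// returns only { exists }; callable by any authenticated user (confirm)`. If it is meant to be reachable without a session, it should sit behind the same rate limiting as the login endpoints, since it allows tenant IDs to be enumerated. The spec added in this commit calls the route only with `config.defaultHeaders()`, so it does not pin the behaviour for an unauthenticated request.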
|
||||
|
|
|
@ -58,4 +58,17 @@ describe("/api/global/tenants", () => {
|
|||
expect(res.body).toEqual(config.adminOnlyResponse())
|
||||
})
|
||||
})
|
||||
|
||||
describe("GET /api/system/tenants/:tenantId/info", () => {
|
||||
it("allows retrieving information about the tenant", async () => {
|
||||
const user1 = await config.createTenant()
|
||||
const res = await config.api.tenants.info(user1.tenantId)
|
||||
expect(res.body.exists).toEqual(true)
|
||||
})
|
||||
|
||||
it("check a tenant that doesn't exist", async () => {
|
||||
const res = await config.api.tenants.info("cannot-exist-tenantid")
|
||||
expect(res.body.exists).toEqual(false)
|
||||
})
|
||||
})
|
||||
})
|
||||
|
|
|
@ -74,3 +74,10 @@ async function removeTenantUsers(tenantId: string) {
|
|||
throw err
|
||||
}
|
||||
}
|
||||
|
||||
export async function tenantInfo(tenantId: string) {
|
||||
const globalDbName = tenancy.getGlobalDBName(tenantId)
|
||||
return {
|
||||
exists: await dbCore.dbExists(globalDbName),
|
||||
}
|
||||
}
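Review bot: `tenantInfo` builds a database name from `tenantId` with `tenancy.getGlobalDBName(tenantId)` and probes it with `dbCore.dbExists`, and the controller in this commit forwards `ctx.params.tenantId` unchanged, so the string reaching the database layer is whatever the client put in the path. No format check is visible in this hunk. Rejecting IDs that do not match the project's tenant-ID format before the name is built, and returning `{ exists: false }` for them, keeps malformed input away from the DB lookup. A docstring stating that the function answers only "does the global DB for this tenant exist" would also help, because callers treat it as tenant validation.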
|
||||
|
|
|
@ -2,8 +2,10 @@ import TestConfiguration from "../TestConfiguration"
|
|||
import { TestAPI, TestAPIOpts } from "./base"
|
||||
|
||||
export class TenantAPI extends TestAPI {
|
||||
config: TestConfiguration
|
||||
constructor(config: TestConfiguration) {
|
||||
super(config)
|
||||
this.config = config
|
||||
}
|
||||
|
||||
delete = (tenantId: string, opts?: TestAPIOpts) => {
|
||||
|
@ -12,4 +14,11 @@ export class TenantAPI extends TestAPI {
|
|||
.set(opts?.headers)
|
||||
.expect(opts?.status ? opts.status : 204)
|
||||
}
|
||||
|
||||
info = (tenantId: string) => {
|
||||
return this.request
|
||||
.get(`/api/system/tenants/${tenantId}/info`)
|
||||
.set(this.config.defaultHeaders())
|
||||
.expect(200)
|
||||
}
|
||||
}
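Review bot: The new `info` helper hard-codes `.set(this.config.defaultHeaders())` and `.expect(200)`, whereas `delete` directly above takes `opts?: TestAPIOpts` for both headers and status. With that signature the spec cannot exercise the endpoint without credentials or assert a non-200 response. Matching the sibling keeps the helper usable for those cases: `info = (tenantId: string, opts?: TestAPIOpts) =>` with `.set(opts?.headers ?? this.config.defaultHeaders())` and `.expect(opts?.status ? opts.status : 200)`.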
|
||||
|
|