Adding a check for the tenant ID - to make sure it is a real tenant before forcing the user out of the platform based on it.

mike12345567 2023-03-29 14:19:54 +01:00
parent b7fe83ad17
commit 70d91acc41
10 changed files with 77 additions and 1 deletions


@ -1,6 +1,6 @@
<script>
import { isActive, redirect, params } from "@roxi/routify"
import { admin, auth, licensing } from "stores/portal"
import { admin, auth, licensing, tenants } from "stores/portal"
import { onMount } from "svelte"
import { CookieUtils, Constants } from "@budibase/frontend-core"
import { API } from "api"
@ -41,6 +41,12 @@
return
}
// check if real tenant
const info = await tenants.info(urlTenantId)
if (!info.exists) {
return
}
if (urlTenantId && user.tenantId !== urlTenantId) {
// user should not be here - play it safe and log them out
try {
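Review bot: The new `tenants.info(urlTenantId)` call runs before the existing `urlTenantId &&` guard in the next condition, so a page with no tenant ID in the URL still triggers a lookup for an undefined ID. No handling for a rejected request is visible in the hunk, so a failed lookup would skip the mismatch logout unless a caller catches it. Guard the lookup, `if (urlTenantId) { const info = await tenants.info(urlTenantId); if (!info.exists) return }`, and add a comment saying whether a failed lookup is meant to leave the session in place. The enclosing function starts and ends outside the hunk, so an earlier guard may already cover the empty case.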


@ -14,3 +14,4 @@ export { overview } from "./overview"
export { environment } from "./environment"
export { menu } from "./menu"
export { auditLogs } from "./auditLogs"
export { tenants } from "./tenants"


@ -0,0 +1,24 @@
import { writable, get } from "svelte/store"
import { API } from "api"
export function tenantsStore() {
const store = writable({ tenantInfo: {} })
return {
info: async tenantId => {
const contents = get(store)
const found = contents.tenantInfo[tenantId]
if (found) {
return found
}
const tenantInfo = await API.getTenantInfo(tenantId)
store.update(state => {
state.tenantInfo[tenantId] = tenantInfo
return state
})
return tenantInfo
},
}
}
export const tenants = tenantsStore()
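Review bot: The cache in `tenantsStore` is a plain object indexed by `tenantId`, which the caller appears to take from the URL, so `contents.tenantInfo[tenantId]` also resolves inherited keys such as `constructor` and returns that truthy value without calling the API. Create the cache without a prototype, `const store = writable({ tenantInfo: Object.create(null) })`, or test membership with `Object.hasOwn(contents.tenantInfo, tenantId)`. An `exists: false` answer is also cached for the lifetime of the store, so a tenant created later is not seen until reload; a short comment saying whether that is intended would help.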


@ -29,6 +29,7 @@ import { buildBackupsEndpoints } from "./backups"
import { buildEnvironmentVariableEndpoints } from "./environmentVariables"
import { buildEventEndpoints } from "./events"
import { buildAuditLogsEndpoints } from "./auditLogs"
import { buildTenantEndpoints } from "./tenants"
const defaultAPIClientConfig = {
/**
@ -253,5 +254,6 @@ export const createAPIClient = config => {
...buildEnvironmentVariableEndpoints(API),
...buildEventEndpoints(API),
...buildAuditLogsEndpoints(API),
...buildTenantEndpoints(API),
}
}


@ -0,0 +1,8 @@
export const buildTenantEndpoints = API => ({
/**
* Get information about a tenant
*/
getTenantInfo: async tenantId => {
return await API.get({ url: `/api/system/tenants/${tenantId}/info` })
},
})
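Review bot: `getTenantInfo` interpolates `tenantId` into the request path unencoded, and the value reaching it appears to originate from the page URL, so an ID containing `/`, `?` or `#` changes which path is requested. Encode the segment by using `${encodeURIComponent(tenantId)}` in place of `${tenantId}` in the template. The doc comment could also state the response shape, `{ exists: boolean }`, since that is the only field the caller reads.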


@ -17,3 +17,7 @@ export async function destroy(ctx: UserCtx) {
throw err
}
}
export async function info(ctx: UserCtx) {
ctx.body = await tenantSdk.tenantInfo(ctx.params.tenantId)
}
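Review bot: `info` passes `ctx.params.tenantId` to `tenantSdk.tenantInfo` with no format check, and the `tenantInfo` function added later in this commit turns it into a database name via `tenancy.getGlobalDBName` and probes it with `dbCore.dbExists`. How that name is built is not visible here, but a path parameter should not be able to steer an existence probe at arbitrary database names. Reject IDs outside the expected tenant-ID format before the lookup, either with a 400 or by returning `{ exists: false }`. A doc comment noting that the response is deliberately limited to `exists` would help keep later additions from exposing tenant details.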


@ -10,4 +10,6 @@ router.delete(
controller.destroy
)
router.get("/api/system/tenants/:tenantId/info", controller.info)
export default router
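Review bot: The new `router.get` registers `controller.info` with no middleware argument, while the `router.delete(` call just above passes `controller.destroy` as the last of several arguments (the earlier ones lie outside the hunk). The endpoint answers whether an arbitrary tenant ID exists, so it can be used to enumerate tenants; the intended access level should be stated in a comment on this line. Whether a global auth layer or a public-route list covers this path is not visible here. If the route is reachable without authentication, rate limiting on it is worth considering.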


@ -58,4 +58,17 @@ describe("/api/global/tenants", () => {
expect(res.body).toEqual(config.adminOnlyResponse())
})
})
describe("GET /api/system/tenants/:tenantId/info", () => {
it("allows retrieving information about the tenant", async () => {
const user1 = await config.createTenant()
const res = await config.api.tenants.info(user1.tenantId)
expect(res.body.exists).toEqual(true)
})
it("check a tenant that doesn't exist", async () => {
const res = await config.api.tenants.info("cannot-exist-tenantid")
expect(res.body.exists).toEqual(false)
})
})
})
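Review bot: Both new tests go through `config.api.tenants.info`, which always sends the default headers, and both use well-formed IDs, so nothing pins who may call `GET /api/system/tenants/:tenantId/info` or how it treats a malformed ID. Add one case that sends the request without auth headers and asserts the intended status, and one with an ID containing characters outside the tenant-ID format. The second test's title would read more clearly as `it("returns exists: false for a tenant that doesn't exist", ...)`.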


@ -74,3 +74,10 @@ async function removeTenantUsers(tenantId: string) {
throw err
}
}
export async function tenantInfo(tenantId: string) {
const globalDbName = tenancy.getGlobalDBName(tenantId)
return {
exists: await dbCore.dbExists(globalDbName),
}
}
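Review bot: `tenantInfo` has no declared return type or doc comment, so the contract the frontend relies on (`exists`) is only implied by the object literal. Declare it, `export async function tenantInfo(tenantId: string): Promise<{ exists: boolean }>`, and add a comment that the result is derived solely from `dbCore.dbExists` on the name returned by `tenancy.getGlobalDBName`. That makes it clear to later editors that this function is an existence check and should not grow tenant details without an access review.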


@ -2,8 +2,10 @@ import TestConfiguration from "../TestConfiguration"
import { TestAPI, TestAPIOpts } from "./base"
export class TenantAPI extends TestAPI {
config: TestConfiguration
constructor(config: TestConfiguration) {
super(config)
this.config = config
}
delete = (tenantId: string, opts?: TestAPIOpts) => {
@ -12,4 +14,11 @@ export class TenantAPI extends TestAPI {
.set(opts?.headers)
.expect(opts?.status ? opts.status : 204)
}
info = (tenantId: string) => {
return this.request
.get(`/api/system/tenants/${tenantId}/info`)
.set(this.config.defaultHeaders())
.expect(200)
}
}
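Review bot: `info` does not take the `opts?: TestAPIOpts` parameter that `delete` accepts, and it hard-codes `.expect(200)` and the default headers, so the helper cannot drive unauthenticated or rejected requests. Mirror `delete` with `info = (tenantId: string, opts?: TestAPIOpts) =>`, then `.set(opts?.headers ?? this.config.defaultHeaders())` and `.expect(opts?.status ?? 200)`.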