Use middleware for checks

2023-07-31 10:38:31 +02:00 · 2023-07-31 10:38:31 +02:00 · 7a9a997d73
parent 5cfddabac7
commit 7a9a997d73
3 changed files with 22 additions and 8 deletions
--- a/packages/server/src/api/controllers/row/index.ts
+++ b/packages/server/src/api/controllers/row/index.ts
@ -35,10 +35,6 @@ export async function patch(
  const tableId = utils.getTableId(ctx)
  const body = ctx.request.body

-  if (body._viewId) {
-    ctx.throw(400, "Table row endpoints cannot contain view info")
-  }
-
  // if it doesn't have an _id then its save
  if (body && !body._id) {
    return save(ctx)
@ -69,10 +65,6 @@ export const save = async (ctx: UserCtx<Row, Row>) => {
  const tableId = utils.getTableId(ctx)
  const body = ctx.request.body

-  if (body._viewId) {
-    ctx.throw(400, "Table row endpoints cannot contain view info")
-  }
-
  // if it has an ID already then its a patch
  if (body && body._id) {
    return patch(ctx as UserCtx<PatchRowRequest, PatchRowResponse>)
--- a/packages/server/src/api/routes/row.ts
+++ b/packages/server/src/api/routes/row.ts
@ -4,6 +4,7 @@ import authorized from "../../middleware/authorized"
 import { paramResource, paramSubResource } from "../../middleware/resourceId"
 import { permissions } from "@budibase/backend-core"
 import { internalSearchValidator } from "./utils/validators"
+import guardViewRowInfo from "../../middleware/guardViewRowInfo"
 const { PermissionType, PermissionLevel } = permissions

 const router: Router = new Router()
@ -174,6 +175,7 @@ router
    "/api/:tableId/rows",
    paramResource("tableId"),
    authorized(PermissionType.TABLE, PermissionLevel.WRITE),
+    guardViewRowInfo(),
    rowController.save
  )
  /**
@ -188,6 +190,7 @@ router
    "/api/:tableId/rows",
    paramResource("tableId"),
    authorized(PermissionType.TABLE, PermissionLevel.WRITE),
+    guardViewRowInfo(),
    rowController.patch
  )
  /**
@ -294,4 +297,11 @@ router
   * @apiSuccess {string} [_rev] If saving to an internal table a revision will also be returned.
   * @apiSuccess {object} body The contents of the row that was saved will be returned as well.
   */
+  .post(
+    "/api/v2/views/:viewId/rows",
+    paramResource("viewId"),
+    authorized(PermissionType.VIEW, PermissionLevel.WRITE),
+    rowController.views.save
+  )
+
 export default router
--- a/packages/server/src/middleware/guardViewRowInfo.ts
+++ b/packages/server/src/middleware/guardViewRowInfo.ts
@ -0,0 +1,12 @@
+import { Ctx, Row } from "@budibase/types"
+
+const checkNoViewData = async (ctx: Ctx<Row>) => {
+  if (ctx.request.body._viewId) {
+    ctx.throw(400, "Table row endpoints cannot contain view info")
+  }
+}
+
+export default () => async (ctx: any, next: any) => {
+  await checkNoViewData(ctx)
+  return next()
+}