From 7fb26408cf7ebd2eb253e469f285db8cf8a64ce3 Mon Sep 17 00:00:00 2001
From: Michael Drury
Date: Thu, 19 Nov 2020 20:16:37 +0000
Subject: [PATCH] Minor update to make use of new client header to state the request is from the client, not the builder.

---
 .../server/src/api/controllers/routing.js | 5 ++---
 .../server/src/middleware/authenticated.js | 19 ++++++++-----------
 packages/server/src/utilities/index.js | 4 ++++
 .../src/utilities/security/accessLevels.js | 2 +-
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/packages/server/src/api/controllers/routing.js b/packages/server/src/api/controllers/routing.js
index 8d96863593..f068291ac3 100644
--- a/packages/server/src/api/controllers/routing.js
+++ b/packages/server/src/api/controllers/routing.js
@@ -62,11 +62,10 @@ exports.fetch = async ctx => {
 exports.clientFetch = async ctx => {
   const routing = await getRoutingStructure(ctx.appId)
-  const accessLevelId = ctx.user.accessLevel._id
+  let accessLevelId = ctx.user.accessLevel._id
   // builder is a special case, always return the full routing structure
   if (accessLevelId === BUILTIN_LEVEL_IDS.BUILDER) {
-    ctx.body = routing
-    return
+    accessLevelId = BUILTIN_LEVEL_IDS.ADMIN
   }
   const accessLevelIds = await getUserAccessLevelHierarchy(
     ctx.appId,
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index b30e22f0e1..708b47c4f5 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
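Review bot: The comment above the BUILDER check, `// builder is a special case, always return the full routing structure`, no longer describes the code beneath it: the builder is now mapped to the ADMIN level and goes through the same hierarchy filtering as any other user instead of receiving the unfiltered `routing` via the removed early return. Reword it to something like `// builder is a special case, treat it as an admin so the full hierarchy is resolved` so the next reader does not assume the early return still exists. Whether the admin hierarchy actually yields every route the builder previously saw depends on getUserAccessLevelHierarchy and the rest of clientFetch, which continues past the end of this hunk.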
@@ -1,9 +1,9 @@
 const jwt = require("jsonwebtoken")
 const STATUS_CODES = require("../utilities/statusCodes")
-const { getAccessLevel } = require("../utilities/security/accessLevels")
+const { getAccessLevel, BUILTIN_LEVELS } = require("../utilities/security/accessLevels")
 const env = require("../environment")
 const { AuthTypes } = require("../constants")
-const { getAppId, getCookieName, setCookie } = require("../utilities")
+const { getAppId, getCookieName, setCookie, isClient } = require("../utilities")
 module.exports = async (ctx, next) => {
   if (ctx.path === "/_builder") {
@@ -21,17 +21,13 @@ module.exports = async (ctx, next) => {
     appId = cookieAppId
   }
-  const appToken = ctx.cookies.get(getCookieName(appId))
-  const builderToken = ctx.cookies.get(getCookieName())
-  let token
-  // if running locally in the builder itself
-  if (!env.CLOUD && !appToken) {
-    token = builderToken
-    ctx.auth.authenticated = AuthTypes.BUILDER
-  } else {
-    token = appToken
+  if (isClient(ctx)) {
     ctx.auth.authenticated = AuthTypes.APP
+    token = ctx.cookies.get(getCookieName(appId))
+  } else {
+    ctx.auth.authenticated = AuthTypes.BUILDER
+    token = ctx.cookies.get(getCookieName())
   }
   if (!token) {
@@ -39,6 +35,7 @@ module.exports = async (ctx, next) => {
     ctx.appId = appId
     ctx.user = {
       appId,
+      accessLevel: BUILTIN_LEVELS.PUBLIC,
     }
     await next()
     return
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 2a2ae81671..cde10b6b62 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -70,3 +70,7 @@ exports.setCookie = (ctx, name, value) => {
     overwrite: true,
   })
 }
+
+exports.isClient = ctx => {
+  return ctx.headers["x-budibase-type"] === "client"
+}
diff --git a/packages/server/src/utilities/security/accessLevels.js b/packages/server/src/utilities/security/accessLevels.js
index 578cd1e803..344dd20930 100644
--- a/packages/server/src/utilities/security/accessLevels.js
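Review bot: As rendered here the `let token` declaration is among the removed lines of the @@ -21 hunk while both new branches still assign `token = ctx.cookies.get(...)`; unless a declaration survives elsewhere in this function, that assignment creates an implicit module-wide global (no `'use strict'` is visible at the top of the file) shared between concurrent requests, so `let token` should be restored directly before `if (isClient(ctx)) {`. Separately, which session cookie is consulted is now chosen solely by the caller-supplied `x-budibase-type` header (the `isClient` helper added in the utilities/index.js hunk), and a request that omits the header lands in the builder branch, whereas the removed guard only took that branch when `!env.CLOUD`. Since that check was the only thing distinguishing a hosted deployment, consider keeping it so the builder cookie is only examined off-cloud, e.g. `if (isClient(ctx) || env.CLOUD) {`, unless builder sessions are expected on the cloud path. Whether an attacker-chosen branch matters in practice depends on the token verification further down, which is outside this hunk; the middleware function also continues past the hunk's end.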
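Review bot: `exports.isClient` in the utilities/index.js hunk is undocumented, and the fact that it keys purely on a request header is worth stating because authenticated.js in this same patch uses it to decide which session cookie to read. Add a JSDoc above it such as `/** True when the request carries the x-budibase-type: client header; the header is caller-supplied, so this reflects the caller's claimed origin, not a verified one. */`.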
+++ b/packages/server/src/utilities/security/accessLevels.js
@@ -21,7 +21,7 @@ exports.BUILTIN_LEVELS = {
   ADMIN: new AccessLevel(BUILTIN_IDS.ADMIN, "Admin", BUILTIN_IDS.POWER),
   POWER: new AccessLevel(BUILTIN_IDS.POWER, "Power", BUILTIN_IDS.BASIC),
   BASIC: new AccessLevel(BUILTIN_IDS.BASIC, "Basic", BUILTIN_IDS.PUBLIC),
-  ANON: new AccessLevel(BUILTIN_IDS.PUBLIC, "Public"),
+  PUBLIC: new AccessLevel(BUILTIN_IDS.PUBLIC, "Public"),
   BUILDER: new AccessLevel(BUILTIN_IDS.BUILDER, "Builder"),
 }