Adding basic permissions test which proves a public user can read from a table, but cannot write.

mike12345567 2021-02-09 17:24:36 +00:00
parent 9fb4c14835
commit 821de55363
5 changed files with 51 additions and 19 deletions


@ -40,6 +40,17 @@ exports.defaultHeaders = appId => {
return headers return headers
} }
exports.publicHeaders = appId => {
const headers = {
Accept: "application/json",
}
if (appId) {
headers["x-budibase-app-id"] = appId
}
return headers
}
exports.BASE_TABLE = { exports.BASE_TABLE = {
name: "TestTable", name: "TestTable",
type: "table", type: "table",
@ -73,13 +84,17 @@ exports.createTable = async (request, appId, table, removeId = true) => {
return res.body return res.body
} }
exports.createRow = async (request, appId, tableId, row = null) => { exports.makeBasicRow = tableId => {
row = row || { return {
name: "Test Contact", name: "Test Contact",
description: "original description", description: "original description",
status: "new", status: "new",
tableId: tableId, tableId: tableId,
} }
}
exports.createRow = async (request, appId, tableId, row = null) => {
row = row || exports.makeBasicRow(tableId)
const res = await request const res = await request
.post(`/api/${tableId}/rows`) .post(`/api/${tableId}/rows`)
.send(row) .send(row)
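Review bot: `createRow` reassigns its parameter with `row = row || exports.makeBasicRow(tableId)`; a `const` with nullish coalescing reads cleaner and does not silently replace a falsy-but-intended value: `const body = row ?? exports.makeBasicRow(tableId)` followed by `.send(body)`. `publicHeaders` would benefit from a one-line comment stating that it deliberately carries no session credentials so the request is evaluated under the app's public role — that it differs from `defaultHeaders` only by what it omits is inferred here, since the body of `defaultHeaders` sits above the hunk. The rest of `createRow` continues below the hunk.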


@ -5,6 +5,8 @@ const {
supertest, supertest,
defaultHeaders, defaultHeaders,
addPermission, addPermission,
publicHeaders,
makeBasicRow,
} = require("./couchTestUtils") } = require("./couchTestUtils")
const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles") const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
@ -102,7 +104,22 @@ describe("/permission", () => {
describe("check public user allowed", () => { describe("check public user allowed", () => {
it("should be able to read the row", async () => { it("should be able to read the row", async () => {
// TODO const res = await request
.get(`/api/${table._id}/rows`)
.set(publicHeaders(appId))
.expect("Content-Type", /json/)
.expect(200)
expect(res.body[0]._id).toEqual(row._id)
})
it("shouldn't allow writing from a public user", async () => {
const res = await request
.post(`/api/${table._id}/rows`)
.send(makeBasicRow(table._id))
.set(publicHeaders(appId))
.expect("Content-Type", /json/)
.expect(403)
expect(res.status).toEqual(403)
}) })
}) })
}) })
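Review bot: `expect(res.status).toEqual(403)` at the end of the public-write test repeats the `.expect(403)` already on the supertest chain and can be dropped. The case covers only POST, so to back the claim that a public user "cannot write" the suite should also assert a 403 for updating and deleting a row under `publicHeaders(appId)`, assuming those routes run through the same permission middleware (not visible here). The read test compares `res.body[0]._id` with `row._id`, which holds while the table contains only the row created in the setup block; if further rows are added later, locating the row with `res.body.find(r => r._id === row._id)` avoids a dependence on result order.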


@ -5,6 +5,7 @@ const {
defaultHeaders, defaultHeaders,
createLinkedTable, createLinkedTable,
createAttachmentTable, createAttachmentTable,
makeBasicRow,
} = require("./couchTestUtils"); } = require("./couchTestUtils");
const { enrichRows } = require("../../../utilities") const { enrichRows } = require("../../../utilities")
const env = require("../../../environment") const env = require("../../../environment")
@ -30,12 +31,7 @@ describe("/rows", () => {
app = await createApplication(request) app = await createApplication(request)
appId = app.instance._id appId = app.instance._id
table = await createTable(request, appId) table = await createTable(request, appId)
row = { row = makeBasicRow(table._id)
name: "Test Contact",
description: "original description",
status: "new",
tableId: table._id
}
}) })
const createRow = async r => const createRow = async r =>


@ -43,12 +43,8 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
// don't expose builder endpoints in the cloud // don't expose builder endpoints in the cloud
if (env.CLOUD && permType === PermissionTypes.BUILDER) return if (env.CLOUD && permType === PermissionTypes.BUILDER) return
if (!ctx.auth.authenticated) {
ctx.throw(403, "Session not authenticated")
}
if (!ctx.user) { if (!ctx.user) {
ctx.throw(403, "User not found") ctx.throw(403, "No user info found")
} }
const role = ctx.user.role const role = ctx.user.role
@ -56,11 +52,15 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
ctx.appId, ctx.appId,
role._id role._id
) )
if (ADMIN_ROLES.indexOf(role._id) !== -1) { const isAdmin = ADMIN_ROLES.indexOf(role._id) !== -1
return next() const isAuthed = ctx.auth.authenticated
}
if (permType === PermissionTypes.BUILDER) { // this may need to change in the future, right now only admins
// can have access to builder features, this is hard coded into
// our rules
if (isAdmin && isAuthed) {
return next()
} else if (permType === PermissionTypes.BUILDER) {
ctx.throw(403, "Not Authorized") ctx.throw(403, "Not Authorized")
} }
@ -71,6 +71,10 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
return next() return next()
} }
if (!isAuthed) {
ctx.throw(403, "Session not authenticated")
}
if (!doesHaveBasePermission(permType, permLevel, basePermissions)) { if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
ctx.throw(403, "User does not have permission") ctx.throw(403, "User does not have permission")
} }
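Review bot: The `Session not authenticated` check has moved from the top of the middleware to after the `return next()` shown at the start of the `@ -71,6 +71,10` hunk, so an anonymous request now goes through the role lookup, `getUserPermissions` and whatever grant sits in the lines between the hunks (66–70) before it can be rejected; that grant is now the only thing between an unauthenticated request and a non-public permission, and it is not visible in this diff, so the invariant deserves a comment above the new check, e.g. `// only public-level permissions may reach next() above; everything past this point requires an authenticated session`. Because `ctx.user` is now checked before authentication, an anonymous request must already carry a user holding the public role from an earlier middleware — presumably the case given the new test, but worth confirming, since otherwise anonymous requests end at `No user info found` rather than the public path. `const isAuthed = ctx.auth.authenticated` dereferences `ctx.auth` unguarded, as the removed line did, so a request with no `ctx.auth` object fails with a TypeError (500) instead of a 403; `const isAuthed = Boolean(ctx.auth && ctx.auth.authenticated)` fails closed with the intended status. The enclosing middleware starts and ends outside these hunks.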


@ -77,7 +77,7 @@ exports.getRole = async (appId, roleId) => {
} }
try { try {
const db = new CouchDB(appId) const db = new CouchDB(appId)
const dbRole = await db.get(roleId) const dbRole = await db.get(exports.getDBRoleID(roleId))
role = Object.assign(role, dbRole) role = Object.assign(role, dbRole)
// finalise the ID // finalise the ID
role._id = exports.getExternalRoleID(role._id) role._id = exports.getExternalRoleID(role._id)
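Review bot: `db.get(exports.getDBRoleID(roleId))` now assumes every caller passes the external role id; if `getDBRoleID` is not idempotent, a caller that already passes a DB-prefixed id would look up a doubled prefix and fall into the `catch` below the hunk, which is not visible here. A one-line JSDoc on `getRole` stating that `roleId` is the external id, e.g. `@param {string} roleId - external role id; converted to the DB id internally`, would pin the contract. The surrounding `getRole` body starts above and continues below the hunk.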