Merge branch 'develop' of github.com:Budibase/budibase into views-v2-frontend

.github/workflows/budibase_ci.yml

@@ -154,7 +154,7 @@ jobs:
           node-version: 14.x
           cache: "yarn"
       - run: yarn
-      - run: yarn build
+      - run: yarn build --projects=@budibase/server,@budibase/worker,@budibase/client
       - name: Run tests
         run: |
           cd qa-core

.gitignore

@@ -101,8 +101,6 @@ packages/builder/cypress.env.json
 packages/builder/cypress/reports
 stats.html
 
-# TypeScript cache
-*.tsbuildinfo
 
 # plugins
 budibase-component

lerna.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.8.29-alpha.9",
+  "version": "2.8.29-alpha.14",
   "npmClient": "yarn",
   "packages": [
     "packages/*"

nx.json

@@ -3,19 +3,10 @@
     "default": {
       "runner": "nx-cloud",
       "options": {
-        "cacheableOperations": ["build", "test"],
+        "cacheableOperations": ["build", "test", "check:types"],
         "accessToken": "MmM4OGYxNzItMDBlYy00ZmE3LTk4MTYtNmJhYWMyZjBjZTUyfHJlYWQ="
       }
     }
   },
-  "targetDefaults": {
+  "targetDefaults": {}
-    "dev:builder": {
-      "dependsOn": [
-        {
-          "projects": ["@budibase/string-templates"],
-          "target": "build"
-        }
-      ]
-    }
-  }
 }

package.json

@@ -36,7 +36,7 @@
     "bootstrap": "./scripts/link-dependencies.sh && echo '***BOOTSTRAP ONLY REQUIRED FOR USE WITH ACCOUNT PORTAL***'",
     "build": "yarn nx run-many -t=build",
     "build:dev": "lerna run --stream prebuild && yarn nx run-many --target=build --output-style=dynamic --watch --preserveWatchOutput",
-    "check:types": "lerna run check:types --skip-nx-cache",
+    "check:types": "lerna run check:types",
     "backend:bootstrap": "./scripts/scopeBackend.sh && yarn run bootstrap",
     "backend:build": "./scripts/scopeBackend.sh 'lerna run --stream build'",
     "build:sdk": "lerna run --stream build:sdk",
@@ -51,9 +51,9 @@
     "kill-builder": "kill-port 3000",
     "kill-server": "kill-port 4001 4002",
     "kill-all": "yarn run kill-builder && yarn run kill-server",
-    "dev": "yarn run kill-all && lerna run --stream --parallel dev:builder",
+    "dev": "yarn run kill-all && lerna run --stream dev:builder",
-    "dev:noserver": "yarn run kill-builder && lerna run --stream dev:stack:up && lerna run --stream --parallel dev:builder --ignore @budibase/backend-core --ignore @budibase/server --ignore @budibase/worker",
+    "dev:noserver": "yarn run kill-builder && lerna run --stream dev:stack:up && lerna run --stream dev:builder --ignore @budibase/backend-core --ignore @budibase/server --ignore @budibase/worker",
-    "dev:server": "yarn run kill-server && lerna run --stream --parallel dev:builder --scope @budibase/worker --scope @budibase/server",
+    "dev:server": "yarn run kill-server && lerna run --stream dev:builder --scope @budibase/worker --scope @budibase/server",
     "dev:built": "yarn run kill-all && cd packages/server && yarn dev:stack:up && cd ../../ && lerna run --stream dev:built",
     "dev:docker": "yarn build:docker:pre && docker-compose -f hosting/docker-compose.build.yaml -f hosting/docker-compose.dev.yaml --env-file hosting/.env up --build --scale proxy-service=0",
     "test": "lerna run --stream test --stream",

packages/backend-core/jest.config.ts

@@ -9,6 +9,7 @@ const baseConfig: Config.InitialProjectOptions = {
   },
   moduleNameMapper: {
     "@budibase/types": "<rootDir>/../types/src",
+    "@budibase/shared-core": ["<rootDir>/../shared-core/src"],
   },
 }
 

packages/backend-core/package.json

@@ -16,12 +16,14 @@
     "prepack": "cp package.json dist",
     "build": "tsc -p tsconfig.build.json",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
+    "check:types": "tsc -p tsconfig.json --noEmit --paths null",
     "test": "bash scripts/test.sh",
     "test:watch": "jest --watchAll"
   },
   "dependencies": {
     "@budibase/nano": "10.1.2",
     "@budibase/pouchdb-replication-stream": "1.2.10",
+    "@budibase/shared-core": "0.0.0",
     "@budibase/types": "0.0.0",
     "@techpass/passport-openidconnect": "0.3.2",
     "aws-cloudfront-sign": "2.2.0",
@@ -86,20 +88,5 @@
     "ts-node": "10.8.1",
     "tsconfig-paths": "4.0.0",
     "typescript": "4.7.3"
-  },
+  }
-  "nx": {
-    "targets": {
-      "build": {
-        "dependsOn": [
-          {
-            "projects": [
-              "@budibase/types"
-            ],
-            "target": "build"
-          }
-        ]
-      }
-    }
-  },
-  "gitHead": "d1836a898cab3f8ab80ee6d8f42be1a9eed7dcdc"
 }

packages/backend-core/src/cache/tests/writethrough.spec.ts

@@ -36,7 +36,7 @@ describe("writethrough", () => {
           _id: docId,
           value: 1,
         })
-        const output = await db.get(response.id)
+        const output = await db.get<any>(response.id)
         current = output
         expect(output.value).toBe(1)
       })
@@ -45,7 +45,7 @@ describe("writethrough", () => {
     it("second put shouldn't update DB", async () => {
       await config.doInTenant(async () => {
         const response = await writethrough.put({ ...current, value: 2 })
-        const output = await db.get(response.id)
+        const output = await db.get<any>(response.id)
         expect(current._rev).toBe(output._rev)
         expect(output.value).toBe(1)
       })
@@ -55,7 +55,7 @@ describe("writethrough", () => {
       await config.doInTenant(async () => {
         tk.freeze(Date.now() + DELAY + 1)
         const response = await writethrough.put({ ...current, value: 3 })
-        const output = await db.get(response.id)
+        const output = await db.get<any>(response.id)
         expect(response.rev).not.toBe(current._rev)
         expect(output.value).toBe(3)
 
@@ -79,7 +79,7 @@ describe("writethrough", () => {
           expect.arrayContaining([current._rev, current._rev, newRev])
         )
 
-        const output = await db.get(current._id)
+        const output = await db.get<any>(current._id)
         expect(output.value).toBe(4)
         expect(output._rev).toBe(newRev)
 
@@ -107,7 +107,7 @@ describe("writethrough", () => {
         })
         expect(res.ok).toBe(true)
 
-        const output = await db.get(id)
+        const output = await db.get<any>(id)
         expect(output.value).toBe(3)
         expect(output._rev).toBe(res.rev)
       })
@@ -130,8 +130,8 @@ describe("writethrough", () => {
         const resp2 = await writethrough2.put({ _id: "db1", value: "second" })
         expect(resp1.rev).toBeDefined()
         expect(resp2.rev).toBeDefined()
-        expect((await db.get("db1")).value).toBe("first")
+        expect((await db.get<any>("db1")).value).toBe("first")
-        expect((await db2.get("db1")).value).toBe("second")
+        expect((await db2.get<any>("db1")).value).toBe("second")
       })
     })
   })

packages/backend-core/src/constants/db.ts

@@ -1,5 +1,5 @@
-export const SEPARATOR = "_"
+import { prefixed, DocumentType } from "@budibase/types"
-export const UNICODE_MAX = "\ufff0"
+export { SEPARATOR, UNICODE_MAX, DocumentType } from "@budibase/types"
 
 /**
  * Can be used to create a few different forms of querying a view.
@@ -14,8 +14,6 @@ export enum ViewName {
   USER_BY_APP = "by_app",
   USER_BY_EMAIL = "by_email2",
   BY_API_KEY = "by_api_key",
-  /** @deprecated - could be deleted */
-  USER_BY_BUILDERS = "by_builders",
   LINK = "by_link",
   ROUTING = "screen_routes",
   AUTOMATION_LOGS = "automation_logs",
@@ -36,42 +34,6 @@ export enum InternalTable {
   USER_METADATA = "ta_users",
 }
 
-export enum DocumentType {
-  USER = "us",
-  GROUP = "gr",
-  WORKSPACE = "workspace",
-  CONFIG = "config",
-  TEMPLATE = "template",
-  APP = "app",
-  DEV = "dev",
-  APP_DEV = "app_dev",
-  APP_METADATA = "app_metadata",
-  ROLE = "role",
-  MIGRATIONS = "migrations",
-  DEV_INFO = "devinfo",
-  AUTOMATION_LOG = "log_au",
-  ACCOUNT_METADATA = "acc_metadata",
-  PLUGIN = "plg",
-  DATASOURCE = "datasource",
-  DATASOURCE_PLUS = "datasource_plus",
-  APP_BACKUP = "backup",
-  TABLE = "ta",
-  ROW = "ro",
-  AUTOMATION = "au",
-  LINK = "li",
-  WEBHOOK = "wh",
-  INSTANCE = "inst",
-  LAYOUT = "layout",
-  SCREEN = "screen",
-  QUERY = "query",
-  DEPLOYMENTS = "deployments",
-  METADATA = "metadata",
-  MEM_VIEW = "view",
-  USER_FLAG = "flag",
-  AUTOMATION_METADATA = "meta_au",
-  AUDIT_LOG = "al",
-}
-
 export const StaticDatabases = {
   GLOBAL: {
     name: "global-db",
@@ -95,7 +57,7 @@ export const StaticDatabases = {
   },
 }
 
-export const APP_PREFIX = DocumentType.APP + SEPARATOR
+export const APP_PREFIX = prefixed(DocumentType.APP)
-export const APP_DEV = DocumentType.APP_DEV + SEPARATOR
+export const APP_DEV = prefixed(DocumentType.APP_DEV)
 export const APP_DEV_PREFIX = APP_DEV
 export const BUDIBASE_DATASOURCE_TYPE = "budibase"

packages/backend-core/src/db/views.ts

@@ -105,16 +105,6 @@ export const createApiKeyView = async () => {
   await createView(db, viewJs, ViewName.BY_API_KEY)
 }
 
-export const createUserBuildersView = async () => {
-  const db = getGlobalDB()
-  const viewJs = `function(doc) {
-    if (doc.builder && doc.builder.global === true) {
-      emit(doc._id, doc._id)
-    }
-  }`
-  await createView(db, viewJs, ViewName.USER_BY_BUILDERS)
-}
-
 export interface QueryViewOptions {
   arrayResponse?: boolean
 }
@@ -223,7 +213,6 @@ export const queryPlatformView = async <T>(
 const CreateFuncByName: any = {
   [ViewName.USER_BY_EMAIL]: createNewUserEmailView,
   [ViewName.BY_API_KEY]: createApiKeyView,
-  [ViewName.USER_BY_BUILDERS]: createUserBuildersView,
   [ViewName.USER_BY_APP]: createUserAppView,
 }
 

packages/backend-core/src/environment.ts

@@ -1,4 +1,5 @@
 import { existsSync, readFileSync } from "fs"
+import { ServiceType } from "@budibase/types"
 
 function isTest() {
   return isCypress() || isJest()
@@ -83,10 +84,20 @@ function getPackageJsonFields(): {
   }
 }
 
+function isWorker() {
+  return environment.SERVICE_TYPE === ServiceType.WORKER
+}
+
+function isApps() {
+  return environment.SERVICE_TYPE === ServiceType.APPS
+}
+
 const environment = {
   isTest,
   isJest,
   isDev,
+  isWorker,
+  isApps,
   isProd: () => {
     return !isDev()
   },
@@ -153,6 +164,7 @@ const environment = {
   SMTP_FROM_ADDRESS: process.env.SMTP_FROM_ADDRESS,
   DISABLE_JWT_WARNING: process.env.DISABLE_JWT_WARNING,
   BLACKLIST_IPS: process.env.BLACKLIST_IPS,
+  SERVICE_TYPE: "unknown",
   /**
    * Enable to allow an admin user to login using a password.
    * This can be useful to prevent lockout when configuring SSO.

packages/backend-core/src/events/identification.ts

@@ -21,6 +21,7 @@ import { processors } from "./processors"
 import { newid } from "../utils"
 import * as installation from "../installation"
 import * as configs from "../configs"
+import * as users from "../users"
 import { withCache, TTL, CacheKey } from "../cache/generic"
 
 /**
@@ -164,8 +165,8 @@ const identifyUser = async (
   const id = user._id as string
   const tenantId = await getEventTenantId(user.tenantId)
   const type = IdentityType.USER
-  let builder = user.builder?.global || false
+  let builder = users.hasBuilderPermissions(user)
-  let admin = user.admin?.global || false
+  let admin = users.hasAdminPermissions(user)
   let providerType
   if (isSSOUser(user)) {
     providerType = user.providerType

packages/backend-core/src/middleware/adminOnly.ts

@@ -1,10 +1,8 @@
-import { BBContext } from "@budibase/types"
+import { UserCtx } from "@budibase/types"
+import { isAdmin } from "../users"
 
-export default async (ctx: BBContext, next: any) => {
+export default async (ctx: UserCtx, next: any) => {
-  if (
+  if (!ctx.internal && !isAdmin(ctx.user)) {
-    !ctx.internal &&
-    (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
-  ) {
     ctx.throw(403, "Admin user only endpoint.")
   }
   return next()

packages/backend-core/src/middleware/builderOnly.ts

@@ -1,10 +1,19 @@
-import { BBContext } from "@budibase/types"
+import { UserCtx } from "@budibase/types"
+import { isBuilder, hasBuilderPermissions } from "../users"
+import { getAppId } from "../context"
+import env from "../environment"
 
-export default async (ctx: BBContext, next: any) => {
+export default async (ctx: UserCtx, next: any) => {
-  if (
+  const appId = getAppId()
-    !ctx.internal &&
+  const builderFn = env.isWorker()
-    (!ctx.user || !ctx.user.builder || !ctx.user.builder.global)
+    ? hasBuilderPermissions
-  ) {
+    : env.isApps()
+    ? isBuilder
+    : undefined
+  if (!builderFn) {
+    throw new Error("Service name unknown - middleware inactive.")
+  }
+  if (!ctx.internal && !builderFn(ctx.user, appId)) {
     ctx.throw(403, "Builder user only endpoint.")
   }
   return next()

packages/backend-core/src/middleware/builderOrAdmin.ts

@@ -1,12 +1,20 @@
-import { BBContext } from "@budibase/types"
+import { UserCtx } from "@budibase/types"
+import { isBuilder, isAdmin, hasBuilderPermissions } from "../users"
+import { getAppId } from "../context"
+import env from "../environment"
 
-export default async (ctx: BBContext, next: any) => {
+export default async (ctx: UserCtx, next: any) => {
-  if (
+  const appId = getAppId()
-    !ctx.internal &&
+  const builderFn = env.isWorker()
-    (!ctx.user || !ctx.user.builder || !ctx.user.builder.global) &&
+    ? hasBuilderPermissions
-    (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
+    : env.isApps()
-  ) {
+    ? isBuilder
-    ctx.throw(403, "Builder user only endpoint.")
+    : undefined
+  if (!builderFn) {
+    throw new Error("Service name unknown - middleware inactive.")
+  }
+  if (!ctx.internal && !builderFn(ctx.user, appId) && !isAdmin(ctx.user)) {
+    ctx.throw(403, "Admin/Builder user only endpoint.")
   }
   return next()
 }

packages/backend-core/src/middleware/tests/builder.spec.ts

@@ -0,0 +1,180 @@
+import adminOnly from "../adminOnly"
+import builderOnly from "../builderOnly"
+import builderOrAdmin from "../builderOrAdmin"
+import { structures } from "../../../tests"
+import { ContextUser, ServiceType } from "@budibase/types"
+import { doInAppContext } from "../../context"
+import env from "../../environment"
+env._set("SERVICE_TYPE", ServiceType.APPS)
+
+const appId = "app_aaa"
+const basicUser = structures.users.user()
+const adminUser = structures.users.adminUser()
+const adminOnlyUser = structures.users.adminOnlyUser()
+const builderUser = structures.users.builderUser()
+const appBuilderUser = structures.users.appBuilderUser(appId)
+
+function buildUserCtx(user: ContextUser) {
+  return {
+    internal: false,
+    user,
+    throw: jest.fn(),
+  } as any
+}
+
+function passed(throwFn: jest.Func, nextFn: jest.Func) {
+  expect(throwFn).not.toBeCalled()
+  expect(nextFn).toBeCalled()
+}
+
+function threw(throwFn: jest.Func) {
+  // cant check next, the throw function doesn't actually throw - so it still continues
+  expect(throwFn).toBeCalled()
+}
+
+describe("adminOnly middleware", () => {
+  it("should allow admin user", () => {
+    const ctx = buildUserCtx(adminUser),
+      next = jest.fn()
+    adminOnly(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should not allow basic user", () => {
+    const ctx = buildUserCtx(basicUser),
+      next = jest.fn()
+    adminOnly(ctx, next)
+    threw(ctx.throw)
+  })
+
+  it("should not allow builder user", () => {
+    const ctx = buildUserCtx(builderUser),
+      next = jest.fn()
+    adminOnly(ctx, next)
+    threw(ctx.throw)
+  })
+})
+
+describe("builderOnly middleware", () => {
+  it("should allow builder user", () => {
+    const ctx = buildUserCtx(builderUser),
+      next = jest.fn()
+    builderOnly(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should allow app builder user", () => {
+    const ctx = buildUserCtx(appBuilderUser),
+      next = jest.fn()
+    doInAppContext(appId, () => {
+      builderOnly(ctx, next)
+    })
+    passed(ctx.throw, next)
+  })
+
+  it("should allow admin and builder user", () => {
+    const ctx = buildUserCtx(adminUser),
+      next = jest.fn()
+    builderOnly(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should not allow admin user", () => {
+    const ctx = buildUserCtx(adminOnlyUser),
+      next = jest.fn()
+    builderOnly(ctx, next)
+    threw(ctx.throw)
+  })
+
+  it("should not allow app builder user to different app", () => {
+    const ctx = buildUserCtx(appBuilderUser),
+      next = jest.fn()
+    doInAppContext("app_bbb", () => {
+      builderOnly(ctx, next)
+    })
+    threw(ctx.throw)
+  })
+
+  it("should not allow basic user", () => {
+    const ctx = buildUserCtx(basicUser),
+      next = jest.fn()
+    builderOnly(ctx, next)
+    threw(ctx.throw)
+  })
+})
+
+describe("builderOrAdmin middleware", () => {
+  it("should allow builder user", () => {
+    const ctx = buildUserCtx(builderUser),
+      next = jest.fn()
+    builderOrAdmin(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should allow builder and admin user", () => {
+    const ctx = buildUserCtx(adminUser),
+      next = jest.fn()
+    builderOrAdmin(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should allow admin user", () => {
+    const ctx = buildUserCtx(adminOnlyUser),
+      next = jest.fn()
+    builderOrAdmin(ctx, next)
+    passed(ctx.throw, next)
+  })
+
+  it("should allow app builder user", () => {
+    const ctx = buildUserCtx(appBuilderUser),
+      next = jest.fn()
+    doInAppContext(appId, () => {
+      builderOrAdmin(ctx, next)
+    })
+    passed(ctx.throw, next)
+  })
+
+  it("should not allow basic user", () => {
+    const ctx = buildUserCtx(basicUser),
+      next = jest.fn()
+    builderOrAdmin(ctx, next)
+    threw(ctx.throw)
+  })
+})
+
+describe("check service difference", () => {
+  it("should not allow without app ID in apps", () => {
+    env._set("SERVICE_TYPE", ServiceType.APPS)
+    const appId = "app_a"
+    const ctx = buildUserCtx({
+      ...basicUser,
+      builder: {
+        apps: [appId],
+      },
+    })
+    const next = jest.fn()
+    doInAppContext(appId, () => {
+      builderOnly(ctx, next)
+    })
+    passed(ctx.throw, next)
+    doInAppContext("app_b", () => {
+      builderOnly(ctx, next)
+    })
+    threw(ctx.throw)
+  })
+
+  it("should allow without app ID in worker", () => {
+    env._set("SERVICE_TYPE", ServiceType.WORKER)
+    const ctx = buildUserCtx({
+      ...basicUser,
+      builder: {
+        apps: ["app_a"],
+      },
+    })
+    const next = jest.fn()
+    doInAppContext("app_b", () => {
+      builderOnly(ctx, next)
+    })
+    passed(ctx.throw, next)
+  })
+})

packages/backend-core/src/security/permissions.ts

@@ -1,3 +1,5 @@
+import { PermissionType, PermissionLevel } from "@budibase/types"
+export { PermissionType, PermissionLevel } from "@budibase/types"
 import flatten from "lodash/flatten"
 import cloneDeep from "lodash/fp/cloneDeep"
 
@@ -5,25 +7,6 @@ export type RoleHierarchy = {
   permissionId: string
 }[]
 
-export enum PermissionLevel {
-  READ = "read",
-  WRITE = "write",
-  EXECUTE = "execute",
-  ADMIN = "admin",
-}
-
-// these are the global types, that govern the underlying default behaviour
-export enum PermissionType {
-  APP = "app",
-  TABLE = "table",
-  USER = "user",
-  AUTOMATION = "automation",
-  WEBHOOK = "webhook",
-  BUILDER = "builder",
-  VIEW = "view",
-  QUERY = "query",
-}
-
 export class Permission {
   type: PermissionType
   level: PermissionLevel
@@ -173,3 +156,4 @@ export function isPermissionLevelHigherThanRead(level: PermissionLevel) {
 
 // utility as a lot of things need simply the builder permission
 export const BUILDER = PermissionType.BUILDER
+export const GLOBAL_BUILDER = PermissionType.GLOBAL_BUILDER

packages/backend-core/src/users/db.ts

@@ -0,0 +1,460 @@
+import env from "../environment"
+import * as eventHelpers from "./events"
+import * as accounts from "../accounts"
+import * as cache from "../cache"
+import { getIdentity, getTenantId, getGlobalDB } from "../context"
+import * as dbUtils from "../db"
+import { EmailUnavailableError, HTTPError } from "../errors"
+import * as platform from "../platform"
+import * as sessions from "../security/sessions"
+import * as usersCore from "./users"
+import {
+  AllDocsResponse,
+  BulkUserCreated,
+  BulkUserDeleted,
+  RowResponse,
+  SaveUserOpts,
+  User,
+  Account,
+  isSSOUser,
+  isSSOAccount,
+  UserStatus,
+} from "@budibase/types"
+import * as accountSdk from "../accounts"
+import {
+  validateUniqueUser,
+  getAccountHolderFromUserIds,
+  isAdmin,
+} from "./utils"
+import { searchExistingEmails } from "./lookup"
+import { hash } from "../utils"
+
+type QuotaUpdateFn = (change: number, cb?: () => Promise<any>) => Promise<any>
+type GroupUpdateFn = (groupId: string, userIds: string[]) => Promise<any>
+type FeatureFn = () => Promise<Boolean>
+type QuotaFns = { addUsers: QuotaUpdateFn; removeUsers: QuotaUpdateFn }
+type GroupFns = { addUsers: GroupUpdateFn }
+type FeatureFns = { isSSOEnforced: FeatureFn; isAppBuildersEnabled: FeatureFn }
+
+const bulkDeleteProcessing = async (dbUser: User) => {
+  const userId = dbUser._id as string
+  await platform.users.removeUser(dbUser)
+  await eventHelpers.handleDeleteEvents(dbUser)
+  await cache.user.invalidateUser(userId)
+  await sessions.invalidateSessions(userId, { reason: "bulk-deletion" })
+}
+
+export class UserDB {
+  static quotas: QuotaFns
+  static groups: GroupFns
+  static features: FeatureFns
+
+  static init(quotaFns: QuotaFns, groupFns: GroupFns, featureFns: FeatureFns) {
+    UserDB.quotas = quotaFns
+    UserDB.groups = groupFns
+    UserDB.features = featureFns
+  }
+
+  static async isPreventPasswordActions(user: User, account?: Account) {
+    // when in maintenance mode we allow sso users with the admin role
+    // to perform any password action - this prevents lockout
+    if (env.ENABLE_SSO_MAINTENANCE_MODE && isAdmin(user)) {
+      return false
+    }
+
+    // SSO is enforced for all users
+    if (await UserDB.features.isSSOEnforced()) {
+      return true
+    }
+
+    // Check local sso
+    if (isSSOUser(user)) {
+      return true
+    }
+
+    // Check account sso
+    if (!account) {
+      account = await accountSdk.getAccountByTenantId(getTenantId())
+    }
+    return !!(account && account.email === user.email && isSSOAccount(account))
+  }
+
+  static async buildUser(
+    user: User,
+    opts: SaveUserOpts = {
+      hashPassword: true,
+      requirePassword: true,
+    },
+    tenantId: string,
+    dbUser?: any,
+    account?: Account
+  ): Promise<User> {
+    let { password, _id } = user
+
+    // don't require a password if the db user doesn't already have one
+    if (dbUser && !dbUser.password) {
+      opts.requirePassword = false
+    }
+
+    let hashedPassword
+    if (password) {
+      if (await UserDB.isPreventPasswordActions(user, account)) {
+        throw new HTTPError("Password change is disabled for this user", 400)
+      }
+      hashedPassword = opts.hashPassword ? await hash(password) : password
+    } else if (dbUser) {
+      hashedPassword = dbUser.password
+    }
+
+    // passwords are never required if sso is enforced
+    const requirePasswords =
+      opts.requirePassword && !(await UserDB.features.isSSOEnforced())
+    if (!hashedPassword && requirePasswords) {
+      throw "Password must be specified."
+    }
+
+    _id = _id || dbUtils.generateGlobalUserID()
+
+    const fullUser = {
+      createdAt: Date.now(),
+      ...dbUser,
+      ...user,
+      _id,
+      password: hashedPassword,
+      tenantId,
+    }
+    // make sure the roles object is always present
+    if (!fullUser.roles) {
+      fullUser.roles = {}
+    }
+    // add the active status to a user if its not provided
+    if (fullUser.status == null) {
+      fullUser.status = UserStatus.ACTIVE
+    }
+
+    return fullUser
+  }
+
+  static async allUsers() {
+    const db = getGlobalDB()
+    const response = await db.allDocs(
+      dbUtils.getGlobalUserParams(null, {
+        include_docs: true,
+      })
+    )
+    return response.rows.map((row: any) => row.doc)
+  }
+
+  static async countUsersByApp(appId: string) {
+    let response: any = await usersCore.searchGlobalUsersByApp(appId, {})
+    return {
+      userCount: response.length,
+    }
+  }
+
+  static async getUsersByAppAccess(appId?: string) {
+    const opts: any = {
+      include_docs: true,
+      limit: 50,
+    }
+    let response: User[] = await usersCore.searchGlobalUsersByAppAccess(
+      appId,
+      opts
+    )
+    return response
+  }
+
+  static async getUserByEmail(email: string) {
+    return usersCore.getGlobalUserByEmail(email)
+  }
+
+  /**
+   * Gets a user by ID from the global database, based on the current tenancy.
+   */
+  static async getUser(userId: string) {
+    const user = await usersCore.getById(userId)
+    if (user) {
+      delete user.password
+    }
+    return user
+  }
+
+  static async save(user: User, opts: SaveUserOpts = {}): Promise<User> {
+    // default booleans to true
+    if (opts.hashPassword == null) {
+      opts.hashPassword = true
+    }
+    if (opts.requirePassword == null) {
+      opts.requirePassword = true
+    }
+    const tenantId = getTenantId()
+    const db = getGlobalDB()
+
+    let { email, _id, userGroups = [], roles } = user
+
+    if (!email && !_id) {
+      throw new Error("_id or email is required")
+    }
+
+    if (
+      user.builder?.apps?.length &&
+      !(await UserDB.features.isAppBuildersEnabled())
+    ) {
+      throw new Error("Unable to update app builders, please check license")
+    }
+
+    let dbUser: User | undefined
+    if (_id) {
+      // try to get existing user from db
+      try {
+        dbUser = (await db.get(_id)) as User
+        if (email && dbUser.email !== email) {
+          throw "Email address cannot be changed"
+        }
+        email = dbUser.email
+      } catch (e: any) {
+        if (e.status === 404) {
+          // do nothing, save this new user with the id specified - required for SSO auth
+        } else {
+          throw e
+        }
+      }
+    }
+
+    if (!dbUser && email) {
+      // no id was specified - load from email instead
+      dbUser = await usersCore.getGlobalUserByEmail(email)
+      if (dbUser && dbUser._id !== _id) {
+        throw new EmailUnavailableError(email)
+      }
+    }
+
+    const change = dbUser ? 0 : 1 // no change if there is existing user
+    return UserDB.quotas.addUsers(change, async () => {
+      await validateUniqueUser(email, tenantId)
+
+      let builtUser = await UserDB.buildUser(user, opts, tenantId, dbUser)
+      // don't allow a user to update its own roles/perms
+      if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
+        builtUser = usersCore.cleanseUserObject(builtUser, dbUser) as User
+      }
+
+      if (!dbUser && roles?.length) {
+        builtUser.roles = { ...roles }
+      }
+
+      // make sure we set the _id field for a new user
+      // Also if this is a new user, associate groups with them
+      let groupPromises = []
+      if (!_id) {
+        _id = builtUser._id!
+
+        if (userGroups.length > 0) {
+          for (let groupId of userGroups) {
+            groupPromises.push(UserDB.groups.addUsers(groupId, [_id!]))
+          }
+        }
+      }
+
+      try {
+        // save the user to db
+        let response = await db.put(builtUser)
+        builtUser._rev = response.rev
+
+        await eventHelpers.handleSaveEvents(builtUser, dbUser)
+        await platform.users.addUser(tenantId, builtUser._id!, builtUser.email)
+        await cache.user.invalidateUser(response.id)
+
+        await Promise.all(groupPromises)
+
+        // finally returned the saved user from the db
+        return db.get(builtUser._id!)
+      } catch (err: any) {
+        if (err.status === 409) {
+          throw "User exists already"
+        } else {
+          throw err
+        }
+      }
+    })
+  }
+
+  static async bulkCreate(
+    newUsersRequested: User[],
+    groups: string[]
+  ): Promise<BulkUserCreated> {
+    const tenantId = getTenantId()
+
+    let usersToSave: any[] = []
+    let newUsers: any[] = []
+
+    const emails = newUsersRequested.map((user: User) => user.email)
+    const existingEmails = await searchExistingEmails(emails)
+    const unsuccessful: { email: string; reason: string }[] = []
+
+    for (const newUser of newUsersRequested) {
+      if (
+        newUsers.find(
+          (x: User) => x.email.toLowerCase() === newUser.email.toLowerCase()
+        ) ||
+        existingEmails.includes(newUser.email.toLowerCase())
+      ) {
+        unsuccessful.push({
+          email: newUser.email,
+          reason: `Unavailable`,
+        })
+        continue
+      }
+      newUser.userGroups = groups
+      newUsers.push(newUser)
+    }
+
+    const account = await accountSdk.getAccountByTenantId(tenantId)
+    return UserDB.quotas.addUsers(newUsers.length, async () => {
+      // create the promises array that will be called by bulkDocs
+      newUsers.forEach((user: any) => {
+        usersToSave.push(
+          UserDB.buildUser(
+            user,
+            {
+              hashPassword: true,
+              requirePassword: user.requirePassword,
+            },
+            tenantId,
+            undefined, // no dbUser
+            account
+          )
+        )
+      })
+
+      const usersToBulkSave = await Promise.all(usersToSave)
+      await usersCore.bulkUpdateGlobalUsers(usersToBulkSave)
+
+      // Post-processing of bulk added users, e.g. events and cache operations
+      for (const user of usersToBulkSave) {
+        // TODO: Refactor to bulk insert users into the info db
+        // instead of relying on looping tenant creation
+        await platform.users.addUser(tenantId, user._id, user.email)
+        await eventHelpers.handleSaveEvents(user, undefined)
+      }
+
+      const saved = usersToBulkSave.map(user => {
+        return {
+          _id: user._id,
+          email: user.email,
+        }
+      })
+
+      // now update the groups
+      if (Array.isArray(saved) && groups) {
+        const groupPromises = []
+        const createdUserIds = saved.map(user => user._id)
+        for (let groupId of groups) {
+          groupPromises.push(UserDB.groups.addUsers(groupId, createdUserIds))
+        }
+        await Promise.all(groupPromises)
+      }
+
+      return {
+        successful: saved,
+        unsuccessful,
+      }
+    })
+  }
+
+  static async bulkDelete(userIds: string[]): Promise<BulkUserDeleted> {
+    const db = getGlobalDB()
+
+    const response: BulkUserDeleted = {
+      successful: [],
+      unsuccessful: [],
+    }
+
+    // remove the account holder from the delete request if present
+    const account = await getAccountHolderFromUserIds(userIds)
+    if (account) {
+      userIds = userIds.filter(u => u !== account.budibaseUserId)
+      // mark user as unsuccessful
+      response.unsuccessful.push({
+        _id: account.budibaseUserId,
+        email: account.email,
+        reason: "Account holder cannot be deleted",
+      })
+    }
+
+    // Get users and delete
+    const allDocsResponse: AllDocsResponse<User> = await db.allDocs({
+      include_docs: true,
+      keys: userIds,
+    })
+    const usersToDelete: User[] = allDocsResponse.rows.map(
+      (user: RowResponse<User>) => {
+        return user.doc
+      }
+    )
+
+    // Delete from DB
+    const toDelete = usersToDelete.map(user => ({
+      ...user,
+      _deleted: true,
+    }))
+    const dbResponse = await usersCore.bulkUpdateGlobalUsers(toDelete)
+
+    await UserDB.quotas.removeUsers(toDelete.length)
+    for (let user of usersToDelete) {
+      await bulkDeleteProcessing(user)
+    }
+
+    // Build Response
+    // index users by id
+    const userIndex: { [key: string]: User } = {}
+    usersToDelete.reduce((prev, current) => {
+      prev[current._id!] = current
+      return prev
+    }, userIndex)
+
+    // add the successful and unsuccessful users to response
+    dbResponse.forEach(item => {
+      const email = userIndex[item.id].email
+      if (item.ok) {
+        response.successful.push({ _id: item.id, email })
+      } else {
+        response.unsuccessful.push({
+          _id: item.id,
+          email,
+          reason: "Database error",
+        })
+      }
+    })
+
+    return response
+  }
+
+  static async destroy(id: string) {
+    const db = getGlobalDB()
+    const dbUser = (await db.get(id)) as User
+    const userId = dbUser._id as string
+
+    if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
+      // root account holder can't be deleted from inside budibase
+      const email = dbUser.email
+      const account = await accounts.getAccount(email)
+      if (account) {
+        if (dbUser.userId === getIdentity()!._id) {
+          throw new HTTPError('Please visit "Account" to delete this user', 400)
+        } else {
+          throw new HTTPError("Account holder cannot be deleted", 400)
+        }
+      }
+    }
+
+    await platform.users.removeUser(dbUser)
+
+    await db.remove(userId, dbUser._rev)
+
+    await UserDB.quotas.removeUsers(1)
+    await eventHelpers.handleDeleteEvents(dbUser)
+    await cache.user.invalidateUser(userId)
+    await sessions.invalidateSessions(userId, { reason: "deletion" })
+  }
+}

packages/backend-core/src/users/events.ts

@@ -1,15 +1,18 @@
-import env from "../../environment"
+import env from "../environment"
-import { events, accounts, tenancy } from "@budibase/backend-core"
+import * as events from "../events"
+import * as accounts from "../accounts"
+import { getTenantId } from "../context"
 import { User, UserRoles, CloudAccount } from "@budibase/types"
+import { hasBuilderPermissions, hasAdminPermissions } from "./utils"
 
 export const handleDeleteEvents = async (user: any) => {
   await events.user.deleted(user)
 
-  if (isBuilder(user)) {
+  if (hasBuilderPermissions(user)) {
     await events.user.permissionBuilderRemoved(user)
   }
 
-  if (isAdmin(user)) {
+  if (hasAdminPermissions(user)) {
     await events.user.permissionAdminRemoved(user)
   }
 }
@@ -55,7 +58,7 @@ export const handleSaveEvents = async (
   user: User,
   existingUser: User | undefined
 ) => {
-  const tenantId = tenancy.getTenantId()
+  const tenantId = getTenantId()
   let tenantAccount: CloudAccount | undefined
   if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
     tenantAccount = await accounts.getAccountByTenantId(tenantId)
@@ -103,23 +106,20 @@ export const handleSaveEvents = async (
   await handleAppRoleEvents(user, existingUser)
 }
 
-const isBuilder = (user: any) => user.builder && user.builder.global
-const isAdmin = (user: any) => user.admin && user.admin.global
-
 export const isAddingBuilder = (user: any, existingUser: any) => {
-  return isAddingPermission(user, existingUser, isBuilder)
+  return isAddingPermission(user, existingUser, hasBuilderPermissions)
 }
 
 export const isRemovingBuilder = (user: any, existingUser: any) => {
-  return isRemovingPermission(user, existingUser, isBuilder)
+  return isRemovingPermission(user, existingUser, hasBuilderPermissions)
 }
 
 const isAddingAdmin = (user: any, existingUser: any) => {
-  return isAddingPermission(user, existingUser, isAdmin)
+  return isAddingPermission(user, existingUser, hasAdminPermissions)
 }
 
 const isRemovingAdmin = (user: any, existingUser: any) => {
-  return isRemovingPermission(user, existingUser, isAdmin)
+  return isRemovingPermission(user, existingUser, hasAdminPermissions)
 }
 
 const isOnboardingComplete = (user: any, existingUser: any) => {

packages/backend-core/src/users/index.ts

@@ -0,0 +1,4 @@
+export * from "./users"
+export * from "./utils"
+export * from "./lookup"
+export { UserDB } from "./db"

packages/backend-core/src/users/lookup.ts

@@ -0,0 +1,102 @@
+import {
+  AccountMetadata,
+  PlatformUser,
+  PlatformUserByEmail,
+  User,
+} from "@budibase/types"
+import * as dbUtils from "../db"
+import { ViewName } from "../constants"
+
+/**
+ * Apply a system-wide search on emails:
+ * - in tenant
+ * - cross tenant
+ * - accounts
+ * return an array of emails that match the supplied emails.
+ */
+export async function searchExistingEmails(emails: string[]) {
+  let matchedEmails: string[] = []
+
+  const existingTenantUsers = await getExistingTenantUsers(emails)
+  matchedEmails.push(...existingTenantUsers.map(user => user.email))
+
+  const existingPlatformUsers = await getExistingPlatformUsers(emails)
+  matchedEmails.push(...existingPlatformUsers.map(user => user._id!))
+
+  const existingAccounts = await getExistingAccounts(emails)
+  matchedEmails.push(...existingAccounts.map(account => account.email))
+
+  return [...new Set(matchedEmails.map(email => email.toLowerCase()))]
+}
+
+// lookup, could be email or userId, either will return a doc
+export async function getPlatformUser(
+  identifier: string
+): Promise<PlatformUser | null> {
+  // use the view here and allow to find anyone regardless of casing
+  // Use lowercase to ensure email login is case insensitive
+  return (await dbUtils.queryPlatformView(ViewName.PLATFORM_USERS_LOWERCASE, {
+    keys: [identifier.toLowerCase()],
+    include_docs: true,
+  })) as PlatformUser
+}
+
+export async function getExistingTenantUsers(
+  emails: string[]
+): Promise<User[]> {
+  const lcEmails = emails.map(email => email.toLowerCase())
+  const params = {
+    keys: lcEmails,
+    include_docs: true,
+  }
+
+  const opts = {
+    arrayResponse: true,
+  }
+
+  return (await dbUtils.queryGlobalView(
+    ViewName.USER_BY_EMAIL,
+    params,
+    undefined,
+    opts
+  )) as User[]
+}
+
+export async function getExistingPlatformUsers(
+  emails: string[]
+): Promise<PlatformUserByEmail[]> {
+  const lcEmails = emails.map(email => email.toLowerCase())
+  const params = {
+    keys: lcEmails,
+    include_docs: true,
+  }
+
+  const opts = {
+    arrayResponse: true,
+  }
+  return (await dbUtils.queryPlatformView(
+    ViewName.PLATFORM_USERS_LOWERCASE,
+    params,
+    opts
+  )) as PlatformUserByEmail[]
+}
+
+export async function getExistingAccounts(
+  emails: string[]
+): Promise<AccountMetadata[]> {
+  const lcEmails = emails.map(email => email.toLowerCase())
+  const params = {
+    keys: lcEmails,
+    include_docs: true,
+  }
+
+  const opts = {
+    arrayResponse: true,
+  }
+
+  return (await dbUtils.queryPlatformView(
+    ViewName.ACCOUNT_BY_EMAIL,
+    params,
+    opts
+  )) as AccountMetadata[]
+}

packages/backend-core/src/users/users.ts

@@ -11,10 +11,16 @@ import {
   SEPARATOR,
   UNICODE_MAX,
   ViewName,
-} from "./db"
+} from "../db"
-import { BulkDocsResponse, SearchUsersRequest, User } from "@budibase/types"
+import {
-import { getGlobalDB } from "./context"
+  BulkDocsResponse,
-import * as context from "./context"
+  SearchUsersRequest,
+  User,
+  ContextUser,
+} from "@budibase/types"
+import { getGlobalDB } from "../context"
+import * as context from "../context"
+import { user as userCache } from "../cache"
 
 type GetOpts = { cleanup?: boolean }
 
@@ -178,7 +184,7 @@ export const getGlobalUserByAppPage = (appId: string, user: User) => {
  * Performs a starts with search on the global email view.
  */
 export const searchGlobalUsersByEmail = async (
-  email: string,
+  email: string | unknown,
   opts: any,
   getOpts?: GetOpts
 ) => {
@@ -248,3 +254,23 @@ export async function getUserCount() {
   })
   return response.total_rows
 }
+
+// used to remove the builder/admin permissions, for processing the
+// user as an app user (they may have some specific role/group
+export function removePortalUserPermissions(user: User | ContextUser) {
+  delete user.admin
+  delete user.builder
+  return user
+}
+
+export function cleanseUserObject(user: User | ContextUser, base?: User) {
+  delete user.admin
+  delete user.builder
+  delete user.roles
+  if (base) {
+    user.admin = base.admin
+    user.builder = base.builder
+    user.roles = base.roles
+  }
+  return user
+}

packages/backend-core/src/users/utils.ts

@@ -0,0 +1,55 @@
+import { CloudAccount } from "@budibase/types"
+import * as accountSdk from "../accounts"
+import env from "../environment"
+import { getPlatformUser } from "./lookup"
+import { EmailUnavailableError } from "../errors"
+import { getTenantId } from "../context"
+import { sdk } from "@budibase/shared-core"
+import { getAccountByTenantId } from "../accounts"
+
+// extract from shared-core to make easily accessible from backend-core
+export const isBuilder = sdk.users.isBuilder
+export const isAdmin = sdk.users.isAdmin
+export const isGlobalBuilder = sdk.users.isGlobalBuilder
+export const isAdminOrBuilder = sdk.users.isAdminOrBuilder
+export const hasAdminPermissions = sdk.users.hasAdminPermissions
+export const hasBuilderPermissions = sdk.users.hasBuilderPermissions
+export const hasAppBuilderPermissions = sdk.users.hasAppBuilderPermissions
+
+export async function validateUniqueUser(email: string, tenantId: string) {
+  // check budibase users in other tenants
+  if (env.MULTI_TENANCY) {
+    const tenantUser = await getPlatformUser(email)
+    if (tenantUser != null && tenantUser.tenantId !== tenantId) {
+      throw new EmailUnavailableError(email)
+    }
+  }
+
+  // check root account users in account portal
+  if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
+    const account = await accountSdk.getAccount(email)
+    if (account && account.verified && account.tenantId !== tenantId) {
+      throw new EmailUnavailableError(email)
+    }
+  }
+}
+
+/**
+ * For the given user id's, return the account holder if it is in the ids.
+ */
+export async function getAccountHolderFromUserIds(
+  userIds: string[]
+): Promise<CloudAccount | undefined> {
+  if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
+    const tenantId = getTenantId()
+    const account = await getAccountByTenantId(tenantId)
+    if (!account) {
+      throw new Error(`Account not found for tenantId=${tenantId}`)
+    }
+
+    const budibaseUserId = account.budibaseUserId
+    if (userIds.includes(budibaseUserId)) {
+      return account
+    }
+  }
+}

packages/backend-core/tests/core/utilities/mocks/events.ts

@@ -1,5 +1,3 @@
-import * as events from "../../../../src/events"
-
 beforeAll(async () => {
   const processors = await import("../../../../src/events/processors")
   const events = await import("../../../../src/events")

packages/backend-core/tests/core/utilities/mocks/licenses.ts

@@ -94,6 +94,10 @@ export const useSyncAutomations = () => {
   return useFeature(Feature.SYNC_AUTOMATIONS)
 }
 
+export const useAppBuilders = () => {
+  return useFeature(Feature.APP_BUILDERS)
+}
+
 // QUOTAS
 
 export const setAutomationLogsQuota = (value: number) => {

packages/backend-core/tests/core/utilities/structures/users.ts

@@ -1,5 +1,6 @@
 import {
   AdminUser,
+  AdminOnlyUser,
   BuilderUser,
   SSOAuthDetails,
   SSOUser,
@@ -21,6 +22,15 @@ export const adminUser = (userProps?: any): AdminUser => {
   }
 }
 
+export const adminOnlyUser = (userProps?: any): AdminOnlyUser => {
+  return {
+    ...user(userProps),
+    admin: {
+      global: true,
+    },
+  }
+}
+
 export const builderUser = (userProps?: any): BuilderUser => {
   return {
     ...user(userProps),
@@ -30,6 +40,15 @@ export const builderUser = (userProps?: any): BuilderUser => {
   }
 }
 
+export const appBuilderUser = (appId: string, userProps?: any): BuilderUser => {
+  return {
+    ...user(userProps),
+    builder: {
+      apps: [appId],
+    },
+  }
+}
+
 export function ssoUser(
   opts: { user?: any; details?: SSOAuthDetails } = {}
 ): SSOUser {

packages/backend-core/tsconfig.json

@@ -4,9 +4,9 @@
     "composite": true,
     "baseUrl": ".",
     "paths": {
-      "@budibase/types": ["../types/src"]
+      "@budibase/types": ["../types/src"],
+      "@budibase/shared-core": ["../shared-core/src"]
     }
   },
-
   "exclude": ["node_modules", "dist"]
 }

packages/bbui/package.json

@@ -98,13 +98,13 @@
           {
             "projects": [
               "@budibase/string-templates",
-              "@budibase/shared-core"
+              "@budibase/shared-core",
+              "@budibase/types"
             ],
             "target": "build"
           }
         ]
       }
     }
-  },
+  }
-  "gitHead": "d1836a898cab3f8ab80ee6d8f42be1a9eed7dcdc"
 }

packages/builder/package.json

@@ -133,8 +133,21 @@
         "dependsOn": [
           {
             "projects": [
+              "@budibase/shared-core",
               "@budibase/string-templates",
-              "@budibase/shared-core"
+              "@budibase/types"
+            ],
+            "target": "build"
+          }
+        ]
+      },
+      "dev:builder": {
+        "dependsOn": [
+          {
+            "projects": [
+              "@budibase/shared-core",
+              "@budibase/string-templates",
+              "@budibase/types"
             ],
             "target": "build"
           }
@@ -145,13 +158,13 @@
           {
             "projects": [
               "@budibase/shared-core",
-              "@budibase/string-templates"
+              "@budibase/string-templates",
+              "@budibase/types"
             ],
             "target": "build"
           }
         ]
       }
     }
-  },
+  }
-  "gitHead": "115189f72a850bfb52b65ec61d932531bf327072"
 }

packages/builder/src/components/start/AppRow.svelte

@@ -1,16 +1,21 @@
 <script>
   import { Heading, Body, Button, Icon } from "@budibase/bbui"
   import { processStringSync } from "@budibase/string-templates"
+  import { auth } from "stores/portal"
   import { goto } from "@roxi/routify"
   import { UserAvatars } from "@budibase/frontend-core"
+  import { sdk } from "@budibase/shared-core"
 
   export let app
   export let lockedAction
 
   $: editing = app.sessions?.length
+  $: isBuilder = sdk.users.isBuilder($auth.user, app?.devId)
 
   const handleDefaultClick = () => {
-    if (window.innerWidth < 640) {
+    if (!isBuilder) {
+      goToApp()
+    } else if (window.innerWidth < 640) {
       goToOverview()
     } else {
       goToBuilder()
@@ -24,6 +29,10 @@
   const goToOverview = () => {
     $goto(`../../app/${app.devId}/settings`)
   }
+
+  const goToApp = () => {
+    window.open(`/app/${app.name}`, "_blank")
+  }
 </script>
 
 <div class="app-row" on:click={lockedAction || handleDefaultClick}>
@@ -39,7 +48,7 @@
   </div>
 
   <div class="updated">
-    {#if editing}
+    {#if editing && isBuilder}
       Currently editing
       <UserAvatars users={app.sessions} />
     {:else if app.updatedAt}
@@ -56,14 +65,21 @@
     <Body size="S">{app.deployed ? "Published" : "Unpublished"}</Body>
   </div>
 
-  <div class="app-row-actions">
+  {#if isBuilder}
-    <Button size="S" secondary on:click={lockedAction || goToOverview}>
+    <div class="app-row-actions">
-      Manage
+      <Button size="S" secondary on:click={lockedAction || goToOverview}>
-    </Button>
+        Manage
-    <Button size="S" primary on:click={lockedAction || goToBuilder}>
+      </Button>
-      Edit
+      <Button size="S" primary on:click={lockedAction || goToBuilder}>
-    </Button>
+        Edit
-  </div>
+      </Button>
+    </div>
+  {:else}
+    <!-- this can happen if an app builder has app user access to an app -->
+    <div class="app-row-actions">
+      <Button size="S" secondary>View</Button>
+    </div>
+  {/if}
 </div>
 
 <style>

packages/builder/src/pages/builder/app/[application]/_components/BuilderSidePanel.svelte

@@ -12,12 +12,12 @@
   } from "@budibase/bbui"
   import { store } from "builderStore"
   import { groups, licensing, apps, users, auth, admin } from "stores/portal"
-  import { fetchData } from "@budibase/frontend-core"
+  import { fetchData, Constants, Utils } from "@budibase/frontend-core"
+  import { sdk } from "@budibase/shared-core"
   import { API } from "api"
   import GroupIcon from "../../../portal/users/groups/_components/GroupIcon.svelte"
   import RoleSelect from "components/common/RoleSelect.svelte"
   import UpgradeModal from "components/common/users/UpgradeModal.svelte"
-  import { Constants, Utils } from "@budibase/frontend-core"
   import { emailValidator } from "helpers/validation"
   import { roles } from "stores/backend"
   import { fly } from "svelte/transition"
@@ -108,9 +108,9 @@
     await usersFetch.refresh()
 
     filteredUsers = $usersFetch.rows.map(user => {
-      const isBuilderOrAdmin = user.admin?.global || user.builder?.global
+      const isAdminOrBuilder = sdk.users.isAdminOrBuilder(user, prodAppId)
       let role = undefined
-      if (isBuilderOrAdmin) {
+      if (isAdminOrBuilder) {
         role = Constants.Roles.ADMIN
       } else {
         const appRole = Object.keys(user.roles).find(x => x === prodAppId)
@@ -122,7 +122,7 @@
       return {
         ...user,
         role,
-        isBuilderOrAdmin,
+        isAdminOrBuilder,
       }
     })
   }
@@ -258,7 +258,7 @@
     }
     // Must exclude users who have explicit privileges
     const userByEmail = filteredUsers.reduce((acc, user) => {
-      if (user.role || user.admin?.global || user.builder?.global) {
+      if (user.role || sdk.users.isAdminOrBuilder(user, prodAppId)) {
         acc.push(user.email)
       }
       return acc
@@ -389,9 +389,9 @@
   }
 
   const userTitle = user => {
-    if (user.admin?.global) {
+    if (sdk.users.isAdmin(user)) {
       return "Admin"
-    } else if (user.builder?.global) {
+    } else if (sdk.users.isBuilder(user, prodAppId)) {
       return "Developer"
     } else {
       return "App user"
@@ -403,7 +403,7 @@
       const role = $roles.find(role => role._id === user.role)
       return `This user has been given ${role?.name} access from the ${user.group} group`
     }
-    if (user.isBuilderOrAdmin) {
+    if (user.isAdminOrBuilder) {
       return "This user's role grants admin access to all apps"
     }
     return null
@@ -614,7 +614,7 @@
                     }}
                     autoWidth
                     align="right"
-                    allowedRoles={user.isBuilderOrAdmin
+                    allowedRoles={user.isAdminOrBuilder
                       ? [Constants.Roles.ADMIN]
                       : null}
                   />

packages/builder/src/pages/builder/app/[application]/settings/_layout.svelte

@@ -4,6 +4,8 @@
   import { url, isActive } from "@roxi/routify"
   import DeleteModal from "components/deploy/DeleteModal.svelte"
   import { isOnlyUser } from "builderStore"
+  import { auth } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   let deleteModal
 </script>
@@ -44,22 +46,24 @@
             url={$url("./version")}
             active={$isActive("./version")}
           />
-          <div class="delete-action">
+          {#if sdk.users.isGlobalBuilder($auth.user)}
-            <AbsTooltip
+            <div class="delete-action">
-              position={TooltipPosition.Bottom}
+              <AbsTooltip
-              text={$isOnlyUser
+                position={TooltipPosition.Bottom}
-                ? null
+                text={$isOnlyUser
-                : "Unavailable - another user is editing this app"}
+                  ? null
-            >
+                  : "Unavailable - another user is editing this app"}
-              <SideNavItem
+              >
-                text="Delete app"
+                <SideNavItem
-                disabled={!$isOnlyUser}
+                  text="Delete app"
-                on:click={() => {
+                  disabled={!$isOnlyUser}
-                  deleteModal.show()
+                  on:click={() => {
-                }}
+                    deleteModal.show()
-              />
+                  }}
-            </AbsTooltip>
+                />
-          </div>
+              </AbsTooltip>
+            </div>
+          {/if}
         </SideNav>
         <slot />
       </Content>

packages/builder/src/pages/builder/apps/index.svelte

@@ -22,7 +22,7 @@
   import Spaceman from "assets/bb-space-man.svg"
   import Logo from "assets/bb-emblem.svg"
   import { UserAvatar } from "@budibase/frontend-core"
-  import { helpers } from "@budibase/shared-core"
+  import { helpers, sdk } from "@budibase/shared-core"
 
   let loaded = false
   let userInfoModal
@@ -43,32 +43,30 @@
   $: userGroups = $groups.filter(group =>
     group.users.find(user => user._id === $auth.user?._id)
   )
-  let userApps = []
   $: publishedApps = $apps.filter(publishedAppsOnly)
+  $: userApps = getUserApps($auth.user)
 
-  $: {
+  function getUserApps(user) {
-    if (!Object.keys($auth.user?.roles).length && $auth.user?.userGroups) {
+    if (sdk.users.isAdmin(user)) {
-      userApps =
+      return publishedApps
-        $auth.user?.builder?.global || $auth.user?.admin?.global
-          ? publishedApps
-          : publishedApps.filter(app => {
-              return userGroups.find(group => {
-                return groups.actions
-                  .getGroupAppIds(group)
-                  .map(role => apps.extractAppId(role))
-                  .includes(app.appId)
-              })
-            })
-    } else {
-      userApps =
-        $auth.user?.builder?.global || $auth.user?.admin?.global
-          ? publishedApps
-          : publishedApps.filter(app =>
-              Object.keys($auth.user?.roles)
-                .map(x => apps.extractAppId(x))
-                .includes(app.appId)
-            )
     }
+    return publishedApps.filter(app => {
+      if (sdk.users.isBuilder(user, app.appId)) {
+        return true
+      }
+      if (!Object.keys(user?.roles).length && user?.userGroups) {
+        return userGroups.find(group => {
+          return groups.actions
+            .getGroupAppIds(group)
+            .map(role => apps.extractAppId(role))
+            .includes(app.appId)
+        })
+      } else {
+        return Object.keys($auth.user?.roles)
+          .map(x => apps.extractAppId(x))
+          .includes(app.appId)
+      }
+    })
   }
 
   function getUrl(app) {
@@ -109,7 +107,7 @@
               >
                 Update password
               </MenuItem>
-              {#if $auth.isBuilder}
+              {#if sdk.users.hasBuilderPermissions($auth.user)}
                 <MenuItem
                   icon="UserDeveloper"
                   on:click={() => $goto("../portal")}

packages/builder/src/pages/builder/index.svelte

@@ -1,11 +1,12 @@
 <script>
   import { redirect } from "@roxi/routify"
   import { auth } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   auth.checkQueryString()
 
   $: {
-    if ($auth.user?.builder?.global) {
+    if (sdk.users.hasBuilderPermissions($auth.user)) {
       $redirect(`./portal`)
     } else if ($auth.user) {
       $redirect(`./apps`)

packages/builder/src/pages/builder/portal/_components/UpgradeButton.svelte

@@ -3,6 +3,7 @@
   import { goto } from "@roxi/routify"
   import { auth, admin, licensing } from "stores/portal"
   import { isEnabled, TENANT_FEATURE_FLAGS } from "helpers/featureFlags"
+  import { sdk } from "@budibase/shared-core"
 </script>
 
 {#if isEnabled(TENANT_FEATURE_FLAGS.LICENSING) && !$licensing.isEnterprisePlan}
@@ -17,7 +18,7 @@
     >
       Upgrade
     </Button>
-  {:else if !$admin.cloud && $auth.isAdmin}
+  {:else if !$admin.cloud && sdk.users.isAdmin($auth.user)}
     <Button
       cta
       size="S"

packages/builder/src/pages/builder/portal/_layout.svelte

@@ -8,13 +8,14 @@
   import Logo from "./_components/Logo.svelte"
   import UserDropdown from "./_components/UserDropdown.svelte"
   import HelpMenu from "components/common/HelpMenu.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   let loaded = false
   let mobileMenuVisible = false
   let activeTab = "Apps"
 
   $: $url(), updateActiveTab($menu)
-  $: fullscreen = !$apps.length
+  $: isOnboarding = !$apps.length && sdk.users.isGlobalBuilder($auth.user)
 
   const updateActiveTab = menu => {
     for (let entry of menu) {
@@ -33,7 +34,7 @@
   onMount(async () => {
     // Prevent non-builders from accessing the portal
     if ($auth.user) {
-      if (!$auth.user?.builder?.global) {
+      if (!sdk.users.hasBuilderPermissions($auth.user)) {
         $redirect("../")
       } else {
         try {
@@ -49,7 +50,7 @@
 </script>
 
 {#if $auth.user && loaded}
-  {#if fullscreen}
+  {#if isOnboarding}
     <slot />
   {:else}
     <HelpMenu />

packages/builder/src/pages/builder/portal/account/upgrade.svelte

@@ -19,6 +19,7 @@
   import DeleteLicenseKeyModal from "../../../../components/portal/licensing/DeleteLicenseKeyModal.svelte"
   import { API } from "api"
   import { onMount } from "svelte"
+  import { sdk } from "@budibase/shared-core"
 
   $: license = $auth.user.license
   $: upgradeUrl = `${$admin.accountPortalUrl}/portal/upgrade`
@@ -176,7 +177,7 @@
   })
 </script>
 
-{#if $auth.isAdmin}
+{#if sdk.users.isAdmin($auth.user)}
   <DeleteLicenseKeyModal
     bind:this={deleteLicenseKeyModal}
     onConfirm={deleteLicenseKey}

packages/builder/src/pages/builder/portal/account/usage.svelte

@@ -14,6 +14,7 @@
   import { Constants } from "@budibase/frontend-core"
   import { DashCard, Usage } from "components/usage"
   import { PlanModel } from "constants"
+  import { sdk } from "@budibase/shared-core"
 
   let staticUsage = []
   let monthlyUsage = []
@@ -51,7 +52,8 @@
   $: accountPortalAccess = $auth?.user?.accountPortalAccess
   $: quotaReset = quotaUsage?.quotaReset
   $: canManagePlan =
-    ($admin.cloud && accountPortalAccess) || (!$admin.cloud && $auth.isAdmin)
+    ($admin.cloud && accountPortalAccess) ||
+    (!$admin.cloud && sdk.users.isAdmin($auth.user))
 
   $: showButton = !usesInvoicing && accountPortalAccess
 

packages/builder/src/pages/builder/portal/apps/_layout.svelte

@@ -1,11 +1,19 @@
 <script>
   import { notifications } from "@budibase/bbui"
-  import { admin, apps, templates, licensing, groups } from "stores/portal"
+  import {
+    admin,
+    apps,
+    templates,
+    licensing,
+    groups,
+    auth,
+  } from "stores/portal"
   import { onMount } from "svelte"
   import { redirect } from "@roxi/routify"
+  import { sdk } from "@budibase/shared-core"
 
   // Don't block loading if we've already hydrated state
-  let loaded = $apps.length > 0
+  let loaded = $apps.length != null
 
   onMount(async () => {
     try {
@@ -25,7 +33,7 @@
       }
 
       // Go to new app page if no apps exists
-      if (!$apps.length) {
+      if (!$apps.length && sdk.users.isGlobalBuilder($auth.user)) {
         $redirect("./onboarding")
       }
     } catch (error) {

packages/builder/src/pages/builder/portal/apps/index.svelte

@@ -15,6 +15,7 @@
   import CreateAppModal from "components/start/CreateAppModal.svelte"
   import AppLimitModal from "components/portal/licensing/AppLimitModal.svelte"
   import AccountLockedModal from "components/portal/licensing/AccountLockedModal.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   import { store, automationStore } from "builderStore"
   import { API } from "api"
@@ -203,40 +204,40 @@
   })
 </script>
 
-{#if $apps.length}
+<Page>
-  <Page>
+  <Layout noPadding gap="L">
-    <Layout noPadding gap="L">
+    {#each Object.keys(automationErrors || {}) as appId}
-      {#each Object.keys(automationErrors || {}) as appId}
+      <Notification
-        <Notification
+        wide
-          wide
+        dismissable
-          dismissable
+        action={() => goToAutomationError(appId)}
-          action={() => goToAutomationError(appId)}
+        type="error"
-          type="error"
+        icon="Alert"
-          icon="Alert"
+        actionMessage={errorCount(automationErrors[appId]) > 1
-          actionMessage={errorCount(automationErrors[appId]) > 1
+          ? "View errors"
-            ? "View errors"
+          : "View error"}
-            : "View error"}
+        on:dismiss={async () => {
-          on:dismiss={async () => {
+          await automationStore.actions.clearLogErrors({ appId })
-            await automationStore.actions.clearLogErrors({ appId })
+          await apps.load()
-            await apps.load()
+        }}
-          }}
+        message={automationErrorMessage(appId)}
-          message={automationErrorMessage(appId)}
+      />
-        />
+    {/each}
-      {/each}
+    <div class="title">
-      <div class="title">
+      <div class="welcome">
-        <div class="welcome">
+        <Layout noPadding gap="XS">
-          <Layout noPadding gap="XS">
+          <Heading size="L">{welcomeHeader}</Heading>
-            <Heading size="L">{welcomeHeader}</Heading>
+          <Body size="M">
-            <Body size="M">
+            Below you'll find the list of apps that you have access to
-              Manage your apps and get a head start with templates
+          </Body>
-            </Body>
+        </Layout>
-          </Layout>
-        </div>
       </div>
+    </div>
 
-      {#if enrichedApps.length}
+    {#if enrichedApps.length}
-        <Layout noPadding gap="L">
+      <Layout noPadding gap="L">
-          <div class="title">
+        <div class="title">
+          {#if $auth.user && sdk.users.isGlobalBuilder($auth.user)}
             <div class="buttons">
               <Button
                 size="M"
@@ -266,41 +267,46 @@
                 </Button>
               {/if}
             </div>
-            {#if enrichedApps.length > 1}
+          {/if}
-              <div class="app-actions">
+          {#if enrichedApps.length > 1}
-                <Select
+            <div class="app-actions">
-                  autoWidth
+              <Select
-                  bind:value={sortBy}
+                autoWidth
-                  placeholder={null}
+                bind:value={sortBy}
-                  options={[
+                placeholder={null}
-                    { label: "Sort by name", value: "name" },
+                options={[
-                    { label: "Sort by recently updated", value: "updated" },
+                  { label: "Sort by name", value: "name" },
-                    { label: "Sort by status", value: "status" },
+                  { label: "Sort by recently updated", value: "updated" },
-                  ]}
+                  { label: "Sort by status", value: "status" },
-                />
+                ]}
-                <Search placeholder="Search" bind:value={searchTerm} />
+              />
-              </div>
+              <Search placeholder="Search" bind:value={searchTerm} />
-            {/if}
+            </div>
-          </div>
+          {/if}
-
-          <div class="app-table">
-            {#each filteredApps as app (app.appId)}
-              <AppRow {app} lockedAction={usersLimitLockAction} />
-            {/each}
-          </div>
-        </Layout>
-      {/if}
-
-      {#if creatingFromTemplate}
-        <div class="empty-wrapper">
-          <img class="img-logo img-size" alt="logo" src={Logo} />
-          <p>Creating your Budibase app from your selected template...</p>
-          <Spinner size="10" />
         </div>
-      {/if}
+
-    </Layout>
+        <div class="app-table">
-  </Page>
+          {#each filteredApps as app (app.appId)}
-{/if}
+            <AppRow {app} lockedAction={usersLimitLockAction} />
+          {/each}
+        </div>
+      </Layout>
+    {:else}
+      <div class="no-apps">
+        <img class="spaceman" alt="spaceman" src={Logo} width="100px" />
+        <Body weight="700">You haven't been given access to any apps yet</Body>
+      </div>
+    {/if}
+
+    {#if creatingFromTemplate}
+      <div class="empty-wrapper">
+        <img class="img-logo img-size" alt="logo" src={Logo} />
+        <p>Creating your Budibase app from your selected template...</p>
+        <Spinner size="10" />
+      </div>
+    {/if}
+  </Layout>
+</Page>
 
 <Modal
   bind:this={creationModal}
@@ -368,6 +374,16 @@
     height: 160px;
   }
 
+  .no-apps {
+    background-color: var(--spectrum-global-color-gray-100);
+    padding: calc(var(--spacing-xl) * 2);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    flex-direction: column;
+    gap: var(--spacing-xl);
+  }
+
   @media (max-width: 1000px) {
     .img-logo {
       display: none;

packages/builder/src/pages/builder/portal/settings/branding.svelte

@@ -18,6 +18,7 @@
   import { API } from "api"
   import { onMount } from "svelte"
   import { goto } from "@roxi/routify"
+  import { sdk } from "@budibase/shared-core"
 
   const imageExtensions = [
     ".png",
@@ -206,7 +207,7 @@
   })
 </script>
 
-{#if $auth.isAdmin && mounted}
+{#if sdk.users.isAdmin($auth.user) && mounted}
   <Layout noPadding>
     <Layout gap="XS" noPadding>
       <div class="title">
@@ -400,7 +401,7 @@
           on:click={() => {
             if (isCloud && $auth?.user?.accountPortalAccess) {
               window.open($admin.accountPortalUrl + "/portal/upgrade", "_blank")
-            } else if ($auth.isAdmin) {
+            } else if (sdk.users.isAdmin($auth.user)) {
               $goto("/builder/portal/account/upgrade")
             }
           }}

packages/builder/src/pages/builder/portal/settings/diagnostics.svelte

@@ -13,6 +13,7 @@
   import { redirect } from "@roxi/routify"
   import { API } from "api"
   import { onMount } from "svelte"
+  import { sdk } from "@budibase/shared-core"
 
   let diagnosticInfo = ""
 
@@ -46,7 +47,7 @@
   })
 </script>
 
-{#if $auth.isAdmin && diagnosticInfo}
+{#if sdk.users.isAdmin($auth.user) && diagnosticInfo}
   <Layout noPadding>
     <Layout gap="XS">
       <Heading size="M">Diagnostics</Heading>

packages/builder/src/pages/builder/portal/settings/organisation.svelte

@@ -13,10 +13,11 @@
   import { auth, organisation, admin } from "stores/portal"
   import { writable } from "svelte/store"
   import { redirect } from "@roxi/routify"
+  import { sdk } from "@budibase/shared-core"
 
   // Only admins allowed here
   $: {
-    if (!$auth.isAdmin) {
+    if (!sdk.users.isAdmin($auth.user)) {
       $redirect("../../portal")
     }
   }
@@ -50,7 +51,7 @@
   }
 </script>
 
-{#if $auth.isAdmin}
+{#if sdk.users.isAdmin($auth.user)}
   <Layout noPadding>
     <Layout gap="XS" noPadding>
       <Heading size="M">Organisation</Heading>

packages/builder/src/pages/builder/portal/settings/version.svelte

@@ -14,6 +14,7 @@
   import { API } from "api"
   import { auth, admin } from "stores/portal"
   import { redirect } from "@roxi/routify"
+  import { sdk } from "@budibase/shared-core"
 
   let version
   let loaded = false
@@ -25,7 +26,7 @@
 
   // Only admins allowed here
   $: {
-    if (!$auth.isAdmin || $admin.cloud) {
+    if (!sdk.users.isAdmin($auth.user) || $admin.cloud) {
       $redirect("../../portal")
     }
   }
@@ -89,7 +90,7 @@
   })
 </script>
 
-{#if $auth.isAdmin}
+{#if sdk.users.isAdmin($auth.user)}
   <Layout noPadding>
     <Layout gap="XS" noPadding>
       <Heading size="M">Version</Heading>

packages/builder/src/pages/builder/portal/users/groups/[groupId].svelte

@@ -20,6 +20,7 @@
   import CreateEditGroupModal from "./_components/CreateEditGroupModal.svelte"
   import GroupIcon from "./_components/GroupIcon.svelte"
   import GroupUsers from "./_components/GroupUsers.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   export let groupId
 
@@ -46,7 +47,7 @@
   let editModal, deleteModal
 
   $: scimEnabled = $features.isScimEnabled
-  $: readonly = !$auth.isAdmin || scimEnabled
+  $: readonly = !sdk.users.isAdmin($auth.user) || scimEnabled
   $: group = $groups.find(x => x._id === groupId)
   $: groupApps = $apps
     .filter(app =>

packages/builder/src/pages/builder/portal/users/groups/_components/EditUserPicker.svelte

@@ -3,6 +3,7 @@
   import UserGroupPicker from "components/settings/UserGroupPicker.svelte"
   import { createPaginationStore } from "helpers/pagination"
   import { auth, groups, users } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   export let groupId
   export let onUsersUpdated
@@ -13,7 +14,7 @@
   let prevSearch = undefined
   let pageInfo = createPaginationStore()
 
-  $: readonly = !$auth.isAdmin
+  $: readonly = !sdk.users.isAdmin($auth.user)
   $: page = $pageInfo.page
   $: searchUsers(page, searchTerm)
   $: group = $groups.find(x => x._id === groupId)

packages/builder/src/pages/builder/portal/users/groups/_components/GroupUsers.svelte

@@ -9,6 +9,7 @@
   import { setContext } from "svelte"
   import ScimBanner from "../../_components/SCIMBanner.svelte"
   import RemoveUserTableRenderer from "../_components/RemoveUserTableRenderer.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   export let groupId
 
@@ -49,7 +50,7 @@
   ]
 
   $: scimEnabled = $features.isScimEnabled
-  $: readonly = !$auth.isAdmin || scimEnabled
+  $: readonly = !sdk.users.isAdmin($auth.user) || scimEnabled
 
   const removeUser = async id => {
     await groups.actions.removeUser(groupId, id)

packages/builder/src/pages/builder/portal/users/groups/_components/RemoveUserTableRenderer.svelte

@@ -2,6 +2,7 @@
   import { ActionButton } from "@budibase/bbui"
   import { getContext } from "svelte"
   import { auth } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   export let value
 
@@ -13,6 +14,10 @@
   }
 </script>
 
-<ActionButton disabled={!$auth.isAdmin} size="S" on:click={onClick}>
+<ActionButton
+  disabled={!sdk.users.isAdmin($auth.user)}
+  size="S"
+  on:click={onClick}
+>
   Remove
 </ActionButton>

packages/builder/src/pages/builder/portal/users/groups/index.svelte

@@ -22,6 +22,7 @@
   import GroupNameTableRenderer from "./_components/GroupNameTableRenderer.svelte"
   import { goto } from "@roxi/routify"
   import ScimBanner from "../_components/SCIMBanner.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   const DefaultGroup = {
     name: "",
@@ -40,7 +41,7 @@
     { column: "roles", component: GroupAppsTableRenderer },
   ]
 
-  $: readonly = !$auth.isAdmin
+  $: readonly = !sdk.users.isAdmin($auth.user)
   $: schema = {
     name: { displayName: "Group", width: "2fr", minWidth: "200px" },
     users: { sortable: false, width: "1fr" },

packages/builder/src/pages/builder/portal/users/users/[userId].svelte

@@ -31,6 +31,7 @@
   import AppNameTableRenderer from "./_components/AppNameTableRenderer.svelte"
   import AppRoleTableRenderer from "./_components/AppRoleTableRenderer.svelte"
   import ScimBanner from "../_components/SCIMBanner.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   export let userId
 
@@ -87,8 +88,8 @@
 
   $: scimEnabled = $features.isScimEnabled
   $: isSSO = !!user?.provider
-  $: readonly = !$auth.isAdmin || scimEnabled
+  $: readonly = !sdk.users.isAdmin($auth.user) || scimEnabled
-  $: privileged = user?.admin?.global || user?.builder?.global
+  $: privileged = sdk.users.isAdminOrBuilder(user)
   $: nameLabel = getNameLabel(user)
   $: filteredGroups = getFilteredGroups($groups, searchTerm)
   $: availableApps = getAvailableApps($apps, privileged, user?.roles)
@@ -97,9 +98,9 @@
       return y._id === userId
     })
   })
-  $: globalRole = user?.admin?.global
+  $: globalRole = sdk.users.isAdmin(user)
     ? "admin"
-    : user?.builder?.global
+    : sdk.users.isBuilder(user)
     ? "developer"
     : "appUser"
 
@@ -285,7 +286,7 @@
           <div class="field">
             <Label size="L">Role</Label>
             <Select
-              disabled={!$auth.isAdmin}
+              disabled={!sdk.users.isAdmin($auth.user)}
               value={globalRole}
               options={Constants.BudibaseRoleOptions}
               on:change={updateUserRole}

packages/builder/src/pages/builder/portal/users/users/_components/AppsTableRenderer.svelte

@@ -1,11 +1,12 @@
 <script>
   import { Icon } from "@budibase/bbui"
   import { apps } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   export let value
   export let row
 
-  $: priviliged = row?.admin?.global || row?.builder?.global
+  $: priviliged = sdk.users.isAdminOrBuilder(row)
   $: count = priviliged ? $apps.length : value?.length || 0
 </script>
 

packages/builder/src/pages/builder/portal/users/users/_components/RemoveGroupTableRenderer.svelte

@@ -2,6 +2,7 @@
   import { ActionButton } from "@budibase/bbui"
   import { getContext } from "svelte"
   import { auth } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   export let value
 
@@ -13,6 +14,10 @@
   }
 </script>
 
-<ActionButton disabled={!$auth.isAdmin} size="S" on:click={onClick}>
+<ActionButton
+  disabled={!sdk.users.isAdmin($auth.user)}
+  size="S"
+  on:click={onClick}
+>
   Remove
 </ActionButton>

packages/builder/src/pages/builder/portal/users/users/_components/UpdateRolesModal.svelte

@@ -2,6 +2,7 @@
   import { createEventDispatcher } from "svelte"
   import { Body, Select, ModalContent, notifications } from "@budibase/bbui"
   import { users } from "stores/portal"
+  import { sdk } from "@budibase/shared-core"
 
   export let app
   export let user
@@ -15,7 +16,7 @@
     .filter(role => role._id !== "PUBLIC")
     .map(role => ({ value: role._id, label: role.name }))
 
-  if (!user?.builder?.global) {
+  if (!sdk.users.isBuilder(user, app?.appId)) {
     options.push({ value: NO_ACCESS, label: "No Access" })
   }
   let selectedRole = user?.roles?.[app?._id]

packages/builder/src/pages/builder/portal/users/users/index.svelte

@@ -39,6 +39,7 @@
   import { API } from "api"
   import { OnboardingType } from "../../../../../constants"
   import ScimBanner from "../_components/SCIMBanner.svelte"
+  import { sdk } from "@budibase/shared-core"
 
   const fetch = fetchData({
     API,
@@ -66,7 +67,7 @@
   let userData = []
 
   $: isOwner = $auth.accountPortalAccess && $admin.cloud
-  $: readonly = !$auth.isAdmin || $features.isScimEnabled
+  $: readonly = !sdk.users.isAdmin($auth.user) || $features.isScimEnabled
 
   $: debouncedUpdateFetch(searchEmail)
   $: schema = {

packages/builder/src/stores/portal/auth.js

@@ -2,6 +2,7 @@ import { derived, writable, get } from "svelte/store"
 import { API } from "api"
 import { admin } from "stores/portal"
 import analytics from "analytics"
+import { sdk } from "@budibase/shared-core"
 
 export function createAuthStore() {
   const auth = writable({
@@ -13,13 +14,6 @@ export function createAuthStore() {
     postLogout: false,
   })
   const store = derived(auth, $store => {
-    let isAdmin = false
-    let isBuilder = false
-    if ($store.user) {
-      const user = $store.user
-      isAdmin = !!user.admin?.global
-      isBuilder = !!user.builder?.global
-    }
     return {
       user: $store.user,
       accountPortalAccess: $store.accountPortalAccess,
@@ -27,8 +21,6 @@ export function createAuthStore() {
       tenantSet: $store.tenantSet,
       loaded: $store.loaded,
       postLogout: $store.postLogout,
-      isAdmin,
-      isBuilder,
       isSSO: !!$store.user?.provider,
     }
   })
@@ -57,8 +49,8 @@ export function createAuthStore() {
               name: user.account?.name,
               user_id: user._id,
               tenant: user.tenantId,
-              admin: user?.admin?.global,
+              admin: sdk.users.isAdmin(user),
-              builder: user?.builder?.global,
+              builder: sdk.users.isBuilder(user),
               "Company size": user.account?.size,
               "Job role": user.account?.profession,
             },

packages/builder/src/stores/portal/menu.js

@@ -2,8 +2,12 @@ import { derived } from "svelte/store"
 import { isEnabled, TENANT_FEATURE_FLAGS } from "helpers/featureFlags"
 import { admin } from "./admin"
 import { auth } from "./auth"
+import { sdk } from "@budibase/shared-core"
 
 export const menu = derived([admin, auth], ([$admin, $auth]) => {
+  const user = $auth?.user
+  const isAdmin = sdk.users.isAdmin(user)
+  const cloud = $admin?.cloud
   // Determine user sub pages
   let userSubPages = [
     {
@@ -24,19 +28,21 @@ export const menu = derived([admin, auth], ([$admin, $auth]) => {
       title: "Apps",
       href: "/builder/portal/apps",
     },
-    {
+  ]
+  if (sdk.users.isGlobalBuilder(user)) {
+    menu.push({
       title: "Users",
       href: "/builder/portal/users",
       subPages: userSubPages,
-    },
+    })
-    {
+    menu.push({
       title: "Plugins",
       href: "/builder/portal/plugins",
-    },
+    })
-  ]
+  }
 
   // Add settings page for admins
-  if ($auth.isAdmin) {
+  if (isAdmin) {
     let settingsSubPages = [
       {
         title: "Auth",
@@ -59,7 +65,7 @@ export const menu = derived([admin, auth], ([$admin, $auth]) => {
         href: "/builder/portal/settings/environment",
       },
     ]
-    if (!$admin.cloud) {
+    if (!cloud) {
       settingsSubPages.push({
         title: "Version",
         href: "/builder/portal/settings/version",
@@ -84,38 +90,35 @@ export const menu = derived([admin, auth], ([$admin, $auth]) => {
         href: "/builder/portal/account/usage",
       },
     ]
-    if ($auth.isAdmin) {
+    if (isAdmin) {
       accountSubPages.push({
         title: "Audit Logs",
         href: "/builder/portal/account/auditLogs",
       })
 
-      if (!$admin.cloud) {
+      if (!cloud) {
         accountSubPages.push({
           title: "System Logs",
           href: "/builder/portal/account/systemLogs",
         })
       }
     }
-    if ($admin.cloud && $auth?.user?.accountPortalAccess) {
+    if (cloud && user?.accountPortalAccess) {
       accountSubPages.push({
         title: "Upgrade",
-        href: $admin.accountPortalUrl + "/portal/upgrade",
+        href: $admin?.accountPortalUrl + "/portal/upgrade",
       })
-    } else if (!$admin.cloud && $auth.isAdmin) {
+    } else if (!cloud && isAdmin) {
       accountSubPages.push({
         title: "Upgrade",
         href: "/builder/portal/account/upgrade",
       })
     }
     // add license check here
-    if (
+    if (user?.accountPortalAccess && user.account.stripeCustomerId) {
-      $auth?.user?.accountPortalAccess &&
-      $auth.user.account.stripeCustomerId
-    ) {
       accountSubPages.push({
         title: "Billing",
-        href: $admin.accountPortalUrl + "/portal/billing",
+        href: $admin?.accountPortalUrl + "/portal/billing",
       })
     }
     menu.push({

packages/builder/src/stores/portal/users.js

@@ -2,6 +2,7 @@ import { writable } from "svelte/store"
 import { API } from "api"
 import { update } from "lodash"
 import { licensing } from "."
+import { sdk } from "@budibase/shared-core"
 
 export function createUsersStore() {
   const { subscribe, set } = writable({})
@@ -111,8 +112,12 @@ export function createUsersStore() {
     return await API.saveUser(user)
   }
 
-  const getUserRole = ({ admin, builder }) =>
+  const getUserRole = user =>
-    admin?.global ? "admin" : builder?.global ? "developer" : "appUser"
+    sdk.users.isAdmin(user)
+      ? "admin"
+      : sdk.users.isBuilder(user)
+      ? "developer"
+      : "appUser"
 
   const refreshUsage =
     fn =>

packages/cli/package.json

@@ -14,6 +14,7 @@
     "tsc": "tsc -p tsconfig.build.json",
     "pkg": "pkg . --out-path build --no-bytecode --public --public-packages \"*\" -C GZip",
     "build": "yarn prebuild && yarn rename && yarn tsc && yarn pkg && yarn postbuild",
+    "check:types": "tsc -p tsconfig.json --noEmit --paths null",
     "postbuild": "rm -rf prebuilds 2> /dev/null"
   },
   "pkg": {
@@ -45,7 +46,7 @@
     "lookpath": "1.1.0",
     "node-fetch": "2.6.7",
     "pkg": "5.8.0",
-    "posthog-node": "1.0.7",
+    "posthog-node": "1.3.0",
     "pouchdb": "7.3.0",
     "pouchdb-replication-stream": "1.2.9",
     "randomstring": "1.1.5",
@@ -70,7 +71,8 @@
         "dependsOn": [
           {
             "projects": [
-              "@budibase/backend-core"
+              "@budibase/backend-core",
+              "@budibase/string-templates"
             ],
             "target": "build"
           }

packages/cli/tsconfig.json

@@ -16,7 +16,6 @@
     "require": ["tsconfig-paths/register"],
     "swc": true
   },
-  "references": [{ "path": "../types" }, { "path": "../backend-core" }],
   "include": ["src/**/*", "package.json"],
   "exclude": ["node_modules", "dist"]
 }

packages/client/package.json

@@ -70,14 +70,26 @@
         "dependsOn": [
           {
             "projects": [
+              "@budibase/shared-core",
               "@budibase/string-templates",
-              "@budibase/shared-core"
+              "@budibase/types"
+            ],
+            "target": "build"
+          }
+        ]
+      },
+      "dev:builder": {
+        "dependsOn": [
+          {
+            "projects": [
+              "@budibase/shared-core",
+              "@budibase/string-templates",
+              "@budibase/types"
             ],
             "target": "build"
           }
         ]
       }
     }
-  },
+  }
-  "gitHead": "d1836a898cab3f8ab80ee6d8f42be1a9eed7dcdc"
 }

packages/client/rollup.config.js

@@ -25,11 +25,11 @@ const devPaths = production
   : [
       {
         find: "@budibase/shared-core",
-        replacement: path.resolve("../shared-core/dist/mjs/src/index"),
+        replacement: path.resolve("../shared-core/dist/index"),
       },
       {
         find: "@budibase/types",
-        replacement: path.resolve("../types/dist/mjs/index"),
+        replacement: path.resolve("../types/dist/index"),
       },
     ]
 

packages/pro

@@ -1 +1 @@
-Subproject commit 63fa1b15f6e2afa8a264d597157fd798c9ce031c
+Subproject commit cf3bef2aad9c739111b306fd0712397adc363f81

packages/server/nodemon.json

@@ -1,10 +1,13 @@
 {
-  "watch": ["src", "../backend-core", "../pro"],
+  "watch": [
-  "ext": "js,ts,json",
+    "src",
-  "ignore": [
+    "../backend-core",
-    "src/**/*.spec.ts",
+    "../pro",
-    "src/**/*.spec.js",
+    "../types",
-    "../backend-core/dist/**/*"
+    "../shared-core",
+    "../string-templates"
   ],
+  "ext": "js,ts,json",
+  "ignore": ["src/**/*.spec.ts", "src/**/*.spec.js", "../*/dist/**/*"],
   "exec": "yarn build && node ./dist/index.js"
 }

packages/server/package.json

@@ -11,7 +11,7 @@
   "scripts": {
     "prebuild": "rimraf dist/",
     "build": "node ./scripts/build.js",
-    "check:types": "tsc -p tsconfig.build.json --noEmit",
+    "check:types": "tsc -p tsconfig.json --noEmit --paths null",
     "postbuild": "copyfiles -f ../client/dist/budibase-client.js ../client/manifest.json client",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
     "debug": "yarn build && node --expose-gc --inspect=9222 dist/index.js",
@@ -179,31 +179,5 @@
   },
   "optionalDependencies": {
     "oracledb": "5.3.0"
-  },
+  }
-  "nx": {
-    "targets": {
-      "dev:builder": {
-        "dependsOn": [
-          {
-            "projects": [
-              "@budibase/backend-core"
-            ],
-            "target": "build"
-          }
-        ]
-      },
-      "test": {
-        "dependsOn": [
-          {
-            "projects": [
-              "@budibase/string-templates",
-              "@budibase/shared-core"
-            ],
-            "target": "build"
-          }
-        ]
-      }
-    }
-  },
-  "gitHead": "d1836a898cab3f8ab80ee6d8f42be1a9eed7dcdc"
 }

packages/server/scripts/integrations/postgres/init.sql

@@ -1,6 +1,6 @@
 SELECT 'CREATE DATABASE main'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'main')\gexec
-CREATE SCHEMA test;
+CREATE SCHEMA "test-1";
 CREATE TYPE person_job AS ENUM ('qa', 'programmer', 'designer');
 CREATE TABLE Persons (
     PersonID SERIAL PRIMARY KEY,
@@ -39,7 +39,7 @@ CREATE TABLE Products_Tasks (
             REFERENCES Tasks(TaskID),
     PRIMARY KEY (ProductID, TaskID)
 );
-CREATE TABLE test.table1 (
+CREATE TABLE "test-1".table1 (
   id SERIAL PRIMARY KEY,
   Name varchar(255)
 );
@@ -60,7 +60,7 @@ INSERT INTO Products_Tasks (ProductID, TaskID) VALUES (1, 1);
 INSERT INTO Products_Tasks (ProductID, TaskID) VALUES (2, 1);
 INSERT INTO Products_Tasks (ProductID, TaskID) VALUES (3, 1);
 INSERT INTO Products_Tasks (ProductID, TaskID) VALUES (1, 2);
-INSERT INTO test.table1 (Name) VALUES ('Test');
+INSERT INTO "test-1".table1 (Name) VALUES ('Test');
 INSERT INTO CompositeTable (KeyPartOne, KeyPartTwo, Name) VALUES ('aaa', 'bbb', 'Michael');
 INSERT INTO CompositeTable (KeyPartOne, KeyPartTwo, Name) VALUES ('bbb', 'ccc', 'Andrew');
 INSERT INTO CompositeTable (KeyPartOne, KeyPartTwo, Name) VALUES ('ddd', '', 'OneKey');

packages/server/scripts/test.sh

@@ -5,8 +5,8 @@ if [[ -n $CI ]]
 then
   # --runInBand performs better in ci where resources are limited
   export NODE_OPTIONS="--max-old-space-size=4096"
-  echo "jest --coverage --runInBand --forceExit"
+  echo "jest --coverage --runInBand --forceExit --bail"
-  jest --coverage --runInBand --forceExit
+  jest --coverage --runInBand --forceExit --bail
 else
   # --maxWorkers performs better in development
   echo "jest --coverage --maxWorkers=2 --forceExit"

packages/server/src/api/controllers/application.ts

@@ -30,6 +30,7 @@ import {
   objectStore,
   roles,
   tenancy,
+  users,
 } from "@budibase/backend-core"
 import { USERS_TABLE_SCHEMA } from "../../constants"
 import {
@@ -49,8 +50,8 @@ import {
   MigrationType,
   PlanType,
   Screen,
-  SocketSession,
   UserCtx,
+  ContextUser,
 } from "@budibase/types"
 import { BASE_LAYOUT_PROP_IDS } from "../../constants/layouts"
 import sdk from "../../sdk"
@@ -177,32 +178,10 @@ export const addSampleData = async (ctx: UserCtx) => {
 }
 
 export async function fetch(ctx: UserCtx) {
-  const dev = ctx.query && ctx.query.status === AppStatus.DEV
+  ctx.body = await sdk.applications.fetch(
-  const all = ctx.query && ctx.query.status === AppStatus.ALL
+    ctx.query.status as AppStatus,
-  const apps = (await dbCore.getAllApps({ dev, all })) as App[]
+    ctx.user
-
+  )
-  const appIds = apps
-    .filter((app: any) => app.status === "development")
-    .map((app: any) => app.appId)
-
-  // get the locks for all the dev apps
-  if (dev || all) {
-    const locks = await getLocksById(appIds)
-    for (let app of apps) {
-      const lock = locks[app.appId]
-      if (lock) {
-        app.lockedBy = lock
-      } else {
-        // make sure its definitely not present
-        delete app.lockedBy
-      }
-    }
-  }
-
-  // Enrich apps with all builder user sessions
-  const enrichedApps = await sdk.users.sessions.enrichApps(apps)
-
-  ctx.body = await checkAppMetadata(enrichedApps)
 }
 
 export async function fetchAppDefinition(ctx: UserCtx) {
@@ -222,6 +201,7 @@ export async function fetchAppDefinition(ctx: UserCtx) {
 
 export async function fetchAppPackage(ctx: UserCtx) {
   const db = context.getAppDB()
+  const appId = context.getAppId()
   let application = await db.get<any>(DocumentType.APP_METADATA)
   const layouts = await getLayouts()
   let screens = await getScreens()
@@ -233,7 +213,7 @@ export async function fetchAppPackage(ctx: UserCtx) {
   )
 
   // Only filter screens if the user is not a builder
-  if (!(ctx.user.builder && ctx.user.builder.global)) {
+  if (!users.isBuilder(ctx.user, appId)) {
     const userRoleId = getUserRoleId(ctx)
     const accessController = new roles.AccessController()
     screens = await accessController.checkScreensAccess(screens, userRoleId)

packages/server/src/api/controllers/view/viewsV2.ts

@@ -49,12 +49,18 @@ async function parseSchemaUI(ctx: Ctx, view: CreateViewRequest) {
   const schemaUI =
     view.schema &&
     Object.entries(view.schema).reduce((p, [fieldName, schemaValue]) => {
-      p[fieldName] = {
+      const fieldSchema: RequiredKeys<UIFieldMetadata> = {
         order: schemaValue.order,
         width: schemaValue.width,
         visible: schemaValue.visible,
         icon: schemaValue.icon,
       }
+      Object.entries(fieldSchema)
+        .filter(([_, val]) => val === undefined)
+        .forEach(([key]) => {
+          delete fieldSchema[key as keyof UIFieldMetadata]
+        })
+      p[fieldName] = fieldSchema
       return p
     }, {} as Record<string, RequiredKeys<UIFieldMetadata>>)
   return schemaUI
@@ -66,13 +72,14 @@ export async function create(ctx: Ctx<CreateViewRequest, ViewResponse>) {
 
   const schemaUI = await parseSchemaUI(ctx, view)
 
-  const parsedView: Omit<ViewV2, "id" | "version"> = {
+  const parsedView: Omit<RequiredKeys<ViewV2>, "id" | "version"> = {
     name: view.name,
     tableId: view.tableId,
     query: view.query,
     sort: view.sort,
     columns: view.schema && Object.keys(view.schema),
     schemaUI,
+    primaryDisplay: view.primaryDisplay,
   }
   const result = await sdk.views.create(tableId, parsedView)
   ctx.status = 201
@@ -95,7 +102,7 @@ export async function update(ctx: Ctx<UpdateViewRequest, ViewResponse>) {
   const { tableId } = view
 
   const schemaUI = await parseSchemaUI(ctx, view)
-  const parsedView: ViewV2 = {
+  const parsedView: RequiredKeys<ViewV2> = {
     id: view.id,
     name: view.name,
     version: view.version,
@@ -104,6 +111,7 @@ export async function update(ctx: Ctx<UpdateViewRequest, ViewResponse>) {
     sort: view.sort,
     columns: view.schema && Object.keys(view.schema),
     schemaUI,
+    primaryDisplay: view.primaryDisplay,
   }
 
   const result = await sdk.views.update(tableId, parsedView)

packages/server/src/api/routes/application.ts

@@ -15,7 +15,7 @@ router
   )
   .post(
     "/api/applications",
-    authorized(permissions.BUILDER),
+    authorized(permissions.GLOBAL_BUILDER),
     applicationValidator(),
     controller.create
   )
@@ -55,7 +55,7 @@ router
   )
   .delete(
     "/api/applications/:appId",
-    authorized(permissions.BUILDER),
+    authorized(permissions.GLOBAL_BUILDER),
     controller.destroy
   )
 

packages/server/src/api/routes/plugin.ts

@@ -8,14 +8,18 @@ const router: Router = new Router()
 router
   .post(
     "/api/plugin/upload",
-    authorized(permissions.BUILDER),
+    authorized(permissions.GLOBAL_BUILDER),
     controller.upload
   )
-  .post("/api/plugin", authorized(permissions.BUILDER), controller.create)
+  .post(
-  .get("/api/plugin", authorized(permissions.BUILDER), controller.fetch)
+    "/api/plugin",
+    authorized(permissions.GLOBAL_BUILDER),
+    controller.create
+  )
+  .get("/api/plugin", authorized(permissions.GLOBAL_BUILDER), controller.fetch)
   .delete(
     "/api/plugin/:pluginId",
-    authorized(permissions.BUILDER),
+    authorized(permissions.GLOBAL_BUILDER),
     controller.destroy
   )
 

packages/server/src/api/routes/public/index.ts

@@ -7,14 +7,14 @@ import userEndpoints from "./users"
 import authorized from "../../../middleware/authorized"
 import publicApi from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
+import { PermissionType, PermissionLevel } from "@budibase/types"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
 import env from "../../../environment"
 // below imports don't have declaration files
 const Router = require("@koa/router")
 const { RateLimit, Stores } = require("koa2-ratelimit")
-import { middleware, redis, permissions } from "@budibase/backend-core"
+import { middleware, redis } from "@budibase/backend-core"
-const { PermissionType, PermissionLevel } = permissions
 
 const PREFIX = "/api/public/v1"
 // allow a lot more requests when in test
@@ -111,7 +111,7 @@ function applyAdminRoutes(endpoints: any) {
 
 function applyRoutes(
   endpoints: any,
-  permType: string,
+  permType: PermissionType,
   resource: string,
   subResource?: string
 ) {

packages/server/src/api/routes/tests/utilities/TestFunctions.ts

@@ -36,7 +36,10 @@ export const clearAllApps = async (
   exceptions: Array<string> = []
 ) => {
   await tenancy.doInTenant(tenantId, async () => {
-    const req: any = { query: { status: AppStatus.DEV }, user: { tenantId } }
+    const req: any = {
+      query: { status: AppStatus.DEV },
+      user: { tenantId, builder: { global: true } },
+    }
     await appController.fetch(req)
     const apps = req.body
     if (!apps || apps.length <= 0) {

packages/server/src/api/routes/tests/viewV2.spec.ts

@@ -6,6 +6,7 @@ import {
   SortOrder,
   SortType,
   Table,
+  UpdateViewRequest,
   ViewV2,
 } from "@budibase/types"
 import { generator } from "@budibase/backend-core/tests"
@@ -34,20 +35,6 @@ function priceTable(): Table {
 describe("/v2/views", () => {
   const config = setup.getConfig()
 
-  const viewFilters: Omit<CreateViewRequest, "name" | "tableId"> = {
-    query: { allOr: false, equal: { field: "value" } },
-    sort: {
-      field: "fieldToSort",
-      order: SortOrder.DESCENDING,
-      type: SortType.STRING,
-    },
-    schema: {
-      name: {
-        visible: true,
-      },
-    },
-  }
-
   afterAll(setup.afterAll)
 
   beforeAll(async () => {
@@ -70,20 +57,30 @@ describe("/v2/views", () => {
       })
     })
 
-    it("can persist views with queries", async () => {
+    it("can persist views with all fields", async () => {
-      const newView: CreateViewRequest = {
+      const newView: Required<CreateViewRequest> = {
         name: generator.name(),
         tableId: config.table!._id!,
-        query: viewFilters.query,
+        primaryDisplay: generator.word(),
-        sort: viewFilters.sort,
+        query: { allOr: false, equal: { field: "value" } },
+        sort: {
+          field: "fieldToSort",
+          order: SortOrder.DESCENDING,
+          type: SortType.STRING,
+        },
+        schema: {
+          name: {
+            visible: true,
+          },
+        },
       }
-      delete newView.schema
       const res = await config.api.viewV2.create(newView)
 
       expect(res).toEqual({
         ...newView,
-        query: viewFilters.query,
+        schema: undefined,
-        sort: viewFilters.sort,
+        columns: ["name"],
+        schemaUI: newView.schema,
         id: expect.any(String),
         version: 2,
       })
@@ -210,6 +207,46 @@ describe("/v2/views", () => {
       })
     })
 
+    it("can update all fields", async () => {
+      const tableId = config.table!._id!
+
+      const updatedData: Required<UpdateViewRequest> = {
+        version: view.version,
+        id: view.id,
+        tableId,
+        name: view.name,
+        primaryDisplay: generator.word(),
+        query: { equal: { [generator.word()]: generator.word() } },
+        sort: {
+          field: generator.word(),
+          order: SortOrder.DESCENDING,
+          type: SortType.STRING,
+        },
+        schema: {
+          Category: {
+            visible: false,
+          },
+        },
+      }
+      await config.api.viewV2.update(updatedData)
+
+      expect(await config.api.table.get(tableId)).toEqual({
+        ...config.table,
+        views: {
+          [view.name]: {
+            ...updatedData,
+            schema: {
+              Category: expect.objectContaining({
+                visible: false,
+              }),
+            },
+          },
+        },
+        _rev: expect.any(String),
+        updatedAt: expect.any(String),
+      })
+    })
+
     it("can update an existing view name", async () => {
       const tableId = config.table!._id!
       await config.api.viewV2.update({ ...view, name: "View B" })

packages/server/src/app.ts

@@ -15,7 +15,15 @@ import * as api from "./api"
 import * as automations from "./automations"
 import { Thread } from "./threads"
 import * as redis from "./utilities/redis"
-import { events, logging, middleware, timers } from "@budibase/backend-core"
+import { ServiceType } from "@budibase/types"
+import {
+  events,
+  logging,
+  middleware,
+  timers,
+  env as coreEnv,
+} from "@budibase/backend-core"
+coreEnv._set("SERVICE_TYPE", ServiceType.APPS)
 import { startup } from "./startup"
 const Sentry = require("@sentry/node")
 const destroyable = require("server-destroy")

packages/server/src/automations/tests/openai.spec.ts

@@ -22,6 +22,10 @@ jest.mock(
   }))
 )
 
+const mockedOpenAIApi = openai.OpenAIApi as jest.MockedClass<
+  typeof openai.OpenAIApi
+>
+
 const OPENAI_PROMPT = "What is the meaning of life?"
 
 describe("test the openai action", () => {
@@ -68,11 +72,16 @@ describe("test the openai action", () => {
   })
 
   it("should present the correct error message when an error is thrown from the createChatCompletion call", async () => {
-    openai.OpenAIApi.mockImplementation(() => ({
+    mockedOpenAIApi.mockImplementation(
-      createChatCompletion: jest.fn(() => {
+      () =>
-        throw new Error("An error occurred while calling createChatCompletion")
+        ({
-      }),
+          createChatCompletion: jest.fn(() => {
-    }))
+            throw new Error(
+              "An error occurred while calling createChatCompletion"
+            )
+          }),
+        } as any)
+    )
 
     const res = await setup.runStep("OPENAI", {
       prompt: OPENAI_PROMPT,

packages/server/src/db/utils.ts

@@ -3,10 +3,10 @@ import { db as dbCore } from "@budibase/backend-core"
 
 type Optional = string | null
 
-export const AppStatus = {
+export const enum AppStatus {
-  DEV: "development",
+  DEV = "development",
-  ALL: "all",
+  ALL = "all",
-  DEPLOYED: "published",
+  DEPLOYED = "published",
 }
 
 export const BudibaseInternalDB = {

packages/server/src/environment.ts

@@ -1,3 +1,6 @@
+import { env as coreEnv } from "@budibase/backend-core"
+import { ServiceType } from "@budibase/types"
+coreEnv._set("SERVICE_TYPE", ServiceType.APPS)
 import { join } from "path"
 
 function isTest() {

packages/server/src/integrations/postgres.ts

@@ -210,7 +210,7 @@ class PostgresIntegration extends Sql implements DatasourcePlus {
     if (!this.config.schema) {
       this.config.schema = "public"
     }
-    await this.client.query(`SET search_path TO ${this.config.schema}`)
+    await this.client.query(`SET search_path TO "${this.config.schema}"`)
     this.COLUMNS_SQL = `select * from information_schema.columns where table_schema = '${this.config.schema}'`
     this.open = true
   }

packages/server/src/integrations/tests/googlesheets.spec.ts

@@ -30,7 +30,7 @@ GoogleSpreadsheet.mockImplementation(() => mockGoogleIntegration)
 import { structures } from "@budibase/backend-core/tests"
 import TestConfiguration from "../../tests/utilities/TestConfiguration"
 import GoogleSheetsIntegration from "../googlesheets"
-import { FieldType, Table, TableSchema } from "../../../../types/src/documents"
+import { FieldType, Table, TableSchema } from "@budibase/types"
 
 describe("Google Sheets Integration", () => {
   let integration: any,

packages/server/src/middleware/authorized.ts

@@ -1,5 +1,11 @@
-import { roles, permissions, auth, context } from "@budibase/backend-core"
+import {
-import { Role } from "@budibase/types"
+  auth,
+  context,
+  permissions,
+  roles,
+  users,
+} from "@budibase/backend-core"
+import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 
@@ -16,15 +22,20 @@ const csrf = auth.buildCsrfMiddleware()
  * - Otherwise the user must have the required role.
  */
 const checkAuthorized = async (
-  ctx: any,
+  ctx: UserCtx,
   resourceRoles: any,
-  permType: any,
+  permType: PermissionType,
-  permLevel: any
+  permLevel: PermissionLevel
 ) => {
+  const appId = context.getAppId()
+  const isGlobalBuilderApi = permType === PermissionType.GLOBAL_BUILDER
+  const isBuilderApi = permType === PermissionType.BUILDER
+  const globalBuilder = users.isGlobalBuilder(ctx.user)
+  let isBuilder = appId
+    ? users.isBuilder(ctx.user, appId)
+    : users.hasBuilderPermissions(ctx.user)
   // check if this is a builder api and the user is not a builder
-  const isBuilder = ctx.user && ctx.user.builder && ctx.user.builder.global
+  if ((isGlobalBuilderApi && !globalBuilder) || (isBuilderApi && !isBuilder)) {
-  const isBuilderApi = permType === permissions.PermissionType.BUILDER
-  if (isBuilderApi && !isBuilder) {
     return ctx.throw(403, "Not Authorized")
   }
 
@@ -35,10 +46,10 @@ const checkAuthorized = async (
 }
 
 const checkAuthorizedResource = async (
-  ctx: any,
+  ctx: UserCtx,
   resourceRoles: any,
-  permType: any,
+  permType: PermissionType,
-  permLevel: any
+  permLevel: PermissionLevel
 ) => {
   // get the user's roles
   const roleId = ctx.roleId || roles.BUILTIN_ROLE_IDS.PUBLIC
@@ -64,8 +75,8 @@ const checkAuthorizedResource = async (
 }
 
 export default (
-    permType: any,
+    permType: PermissionType,
-    permLevel: any = null,
+    permLevel?: PermissionLevel,
     opts = { schema: false }
   ) =>
   async (ctx: any, next: any) => {
@@ -83,12 +94,12 @@ export default (
     let resourceRoles: any = []
     let otherLevelRoles: any = []
     const otherLevel =
-      permLevel === permissions.PermissionLevel.READ
+      permLevel === PermissionLevel.READ
-        ? permissions.PermissionLevel.WRITE
+        ? PermissionLevel.WRITE
-        : permissions.PermissionLevel.READ
+        : PermissionLevel.READ
     const appId = context.getAppId()
     if (appId && hasResource(ctx)) {
-      resourceRoles = await roles.getRequiredResourceRole(permLevel, ctx)
+      resourceRoles = await roles.getRequiredResourceRole(permLevel!, ctx)
       if (opts && opts.schema) {
         otherLevelRoles = await roles.getRequiredResourceRole(otherLevel, ctx)
       }
@@ -110,13 +121,16 @@ export default (
 
     // check general builder stuff, this middleware is a good way
     // to find API endpoints which are builder focused
-    if (permType === permissions.PermissionType.BUILDER) {
+    if (
+      permType === PermissionType.BUILDER ||
+      permType === PermissionType.GLOBAL_BUILDER
+    ) {
       await builderMiddleware(ctx)
     }
 
     try {
       // check authorized
-      await checkAuthorized(ctx, resourceRoles, permType, permLevel)
+      await checkAuthorized(ctx, resourceRoles, permType, permLevel!)
     } catch (err) {
       // this is a schema, check if
       if (opts && opts.schema && permLevel) {

packages/server/src/middleware/builder.ts

@@ -10,7 +10,7 @@ import {
   setDebounce,
 } from "../utilities/redis"
 import { db as dbCore, cache } from "@budibase/backend-core"
-import { UserCtx, Database, App } from "@budibase/types"
+import { UserCtx, Database } from "@budibase/types"
 
 const DEBOUNCE_TIME_SEC = 30
 

packages/server/src/middleware/currentapp.ts

@@ -4,12 +4,13 @@ import {
   roles,
   tenancy,
   context,
+  users,
 } from "@budibase/backend-core"
 import { generateUserMetadataID, isDevAppID } from "../db/utils"
 import { getCachedSelf } from "../utilities/global"
 import env from "../environment"
 import { isWebhookEndpoint } from "./utils"
-import { UserCtx } from "@budibase/types"
+import { UserCtx, ContextUser } from "@budibase/types"
 
 export default async (ctx: UserCtx, next: any) => {
   // try to get the appID from the request
@@ -23,7 +24,7 @@ export default async (ctx: UserCtx, next: any) => {
     if (
       isDevAppID(requestAppId) &&
       !isWebhookEndpoint(ctx) &&
-      (!ctx.user || !ctx.user.builder || !ctx.user.builder.global)
+      !users.isBuilder(ctx.user, requestAppId)
     ) {
       return ctx.redirect("/")
     }
@@ -42,8 +43,7 @@ export default async (ctx: UserCtx, next: any) => {
     roleId = globalUser.roleId || roleId
 
     // Allow builders to specify their role via a header
-    const isBuilder =
+    const isBuilder = users.isBuilder(globalUser, appId)
-      globalUser && globalUser.builder && globalUser.builder.global
     const isDevApp = appId && isDevAppID(appId)
     const roleHeader =
       ctx.request &&
@@ -56,8 +56,7 @@ export default async (ctx: UserCtx, next: any) => {
           roleId = roleHeader
 
           // Delete admin and builder flags so that the specified role is honoured
-          delete ctx.user.builder
+          ctx.user = users.removePortalUserPermissions(ctx.user) as ContextUser
-          delete ctx.user.admin
         }
       } catch (error) {
         // Swallow error and do nothing
@@ -71,7 +70,6 @@ export default async (ctx: UserCtx, next: any) => {
   }
 
   return context.doInAppContext(appId, async () => {
-    let skipCookie = false
     // if the user not in the right tenant then make sure they have no permissions
     // need to judge this only based on the request app ID,
     if (
@@ -81,12 +79,9 @@ export default async (ctx: UserCtx, next: any) => {
       !tenancy.isUserInAppTenant(requestAppId, ctx.user)
     ) {
       // don't error, simply remove the users rights (they are a public user)
-      delete ctx.user.builder
+      ctx.user = users.cleanseUserObject(ctx.user) as ContextUser
-      delete ctx.user.admin
-      delete ctx.user.roles
       ctx.isAuthenticated = false
       roleId = roles.BUILTIN_ROLE_IDS.PUBLIC
-      skipCookie = true
     }
 
     ctx.appId = appId

packages/server/src/middleware/tests/authorized.spec.js

@@ -9,7 +9,7 @@ jest.mock("../../environment", () => ({
 )
 const authorizedMiddleware = require("../authorized").default
 const env = require("../../environment")
-const { permissions } = require("@budibase/backend-core")
+const { PermissionType, PermissionLevel } = require("@budibase/types")
 
 const APP_ID = ""
 
@@ -112,7 +112,7 @@ describe("Authorization middleware", () => {
     
     it("throws if the user does not have builder permissions", async () => {
       config.setEnvironment(false)
-      config.setMiddlewareRequiredPermission(permissions.PermissionType.BUILDER)
+      config.setMiddlewareRequiredPermission(PermissionType.BUILDER)
       config.setUser({
         role: {
           _id: ""
@@ -124,13 +124,13 @@ describe("Authorization middleware", () => {
     })
 
     it("passes on to next() middleware if the user has resource permission", async () => {
-      config.setResourceId(permissions.PermissionType.QUERY)
+      config.setResourceId(PermissionType.QUERY)
       config.setUser({
         role: {
           _id: ""
         }
       })
-      config.setMiddlewareRequiredPermission(permissions.PermissionType.QUERY)
+      config.setMiddlewareRequiredPermission(PermissionType.QUERY)
 
       await config.executeMiddleware()
       expect(config.next).toHaveBeenCalled()
@@ -154,7 +154,7 @@ describe("Authorization middleware", () => {
           _id: ""
         },
       })
-      config.setMiddlewareRequiredPermission(permissions.PermissionType.ADMIN, permissions.PermissionLevel.BASIC)
+      config.setMiddlewareRequiredPermission(PermissionType.ADMIN, PermissionLevel.BASIC)
       
       await config.executeMiddleware()
       expect(config.throw).toHaveBeenCalledWith(403, "User does not have permission")

packages/server/src/migrations/functions/backfill/global/users.ts

@@ -1,4 +1,8 @@
-import { events, db as dbUtils } from "@budibase/backend-core"
+import {
+  events,
+  db as dbUtils,
+  users as usersCore,
+} from "@budibase/backend-core"
 import { User, CloudAccount } from "@budibase/types"
 import { DEFAULT_TIMESTAMP } from ".."
 
@@ -30,11 +34,11 @@ export const backfill = async (
     await events.identification.identifyUser(user, account, timestamp)
     await events.user.created(user, timestamp)
 
-    if (user.admin?.global) {
+    if (usersCore.hasAdminPermissions(user)) {
       await events.user.permissionAdminAssigned(user, timestamp)
     }
 
-    if (user.builder?.global) {
+    if (usersCore.hasBuilderPermissions(user)) {
       await events.user.permissionBuilderAssigned(user, timestamp)
     }
 

packages/server/src/migrations/tests/index.spec.ts

@@ -17,7 +17,7 @@ tk.freeze(timestamp)
 const clearMigrations = async () => {
   const dbs = [context.getDevAppDB(), context.getProdAppDB()]
   for (const db of dbs) {
-    const doc = await db.get(DocumentType.MIGRATIONS)
+    const doc = await db.get<any>(DocumentType.MIGRATIONS)
     const newDoc = { _id: doc._id, _rev: doc._rev }
     await db.put(newDoc)
   }
@@ -52,7 +52,7 @@ describe("migrations", () => {
         await config.createTable()
         await config.createView()
         await config.createTable()
-        await config.createView(structures.view(config.table._id))
+        await config.createView(structures.view(config.table!._id!))
         await config.createScreen()
         await config.createScreen()
 

packages/server/src/sdk/app/applications/applications.ts

@@ -0,0 +1,50 @@
+import { AppStatus } from "../../../db/utils"
+import { App, ContextUser } from "@budibase/types"
+import { getLocksById } from "../../../utilities/redis"
+import { enrichApps } from "../../users/sessions"
+import { checkAppMetadata } from "../../../automations/logging"
+import { db as dbCore, users } from "@budibase/backend-core"
+
+export function filterAppList(user: ContextUser, apps: App[]) {
+  let appList: string[] = []
+  const roleApps = Object.keys(user.roles || {})
+  if (users.hasAppBuilderPermissions(user)) {
+    appList = user.builder?.apps || []
+    appList = appList.concat(roleApps)
+  } else if (!users.isAdminOrBuilder(user)) {
+    appList = roleApps
+  } else {
+    return apps
+  }
+  return apps.filter(app => appList.includes(dbCore.getProdAppID(app.appId)))
+}
+
+export async function fetch(status: AppStatus, user: ContextUser) {
+  const dev = status === AppStatus.DEV
+  const all = status === AppStatus.ALL
+  let apps = (await dbCore.getAllApps({ dev, all })) as App[]
+  apps = filterAppList(user, apps)
+
+  const appIds = apps
+    .filter((app: any) => app.status === "development")
+    .map((app: any) => app.appId)
+
+  // get the locks for all the dev apps
+  if (dev || all) {
+    const locks = await getLocksById(appIds)
+    for (let app of apps) {
+      const lock = locks[app.appId]
+      if (lock) {
+        app.lockedBy = lock
+      } else {
+        // make sure its definitely not present
+        delete app.lockedBy
+      }
+    }
+  }
+
+  // Enrich apps with all builder user sessions
+  const enrichedApps = await enrichApps(apps)
+
+  return await checkAppMetadata(enrichedApps)
+}

packages/server/src/sdk/app/applications/index.ts

@@ -1,7 +1,9 @@
 import * as sync from "./sync"
 import * as utils from "./utils"
+import * as applications from "./applications"
 
 export default {
   ...sync,
   ...utils,
+  ...applications,
 }

packages/server/src/sdk/app/views/index.ts

@@ -87,6 +87,7 @@ export function enrichSchema(view: View | ViewV2, tableSchema: TableSchema) {
           : schema[fieldName].order,
       }
     }
+    delete view.schemaUI
   }
 
   if (view?.columns?.length) {
@@ -98,6 +99,7 @@ export function enrichSchema(view: View | ViewV2, tableSchema: TableSchema) {
       pickedSchema[fieldName] = { ...schema[fieldName] }
     }
     schema = pickedSchema
+    delete view.columns
   }
 
   return {

packages/server/src/utilities/global.ts

@@ -5,6 +5,7 @@ import {
   cache,
   tenancy,
   context,
+  users,
 } from "@budibase/backend-core"
 import env from "../environment"
 import { groups } from "@budibase/pro"
@@ -22,8 +23,7 @@ export function updateAppRole(
   }
   // if in an multi-tenancy environment make sure roles are never updated
   if (env.MULTI_TENANCY && appId && !tenancy.isUserInAppTenant(appId, user)) {
-    delete user.builder
+    user = users.removePortalUserPermissions(user)
-    delete user.admin
     user.roleId = roles.BUILTIN_ROLE_IDS.PUBLIC
     return user
   }
@@ -32,7 +32,7 @@ export function updateAppRole(
     user.roleId = user.roles[dbCore.getProdAppID(appId)]
   }
   // if a role wasn't found then either set as admin (builder) or public (everyone else)
-  if (!user.roleId && user.builder && user.builder.global) {
+  if (!user.roleId && users.isBuilder(user, appId)) {
     user.roleId = roles.BUILTIN_ROLE_IDS.ADMIN
   } else if (!user.roleId && !user?.userGroups?.length) {
     user.roleId = roles.BUILTIN_ROLE_IDS.PUBLIC

packages/server/src/utilities/rowProcessor/tests/utils.spec.ts

@@ -1,18 +1,19 @@
 import { fixAutoColumnSubType } from "../utils"
 import { AutoFieldDefaultNames, AutoFieldSubTypes } from "../../../constants"
+import { FieldSchema, FieldType, RelationshipType } from "@budibase/types"
 
 describe("rowProcessor utility", () => {
   describe("fixAutoColumnSubType", () => {
-    let schema = {
+    let schema: FieldSchema = {
       name: "",
-      type: "link",
+      type: FieldType.LINK,
       subtype: "", // missing subtype
       icon: "ri-magic-line",
       autocolumn: true,
       constraints: { type: "array", presence: false },
       tableId: "ta_users",
       fieldName: "test-Updated By",
-      relationshipType: "many-to-many",
+      relationshipType: RelationshipType.MANY_TO_MANY,
       sortable: false,
     }
 

packages/server/src/utilities/rowProcessor/utils.ts

@@ -5,7 +5,7 @@ import {
   FormulaTypes,
 } from "../../constants"
 import { processStringSync } from "@budibase/string-templates"
-import { FieldSchema, FieldType, Row, Table } from "@budibase/types"
+import { FieldSchema, Row, Table } from "@budibase/types"
 
 /**
  * If the subtype has been lost for any reason this works out what

packages/server/tsconfig.json

@@ -2,15 +2,12 @@
   "extends": "./tsconfig.build.json",
   "compilerOptions": {
     "composite": true,
-    "declaration": true,
+    "baseUrl": "."
-    "sourceMap": true,
-    "baseUrl": ".",
-    "outDir": "dist"
   },
   "ts-node": {
     "require": ["tsconfig-paths/register"],
     "swc": true
   },
-  "include": ["src/**/*", "specs"],
+  "include": ["src/**/*", "specs", "__mocks__"],
   "exclude": ["node_modules", "dist"]
 }

packages/shared-core/package.json

@@ -2,22 +2,22 @@
   "name": "@budibase/shared-core",
   "version": "0.0.0",
   "description": "Shared data utils",
-  "main": "dist/cjs/src/index.js",
+  "main": "src/index.ts",
-  "types": "dist/mjs/src/index.d.ts",
+  "types": "src/index.ts",
   "exports": {
     ".": {
-      "import": "./dist/mjs/src/index.js",
+      "import": "./dist/index.js",
-      "require": "./dist/cjs/src/index.js"
+      "require": "./src/index.ts"
-    },
+    }
-    "./package.json": "./dist/mjs/package.json"
   },
   "author": "Budibase",
   "license": "GPL-3.0",
   "scripts": {
     "prebuild": "rimraf dist/",
-    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig-cjs.build.json",
+    "build": "tsc -p tsconfig.build.json",
     "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
-    "dev:builder": "yarn prebuild && concurrently \"tsc -p tsconfig.build.json --watch\" \"tsc -p tsconfig-cjs.build.json --watch\""
+    "dev:builder": "yarn prebuild && tsc -p tsconfig.json --watch --preserveWatchOutput",
+    "check:types": "tsc -p tsconfig.json --noEmit --paths null"
   },
   "dependencies": {
     "@budibase/types": "0.0.0"
@@ -26,19 +26,5 @@
     "concurrently": "^7.6.0",
     "rimraf": "3.0.2",
     "typescript": "4.7.3"
-  },
-  "nx": {
-    "targets": {
-      "build": {
-        "dependsOn": [
-          {
-            "projects": [
-              "@budibase/types"
-            ],
-            "target": "build"
-          }
-        ]
-      }
-    }
   }
 }

packages/shared-core/src/index.ts

@@ -2,3 +2,4 @@ export * from "./constants"
 export * as dataFilters from "./filters"
 export * as helpers from "./helpers"
 export * as utils from "./utils"
+export * as sdk from "./sdk"

packages/shared-core/src/sdk/documents/applications.ts

@@ -0,0 +1,35 @@
+import { DocumentType, prefixed } from "@budibase/types"
+
+const APP_PREFIX = prefixed(DocumentType.APP)
+const APP_DEV_PREFIX = prefixed(DocumentType.APP_DEV)
+
+export function getDevAppID(appId: string) {
+  if (!appId) {
+    throw new Error("No app ID provided")
+  }
+  if (appId.startsWith(APP_DEV_PREFIX)) {
+    return appId
+  }
+  // split to take off the app_ element, then join it together incase any other app_ exist
+  const split = appId.split(APP_PREFIX)
+  split.shift()
+  const rest = split.join(APP_PREFIX)
+  return `${APP_DEV_PREFIX}${rest}`
+}
+
+/**
+ * Convert a development app ID to a deployed app ID.
+ */
+export function getProdAppID(appId: string) {
+  if (!appId) {
+    throw new Error("No app ID provided")
+  }
+  if (!appId.startsWith(APP_DEV_PREFIX)) {
+    return appId
+  }
+  // split to take off the app_dev element, then join it together incase any other app_ exist
+  const split = appId.split(APP_DEV_PREFIX)
+  split.shift()
+  const rest = split.join(APP_DEV_PREFIX)
+  return `${APP_PREFIX}${rest}`
+}

packages/shared-core/src/sdk/documents/index.ts

@@ -0,0 +1,2 @@
+export * as applications from "./applications"
+export * as users from "./users"

packages/shared-core/src/sdk/documents/users.ts

@@ -0,0 +1,62 @@
+import { ContextUser, User } from "@budibase/types"
+import { getProdAppID } from "./applications"
+
+// checks if a user is specifically a builder, given an app ID
+export function isBuilder(user: User | ContextUser, appId?: string): boolean {
+  if (!user) {
+    return false
+  }
+  if (user.builder?.global) {
+    return true
+  } else if (appId && user.builder?.apps?.includes(getProdAppID(appId))) {
+    return true
+  }
+  return false
+}
+
+export function isGlobalBuilder(user: User | ContextUser): boolean {
+  return (isBuilder(user) && !hasAppBuilderPermissions(user)) || isAdmin(user)
+}
+
+// alias for hasAdminPermission, currently do the same thing
+// in future whether someone has admin permissions and whether they are
+// an admin for a specific resource could be separated
+export function isAdmin(user: User | ContextUser): boolean {
+  if (!user) {
+    return false
+  }
+  return hasAdminPermissions(user)
+}
+
+export function isAdminOrBuilder(
+  user: User | ContextUser,
+  appId?: string
+): boolean {
+  return isBuilder(user, appId) || isAdmin(user)
+}
+
+// check if they are a builder within an app (not necessarily a global builder)
+export function hasAppBuilderPermissions(user?: User | ContextUser): boolean {
+  if (!user) {
+    return false
+  }
+  const appLength = user.builder?.apps?.length
+  const isGlobalBuilder = !!user.builder?.global
+  return !isGlobalBuilder && appLength != null && appLength > 0
+}
+
+// checks if a user is capable of building any app
+export function hasBuilderPermissions(user?: User | ContextUser): boolean {
+  if (!user) {
+    return false
+  }
+  return user.builder?.global || hasAppBuilderPermissions(user)
+}
+
+// checks if a user is capable of being an admin
+export function hasAdminPermissions(user?: User | ContextUser): boolean {
+  if (!user) {
+    return false
+  }
+  return !!user.admin?.global
+}

packages/shared-core/src/sdk/index.ts

@@ -0,0 +1 @@
+export * from "./documents"

packages/shared-core/tsconfig-base.build.json

@@ -1,25 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "es6",
-    "moduleResolution": "node",
-    "lib": ["es2020"],
-    "strict": true,
-    "noImplicitAny": true,
-    "esModuleInterop": true,
-    "resolveJsonModule": true,
-    "incremental": true,
-    "sourceMap": true,
-    "declaration": true,
-    "types": ["node"],
-    "outDir": "dist",
-    "skipLibCheck": true
-  },
-  "include": ["**/*.js", "**/*.ts"],
-  "exclude": [
-    "node_modules",
-    "dist",
-    "**/*.spec.ts",
-    "**/*.spec.js",
-    "__mocks__"
-  ]
-}

packages/shared-core/tsconfig-cjs.build.json

@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig-base.build.json",
-  "compilerOptions": {
-    "module": "commonjs",
-    "outDir": "dist/cjs/src",
-    "target": "es2015"
-  }
-}