Merge pull request #14476 from Budibase/feat/row-action-view-security

Row action view security
2024-09-03 10:22:32 +02:00 · 2024-09-03 10:22:32 +02:00 · 8702ccd7fe
parent 1005b83fd5 1be8289677
commit 8702ccd7fe
12 changed files with 603 additions and 84 deletions
--- a/packages/backend-core/src/docIds/params.ts
+++ b/packages/backend-core/src/docIds/params.ts
@ -71,7 +71,7 @@ export function getQueryIndex(viewName: ViewName) {
 export const isTableId = (id: string) => {
  // this includes datasource plus tables
  return (
-    id &&
+    !!id &&
    (id.startsWith(`${DocumentType.TABLE}${SEPARATOR}`) ||
      id.startsWith(`${DocumentType.DATASOURCE_PLUS}${SEPARATOR}`))
  )
--- a/packages/server/src/api/controllers/rowAction/crud.ts
+++ b/packages/server/src/api/controllers/rowAction/crud.ts
@ -26,7 +26,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
    return
  }

-  const { actions } = await sdk.rowActions.get(table._id!)
+  const { actions } = await sdk.rowActions.getAll(table._id!)
  const result: RowActionsResponse = {
    actions: Object.entries(actions).reduce<Record<string, RowActionResponse>>(
      (acc, [key, action]) => ({
@ -36,6 +36,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
          tableId: table._id!,
          name: action.name,
          automationId: action.automationId,
+          allowedViews: flattenAllowedViews(action.permissions.views),
        },
      }),
      {}
@ -58,6 +59,7 @@ export async function create(
    id: createdAction.id,
    name: createdAction.name,
    automationId: createdAction.automationId,
+    allowedViews: undefined,
  }
  ctx.status = 201
 }
@ -77,6 +79,7 @@ export async function update(
    id: action.id,
    name: action.name,
    automationId: action.automationId,
+    allowedViews: undefined,
  }
 }

@ -87,3 +90,53 @@ export async function remove(ctx: Ctx<void, void>) {
  await sdk.rowActions.remove(table._id!, actionId)
  ctx.status = 204
 }
+
+export async function setViewPermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const { actionId, viewId } = ctx.params
+
+  const action = await sdk.rowActions.setViewPermission(
+    table._id!,
+    actionId,
+    viewId
+  )
+  ctx.body = {
+    tableId: table._id!,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedViews: flattenAllowedViews(action.permissions.views),
+  }
+}
+
+export async function unsetViewPermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const { actionId, viewId } = ctx.params
+
+  const action = await sdk.rowActions.unsetViewPermission(
+    table._id!,
+    actionId,
+    viewId
+  )
+
+  ctx.body = {
+    tableId: table._id!,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedViews: flattenAllowedViews(action.permissions.views),
+  }
+}
+
+function flattenAllowedViews(
+  permissions: Record<string, { runAllowed: boolean }>
+) {
+  const allowedPermissions = Object.entries(permissions || {})
+    .filter(([_, p]) => p.runAllowed)
+    .map(([viewId]) => viewId)
+  if (!allowedPermissions.length) {
+    return undefined
+  }
+
+  return allowedPermissions
+}
--- a/packages/server/src/api/routes/rowAction.ts
+++ b/packages/server/src/api/routes/rowAction.ts
@ -2,9 +2,10 @@ import Router from "@koa/router"
 import Joi from "joi"
 import { middleware, permissions } from "@budibase/backend-core"
 import * as rowActionController from "../controllers/rowAction"
-import { authorizedResource } from "../../middleware/authorized"
+import authorized from "../../middleware/authorized"
+import { triggerRowActionAuthorised } from "../../middleware/triggerRowActionAuthorised"

-const { PermissionLevel, PermissionType } = permissions
+const { BUILDER } = permissions

 function rowActionValidator() {
  return middleware.joiValidator.body(
@ -30,32 +31,42 @@ const router: Router = new Router()
 router
  .get(
    "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
    rowActionController.find
  )
  .post(
    "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
    rowActionValidator(),
    rowActionController.create
  )
  .put(
    "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
    rowActionValidator(),
    rowActionController.update
  )
  .delete(
    "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
    rowActionController.remove
  )
+  .post(
+    "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
+    authorized(BUILDER),
+    rowActionController.setViewPermission
+  )
+  .delete(
+    "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
+    authorized(BUILDER),
+    rowActionController.unsetViewPermission
+  )

  // Other endpoints
  .post(
-    "/api/tables/:tableId/actions/:actionId/trigger",
+    "/api/tables/:sourceId/actions/:actionId/trigger",
    rowTriggerValidator(),
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    triggerRowActionAuthorised("sourceId", "actionId"),
    rowActionController.run
  )

--- a/packages/server/src/api/routes/tests/rowAction.spec.ts
+++ b/packages/server/src/api/routes/tests/rowAction.spec.ts
@ -4,10 +4,15 @@ import tk from "timekeeper"
 import {
  CreateRowActionRequest,
  DocumentType,
+  PermissionLevel,
+  Row,
  RowActionResponse,
 } from "@budibase/types"
 import * as setup from "./utilities"
 import { generator } from "@budibase/backend-core/tests"
+import { Expectations } from "../../../tests/utilities/api/base"
+import { roles } from "@budibase/backend-core"
+import { automations } from "@budibase/pro"

 const expectAutomationId = () =>
  expect.stringMatching(`^${DocumentType.AUTOMATION}_.+`)
@ -43,11 +48,14 @@ describe("/rowsActions", () => {
      .map(name => ({ name }))
  }

-  function unauthorisedTests() {
+  function unauthorisedTests(
+    apiDelegate: (
+      expectations: Expectations,
+      testConfig?: { publicUser?: boolean }
+    ) => Promise<any>
+  ) {
    it("returns unauthorised (401) for unauthenticated requests", async () => {
-      await createRowAction(
-        tableId,
-        createRowActionRequest(),
+      await apiDelegate(
        {
          status: 401,
          body: {
@ -65,6 +73,35 @@ describe("/rowsActions", () => {
      await config.withUser(user, async () => {
        await createRowAction(generator.guid(), createRowActionRequest(), {
          status: 403,
+          body: {
+            message: "Not Authorized",
+          },
+        })
+      })
+    })
+
+    it("returns forbidden (403) for non-builder users even if they have table write permissions", async () => {
+      const user = await config.createUser({
+        builder: {},
+      })
+      const tableId = generator.guid()
+      for (const role of Object.values(roles.BUILTIN_ROLE_IDS)) {
+        await config.api.permission.add({
+          roleId: role,
+          resourceId: tableId,
+          level: PermissionLevel.EXECUTE,
+        })
+      }
+
+      // replicate changes before checking permissions
+      await config.publish()
+
+      await config.withUser(user, async () => {
+        await createRowAction(tableId, createRowActionRequest(), {
+          status: 403,
+          body: {
+            message: "Not Authorized",
+          },
        })
      })
    })
@ -77,7 +114,14 @@ describe("/rowsActions", () => {
  }

  describe("create", () => {
-    unauthorisedTests()
+    unauthorisedTests((expectations, testConfig) =>
+      createRowAction(
+        tableId,
+        createRowActionRequest(),
+        expectations,
+        testConfig
+      )
+    )

    it("creates new row actions for tables without existing actions", async () => {
      const rowAction = createRowActionRequest()
@ -106,7 +150,7 @@ describe("/rowsActions", () => {

    it("trims row action names", async () => {
      const name = "   action  name  "
-      const res = await createRowAction(tableId, { name }, { status: 201 })
+      const res = await createRowAction(tableId, { name })

      expect(res).toEqual(
        expect.objectContaining({
@ -174,9 +218,7 @@ describe("/rowsActions", () => {
        id: generator.guid(),
        valueToIgnore: generator.string(),
      }
-      const res = await createRowAction(tableId, dirtyRowAction, {
-        status: 201,
-      })
+      const res = await createRowAction(tableId, dirtyRowAction)

      expect(res).toEqual({
        name: rowAction.name,
@ -239,15 +281,17 @@ describe("/rowsActions", () => {
      const action2 = await createRowAction(tableId, createRowActionRequest())

      for (const automationId of [action1.automationId, action2.automationId]) {
-        expect(
-          await config.api.automation.get(automationId, { status: 200 })
-        ).toEqual(expect.objectContaining({ _id: automationId }))
+        expect(await config.api.automation.get(automationId)).toEqual(
+          expect.objectContaining({ _id: automationId })
+        )
      }
    })
  })

  describe("find", () => {
-    unauthorisedTests()
+    unauthorisedTests((expectations, testConfig) =>
+      config.api.rowAction.find(tableId, expectations, testConfig)
+    )

    it("returns only the actions for the requested table", async () => {
      const rowActions: RowActionResponse[] = []
@ -279,7 +323,15 @@ describe("/rowsActions", () => {
  })

  describe("update", () => {
-    unauthorisedTests()
+    unauthorisedTests((expectations, testConfig) =>
+      config.api.rowAction.update(
+        tableId,
+        generator.guid(),
+        createRowActionRequest(),
+        expectations,
+        testConfig
+      )
+    )

    it("can update existing actions", async () => {
      for (const rowAction of createRowActionRequests(3)) {
@ -320,13 +372,7 @@ describe("/rowsActions", () => {
    })

    it("trims row action names", async () => {
-      const rowAction = await createRowAction(
-        tableId,
-        createRowActionRequest(),
-        {
-          status: 201,
-        }
-      )
+      const rowAction = await createRowAction(tableId, createRowActionRequest())

      const res = await config.api.rowAction.update(tableId, rowAction.id, {
        name: "   action  name  ",
@ -398,7 +444,14 @@ describe("/rowsActions", () => {
  })

  describe("delete", () => {
-    unauthorisedTests()
+    unauthorisedTests((expectations, testConfig) =>
+      config.api.rowAction.delete(
+        tableId,
+        generator.guid(),
+        expectations,
+        testConfig
+      )
+    )

    it("can delete existing actions", async () => {
      const actions: RowActionResponse[] = []
@ -462,4 +515,232 @@ describe("/rowsActions", () => {
      }
    })
  })
+
+  describe("set/unsetViewPermission", () => {
+    describe.each([
+      ["setViewPermission", config.api.rowAction.setViewPermission],
+      ["unsetViewPermission", config.api.rowAction.unsetViewPermission],
+    ])("unauthorisedTests for %s", (__, delegateTest) => {
+      unauthorisedTests((expectations, testConfig) =>
+        delegateTest(
+          tableId,
+          generator.guid(),
+          generator.guid(),
+          expectations,
+          testConfig
+        )
+      )
+    })
+
+    let tableIdForDescribe: string
+    let actionId1: string, actionId2: string
+    let viewId1: string, viewId2: string
+    beforeAll(async () => {
+      tableIdForDescribe = tableId
+      for (const rowAction of createRowActionRequests(3)) {
+        await createRowAction(tableId, rowAction)
+      }
+      const persisted = await config.api.rowAction.find(tableId)
+
+      const actions = _.sampleSize(Object.keys(persisted.actions), 2)
+      actionId1 = actions[0]
+      actionId2 = actions[1]
+
+      viewId1 = (
+        await config.api.viewV2.create(
+          setup.structures.viewV2.createRequest(tableId)
+        )
+      ).id
+      viewId2 = (
+        await config.api.viewV2.create(
+          setup.structures.viewV2.createRequest(tableId)
+        )
+      ).id
+    })
+
+    beforeEach(() => {
+      // Hack to reuse tables for these given tests
+      tableId = tableIdForDescribe
+    })
+
+    it("can set permission views", async () => {
+      await config.api.rowAction.setViewPermission(tableId, viewId1, actionId1)
+      const action1Result = await config.api.rowAction.setViewPermission(
+        tableId,
+        viewId2,
+        actionId1
+      )
+      const action2Result = await config.api.rowAction.setViewPermission(
+        tableId,
+        viewId1,
+        actionId2
+      )
+
+      const expectedAction1 = expect.objectContaining({
+        allowedViews: [viewId1, viewId2],
+      })
+      const expectedAction2 = expect.objectContaining({
+        allowedViews: [viewId1],
+      })
+
+      const expectedActions = expect.objectContaining({
+        [actionId1]: expectedAction1,
+        [actionId2]: expectedAction2,
+      })
+      expect(action1Result).toEqual(expectedAction1)
+      expect(action2Result).toEqual(expectedAction2)
+      expect((await config.api.rowAction.find(tableId)).actions).toEqual(
+        expectedActions
+      )
+    })
+
+    it("can unset permission views", async () => {
+      const actionResult = await config.api.rowAction.unsetViewPermission(
+        tableId,
+        viewId1,
+        actionId1
+      )
+
+      const expectedAction = expect.objectContaining({
+        allowedViews: [viewId2],
+      })
+      expect(actionResult).toEqual(expectedAction)
+      expect(
+        (await config.api.rowAction.find(tableId)).actions[actionId1]
+      ).toEqual(expectedAction)
+    })
+
+    it.each([
+      ["setViewPermission", config.api.rowAction.setViewPermission],
+      ["unsetViewPermission", config.api.rowAction.unsetViewPermission],
+    ])(
+      "cannot update permission views for unexisting views (%s)",
+      async (__, delegateTest) => {
+        const viewId = generator.guid()
+
+        await delegateTest(tableId, viewId, actionId1, {
+          status: 400,
+          body: {
+            message: `View '${viewId}' not found in '${tableId}'`,
+          },
+        })
+      }
+    )
+
+    it.each([
+      ["setViewPermission", config.api.rowAction.setViewPermission],
+      ["unsetViewPermission", config.api.rowAction.unsetViewPermission],
+    ])(
+      "cannot update permission views crossing table views (%s)",
+      async (__, delegateTest) => {
+        const anotherTable = await config.api.table.save(
+          setup.structures.basicTable()
+        )
+        const { id: viewId } = await config.api.viewV2.create(
+          setup.structures.viewV2.createRequest(anotherTable._id!)
+        )
+
+        await delegateTest(tableId, viewId, actionId1, {
+          status: 400,
+          body: {
+            message: `View '${viewId}' not found in '${tableId}'`,
+          },
+        })
+      }
+    )
+  })
+
+  describe("trigger", () => {
+    let row: Row
+    let rowAction: RowActionResponse
+
+    beforeEach(async () => {
+      row = await config.api.row.save(tableId, {})
+      rowAction = await createRowAction(tableId, createRowActionRequest())
+
+      await config.publish()
+      tk.travel(Date.now() + 100)
+    })
+
+    async function getAutomationLogs() {
+      const { data: automationLogs } = await config.doInContext(
+        config.getProdAppId(),
+        async () =>
+          automations.logs.logSearch({ startDate: new Date().toISOString() })
+      )
+      return automationLogs
+    }
+
+    it("can trigger an automation given valid data", async () => {
+      await config.api.rowAction.trigger(tableId, rowAction.id, {
+        rowId: row._id!,
+      })
+
+      const automationLogs = await getAutomationLogs()
+      expect(automationLogs).toEqual([
+        expect.objectContaining({
+          automationId: rowAction.automationId,
+          trigger: expect.objectContaining({
+            outputs: {
+              fields: {},
+              row: await config.api.row.get(tableId, row._id!),
+              table: await config.api.table.get(tableId),
+            },
+          }),
+        }),
+      ])
+    })
+
+    it("rejects triggering from a non-allowed view", async () => {
+      const viewId = (
+        await config.api.viewV2.create(
+          setup.structures.viewV2.createRequest(tableId)
+        )
+      ).id
+
+      await config.publish()
+      await config.api.rowAction.trigger(
+        viewId,
+        rowAction.id,
+        {
+          rowId: row._id!,
+        },
+        {
+          status: 403,
+          body: {
+            message: `Row action '${rowAction.id}' is not enabled for view '${viewId}'`,
+          },
+        }
+      )
+
+      const automationLogs = await getAutomationLogs()
+      expect(automationLogs).toEqual([])
+    })
+
+    it("triggers from an allowed view", async () => {
+      const viewId = (
+        await config.api.viewV2.create(
+          setup.structures.viewV2.createRequest(tableId)
+        )
+      ).id
+
+      await config.api.rowAction.setViewPermission(
+        tableId,
+        viewId,
+        rowAction.id
+      )
+
+      await config.publish()
+      await config.api.rowAction.trigger(viewId, rowAction.id, {
+        rowId: row._id!,
+      })
+
+      const automationLogs = await getAutomationLogs()
+      expect(automationLogs).toEqual([
+        expect.objectContaining({
+          automationId: rowAction.automationId,
+        }),
+      ])
+    })
+  })
 })
--- a/packages/server/src/middleware/triggerRowActionAuthorised.ts
+++ b/packages/server/src/middleware/triggerRowActionAuthorised.ts
@ -0,0 +1,45 @@
+import { Next } from "koa"
+import { Ctx } from "@budibase/types"
+import { paramSubResource } from "./resourceId"
+import { docIds } from "@budibase/backend-core"
+import * as utils from "../db/utils"
+import sdk from "../sdk"
+
+export function triggerRowActionAuthorised(
+  sourcePath: string,
+  actionPath: string
+) {
+  return async (ctx: Ctx, next: Next) => {
+    // Reusing the existing middleware to extract the value
+    paramSubResource(sourcePath, actionPath)(ctx, () => {})
+    const { resourceId: sourceId, subResourceId: rowActionId } = ctx
+
+    const isTableId = docIds.isTableId(sourceId)
+    const isViewId = utils.isViewID(sourceId)
+    if (!isTableId && !isViewId) {
+      ctx.throw(400, `'${sourceId}' is not a valid source id`)
+    }
+
+    const tableId = isTableId
+      ? sourceId
+      : utils.extractViewInfoFromID(sourceId).tableId
+
+    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
+
+    if (isTableId && !rowAction.permissions.table.runAllowed) {
+      ctx.throw(
+        403,
+        `Row action '${rowActionId}' is not enabled for table '${sourceId}'`
+      )
+    } else if (isViewId && !rowAction.permissions.views[sourceId]?.runAllowed) {
+      ctx.throw(
+        403,
+        `Row action '${rowActionId}' is not enabled for view '${sourceId}'`
+      )
+    }
+
+    // Enrich tableId
+    ctx.params.tableId = tableId
+    return next()
+  }
+}
--- a/packages/server/src/sdk/app/automations/utils.ts
+++ b/packages/server/src/sdk/app/automations/utils.ts
@ -29,7 +29,7 @@ export async function getBuilderData(
  const rowActionNameCache: Record<string, TableRowActions> = {}
  async function getRowActionName(tableId: string, rowActionId: string) {
    if (!rowActionNameCache[tableId]) {
-      rowActionNameCache[tableId] = await sdk.rowActions.get(tableId)
+      rowActionNameCache[tableId] = await sdk.rowActions.getAll(tableId)
    }

    return rowActionNameCache[tableId].actions[rowActionId]?.name
--- a/packages/server/src/sdk/app/rowActions.ts
+++ b/packages/server/src/sdk/app/rowActions.ts
@ -1,12 +1,11 @@
 import { context, HTTPError, utils } from "@budibase/backend-core"
-
 import {
  AutomationTriggerStepId,
  SEPARATOR,
  TableRowActions,
  VirtualDocumentType,
 } from "@budibase/types"
-import { generateRowActionsID } from "../../db/utils"
+import { generateRowActionsID, isViewID } from "../../db/utils"
 import automations from "./automations"
 import { definitions as TRIGGER_DEFINITIONS } from "../../automations/triggerInfo"
 import * as triggers from "../../automations/triggers"
@ -75,6 +74,10 @@ export async function create(tableId: string, rowAction: { name: string }) {
  doc.actions[newRowActionId] = {
    name: action.name,
    automationId: automation._id!,
+    permissions: {
+      table: { runAllowed: true },
+      views: {},
+    },
  }
  await db.put(doc)

@ -84,7 +87,19 @@ export async function create(tableId: string, rowAction: { name: string }) {
  }
 }

-export async function get(tableId: string) {
+export async function get(tableId: string, rowActionId: string) {
+  const actionsDoc = await getAll(tableId)
+  const rowAction = actionsDoc?.actions[rowActionId]
+  if (!rowAction) {
+    throw new HTTPError(
+      `Row action '${rowActionId}' not found in '${tableId}'`,
+      400
+    )
+  }
+  return rowAction
+}
+
+export async function getAll(tableId: string) {
  const db = context.getAppDB()
  const rowActionsId = generateRowActionsID(tableId)
  return await db.get<TableRowActions>(rowActionsId)
@ -97,41 +112,15 @@ export async function docExists(tableId: string) {
  return result
 }

-export async function update(
+async function updateDoc(
  tableId: string,
  rowActionId: string,
-  rowAction: { name: string }
+  transformer: (
+    tableRowActions: TableRowActions
+  ) => TableRowActions | Promise<TableRowActions>
 ) {
-  const action = { name: rowAction.name.trim() }
-  const actionsDoc = await get(tableId)
-
-  if (!actionsDoc.actions[rowActionId]) {
-    throw new HTTPError(
-      `Row action '${rowActionId}' not found in '${tableId}'`,
-      400
-    )
-  }
-
-  ensureUniqueAndThrow(actionsDoc, action.name, rowActionId)
-
-  actionsDoc.actions[rowActionId] = {
-    automationId: actionsDoc.actions[rowActionId].automationId,
-    ...action,
-  }
-
-  const db = context.getAppDB()
-  await db.put(actionsDoc)
-
-  return {
-    id: rowActionId,
-    ...actionsDoc.actions[rowActionId],
-  }
-}
-
-export async function remove(tableId: string, rowActionId: string) {
-  const actionsDoc = await get(tableId)
-
-  const rowAction = actionsDoc.actions[rowActionId]
+  const actionsDoc = await getAll(tableId)
+  const rowAction = actionsDoc?.actions[rowActionId]
  if (!rowAction) {
    throw new HTTPError(
      `Row action '${rowActionId}' not found in '${tableId}'`,
@ -139,13 +128,76 @@ export async function remove(tableId: string, rowActionId: string) {
    )
  }

-  const { automationId } = rowAction
-  const automation = await automations.get(automationId)
-  await automations.remove(automation._id, automation._rev)
-  delete actionsDoc.actions[rowActionId]
+  const updated = await transformer(actionsDoc)

  const db = context.getAppDB()
-  await db.put(actionsDoc)
+  await db.put(updated)
+
+  return {
+    id: rowActionId,
+    ...updated.actions[rowActionId],
+  }
+}
+
+export async function update(
+  tableId: string,
+  rowActionId: string,
+  rowActionData: { name: string }
+) {
+  const newName = rowActionData.name.trim()
+
+  return await updateDoc(tableId, rowActionId, actionsDoc => {
+    ensureUniqueAndThrow(actionsDoc, newName, rowActionId)
+    actionsDoc.actions[rowActionId].name = newName
+    return actionsDoc
+  })
+}
+
+async function guardView(tableId: string, viewId: string) {
+  let view
+  if (isViewID(viewId)) {
+    view = await sdk.views.get(viewId)
+  }
+  if (!view || view.tableId !== tableId) {
+    throw new HTTPError(`View '${viewId}' not found in '${tableId}'`, 400)
+  }
+}
+
+export async function setViewPermission(
+  tableId: string,
+  rowActionId: string,
+  viewId: string
+) {
+  await guardView(tableId, viewId)
+  return await updateDoc(tableId, rowActionId, async actionsDoc => {
+    actionsDoc.actions[rowActionId].permissions.views[viewId] = {
+      runAllowed: true,
+    }
+    return actionsDoc
+  })
+}
+
+export async function unsetViewPermission(
+  tableId: string,
+  rowActionId: string,
+  viewId: string
+) {
+  await guardView(tableId, viewId)
+  return await updateDoc(tableId, rowActionId, async actionsDoc => {
+    delete actionsDoc.actions[rowActionId].permissions.views[viewId]
+    return actionsDoc
+  })
+}
+
+export async function remove(tableId: string, rowActionId: string) {
+  return await updateDoc(tableId, rowActionId, async actionsDoc => {
+    const { automationId } = actionsDoc.actions[rowActionId]
+    const automation = await automations.get(automationId)
+    await automations.remove(automation._id, automation._rev)
+
+    delete actionsDoc.actions[rowActionId]
+    return actionsDoc
+  })
 }

 export async function run(tableId: any, rowActionId: any, rowId: string) {
@ -154,7 +206,7 @@ export async function run(tableId: any, rowActionId: any, rowId: string) {
    throw new HTTPError("Table not found", 404)
  }

-  const { actions } = await get(tableId)
+  const { actions } = await getAll(tableId)

  const rowAction = actions[rowActionId]
  if (!rowAction) {
--- a/packages/server/src/tests/utilities/api/base.ts
+++ b/packages/server/src/tests/utilities/api/base.ts
@ -40,6 +40,7 @@ export interface RequestOpts {
  >
  expectations?: Expectations
  publicUser?: boolean
+  useProdApp?: boolean
 }

 export abstract class TestAPI {
@ -107,8 +108,12 @@ export abstract class TestAPI {
    }

    const headersFn = publicUser
-      ? this.config.publicHeaders.bind(this.config)
-      : this.config.defaultHeaders.bind(this.config)
+      ? (_extras = {}) =>
+          this.config.publicHeaders.bind(this.config)({
+            prodApp: opts?.useProdApp,
+          })
+      : (extras = {}) =>
+          this.config.defaultHeaders.bind(this.config)(extras, opts?.useProdApp)

    const app = getServer()
    let req = request(app)[method](url)
--- a/packages/server/src/tests/utilities/api/rowAction.ts
+++ b/packages/server/src/tests/utilities/api/rowAction.ts
@ -2,6 +2,7 @@ import {
  CreateRowActionRequest,
  RowActionResponse,
  RowActionsResponse,
+  RowActionTriggerRequest,
 } from "@budibase/types"
 import { Expectations, TestAPI } from "./base"

@ -17,8 +18,8 @@ export class RowActionAPI extends TestAPI {
      {
        body: rowAction,
        expectations: {
+          status: 201,
          ...expectations,
-          status: expectations?.status || 201,
        },
        ...config,
      }
@ -70,4 +71,59 @@ export class RowActionAPI extends TestAPI {
      }
    )
  }
+
+  setViewPermission = async (
+    tableId: string,
+    viewId: string,
+    rowActionId: string,
+    expectations?: Expectations,
+    config?: { publicUser?: boolean }
+  ) => {
+    return await this._post<RowActionResponse>(
+      `/api/tables/${tableId}/actions/${rowActionId}/permissions/${viewId}`,
+      {
+        expectations: {
+          status: 200,
+          ...expectations,
+        },
+        ...config,
+      }
+    )
+  }
+
+  unsetViewPermission = async (
+    tableId: string,
+    viewId: string,
+    rowActionId: string,
+    expectations?: Expectations,
+    config?: { publicUser?: boolean }
+  ) => {
+    return await this._delete<RowActionResponse>(
+      `/api/tables/${tableId}/actions/${rowActionId}/permissions/${viewId}`,
+      {
+        expectations: {
+          status: 200,
+          ...expectations,
+        },
+        ...config,
+      }
+    )
+  }
+
+  trigger = async (
+    tableId: string,
+    rowActionId: string,
+    body: RowActionTriggerRequest,
+    expectations?: Expectations,
+    config?: { publicUser?: boolean; useProdApp?: boolean }
+  ) => {
+    return await this._post<RowActionResponse>(
+      `/api/tables/${tableId}/actions/${rowActionId}/trigger`,
+      {
+        body,
+        expectations,
+        ...{ ...config, useProdApp: config?.useProdApp ?? true },
+      }
+    )
+  }
 }
--- a/packages/server/src/tests/utilities/structures.ts
+++ b/packages/server/src/tests/utilities/structures.ts
@ -30,6 +30,7 @@ import {
  BBReferenceFieldSubType,
  JsonFieldSubType,
  AutoFieldSubType,
+  CreateViewRequest,
 } from "@budibase/types"
 import { LoopInput } from "../../definitions/automations"
 import { merge } from "lodash"
@ -145,6 +146,17 @@ export function view(tableId: string) {
  }
 }

+function viewV2CreateRequest(tableId: string): CreateViewRequest {
+  return {
+    tableId,
+    name: generator.guid(),
+  }
+}
+
+export const viewV2 = {
+  createRequest: viewV2CreateRequest,
+}
+
 export function automationStep(
  actionDefinition = BUILTIN_ACTION_DEFINITIONS.CREATE_ROW
 ): AutomationStep {
--- a/packages/types/src/api/web/app/rowAction.ts
+++ b/packages/types/src/api/web/app/rowAction.ts
@ -8,6 +8,7 @@ export interface RowActionResponse extends RowActionData {
  id: string
  tableId: string
  automationId: string
+  allowedViews: string[] | undefined
 }

 export interface RowActionsResponse {
--- a/packages/types/src/documents/app/rowAction.ts
+++ b/packages/types/src/documents/app/rowAction.ts
@ -2,11 +2,14 @@ import { Document } from "../document"

 export interface TableRowActions extends Document {
  _id: string
-  actions: Record<
-    string,
-    {
-      name: string
-      automationId: string
-    }
-  >
+  actions: Record<string, RowActionData>
+}
+
+export interface RowActionData {
+  name: string
+  automationId: string
+  permissions: {
+    table: { runAllowed: boolean }
+    views: Record<string, { runAllowed: boolean }>
+  }
 }