MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14476 from Budibase/feat/row-action-view-security 

Row action view security
This commit is contained in:
Adria Navarro 2024-09-03 10:22:32 +02:00 committed by GitHub
parent 1005b83fd5 1be8289677
commit 8702ccd7fe
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 603 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/backend-core/src/docIds/params.ts
View File

@ -71,7 +71,7 @@ export function getQueryIndex(viewName: ViewName) {
export const isTableId = (id: string) => { export const isTableId = (id: string) => {
// this includes datasource plus tables // this includes datasource plus tables
return ( return (
id && !!id &&
(id.startsWith(`${DocumentType.TABLE}${SEPARATOR}`) || (id.startsWith(`${DocumentType.TABLE}${SEPARATOR}`) ||
id.startsWith(`${DocumentType.DATASOURCE_PLUS}${SEPARATOR}`)) id.startsWith(`${DocumentType.DATASOURCE_PLUS}${SEPARATOR}`))
) )

55
packages/server/src/api/controllers/rowAction/crud.ts
View File

@ -26,7 +26,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
return return
} }
const { actions } = await sdk.rowActions.get(table._id!) const { actions } = await sdk.rowActions.getAll(table._id!)
const result: RowActionsResponse = { const result: RowActionsResponse = {
actions: Object.entries(actions).reduce<Record<string, RowActionResponse>>( actions: Object.entries(actions).reduce<Record<string, RowActionResponse>>(
(acc, [key, action]) => ({ (acc, [key, action]) => ({
@ -36,6 +36,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
tableId: table._id!, tableId: table._id!,
name: action.name, name: action.name,
automationId: action.automationId, automationId: action.automationId,
allowedViews: flattenAllowedViews(action.permissions.views),
}, },
}), }),
{} {}
@ -58,6 +59,7 @@ export async function create(
id: createdAction.id, id: createdAction.id,
name: createdAction.name, name: createdAction.name,
automationId: createdAction.automationId, automationId: createdAction.automationId,
allowedViews: undefined,
} }
ctx.status = 201 ctx.status = 201
} }
@ -77,6 +79,7 @@ export async function update(
id: action.id, id: action.id,
name: action.name, name: action.name,
automationId: action.automationId, automationId: action.automationId,
allowedViews: undefined,
} }
} }
@ -87,3 +90,53 @@ export async function remove(ctx: Ctx<void, void>) {
await sdk.rowActions.remove(table._id!, actionId) await sdk.rowActions.remove(table._id!, actionId)
ctx.status = 204 ctx.status = 204
} }
export async function setViewPermission(ctx: Ctx<void, RowActionResponse>) {
const table = await getTable(ctx)
const { actionId, viewId } = ctx.params
const action = await sdk.rowActions.setViewPermission(
table._id!,
actionId,
viewId
)
ctx.body = {
tableId: table._id!,
id: action.id,
name: action.name,
automationId: action.automationId,
allowedViews: flattenAllowedViews(action.permissions.views),
}
}
export async function unsetViewPermission(ctx: Ctx<void, RowActionResponse>) {
const table = await getTable(ctx)
const { actionId, viewId } = ctx.params
const action = await sdk.rowActions.unsetViewPermission(
table._id!,
actionId,
viewId
)
ctx.body = {
tableId: table._id!,
id: action.id,
name: action.name,
automationId: action.automationId,
allowedViews: flattenAllowedViews(action.permissions.views),
}
}
function flattenAllowedViews(
permissions: Record<string, { runAllowed: boolean }>
) {
const allowedPermissions = Object.entries(permissions || {})
.filter(([_, p]) => p.runAllowed)
.map(([viewId]) => viewId)
if (!allowedPermissions.length) {
return undefined
}
return allowedPermissions
}

27
packages/server/src/api/routes/rowAction.ts
View File

@ -2,9 +2,10 @@ import Router from "@koa/router"
import Joi from "joi" import Joi from "joi"
import { middleware, permissions } from "@budibase/backend-core" import { middleware, permissions } from "@budibase/backend-core"
import * as rowActionController from "../controllers/rowAction" import * as rowActionController from "../controllers/rowAction"
import { authorizedResource } from "../../middleware/authorized" import authorized from "../../middleware/authorized"
import { triggerRowActionAuthorised } from "../../middleware/triggerRowActionAuthorised"
const { PermissionLevel, PermissionType } = permissions const { BUILDER } = permissions
function rowActionValidator() { function rowActionValidator() {
return middleware.joiValidator.body( return middleware.joiValidator.body(
@ -30,32 +31,42 @@ const router: Router = new Router()
router router
.get( .get(
"/api/tables/:tableId/actions", "/api/tables/:tableId/actions",
authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), authorized(BUILDER),
rowActionController.find rowActionController.find
) )
.post( .post(
"/api/tables/:tableId/actions", "/api/tables/:tableId/actions",
authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), authorized(BUILDER),
rowActionValidator(), rowActionValidator(),
rowActionController.create rowActionController.create
) )
.put( .put(
"/api/tables/:tableId/actions/:actionId", "/api/tables/:tableId/actions/:actionId",
authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), authorized(BUILDER),
rowActionValidator(), rowActionValidator(),
rowActionController.update rowActionController.update
) )
.delete( .delete(
"/api/tables/:tableId/actions/:actionId", "/api/tables/:tableId/actions/:actionId",
authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), authorized(BUILDER),
rowActionController.remove rowActionController.remove
) )
.post(
"/api/tables/:tableId/actions/:actionId/permissions/:viewId",
authorized(BUILDER),
rowActionController.setViewPermission
)
.delete(
"/api/tables/:tableId/actions/:actionId/permissions/:viewId",
authorized(BUILDER),
rowActionController.unsetViewPermission
)
// Other endpoints // Other endpoints
.post( .post(
"/api/tables/:tableId/actions/:actionId/trigger", "/api/tables/:sourceId/actions/:actionId/trigger",
rowTriggerValidator(), rowTriggerValidator(),
authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), triggerRowActionAuthorised("sourceId", "actionId"),
rowActionController.run rowActionController.run
) )

325
packages/server/src/api/routes/tests/rowAction.spec.ts
View File

@ -4,10 +4,15 @@ import tk from "timekeeper"
import { import {
CreateRowActionRequest, CreateRowActionRequest,
DocumentType, DocumentType,
PermissionLevel,
Row,
RowActionResponse, RowActionResponse,
} from "@budibase/types" } from "@budibase/types"
import * as setup from "./utilities" import * as setup from "./utilities"
import { generator } from "@budibase/backend-core/tests" import { generator } from "@budibase/backend-core/tests"
import { Expectations } from "../../../tests/utilities/api/base"
import { roles } from "@budibase/backend-core"
import { automations } from "@budibase/pro"
const expectAutomationId = () => const expectAutomationId = () =>
expect.stringMatching(`^${DocumentType.AUTOMATION}_.+`) expect.stringMatching(`^${DocumentType.AUTOMATION}_.+`)
@ -43,11 +48,14 @@ describe("/rowsActions", () => {
.map(name => ({ name })) .map(name => ({ name }))
} }
function unauthorisedTests() { function unauthorisedTests(
apiDelegate: (
expectations: Expectations,
testConfig?: { publicUser?: boolean }
) => Promise<any>
) {
it("returns unauthorised (401) for unauthenticated requests", async () => { it("returns unauthorised (401) for unauthenticated requests", async () => {
await createRowAction( await apiDelegate(
tableId,
createRowActionRequest(),
{ {
status: 401, status: 401,
body: { body: {
@ -65,6 +73,35 @@ describe("/rowsActions", () => {
await config.withUser(user, async () => { await config.withUser(user, async () => {
await createRowAction(generator.guid(), createRowActionRequest(), { await createRowAction(generator.guid(), createRowActionRequest(), {
status: 403, status: 403,
body: {
message: "Not Authorized",
},
})
})
})
it("returns forbidden (403) for non-builder users even if they have table write permissions", async () => {
const user = await config.createUser({
builder: {},
})
const tableId = generator.guid()
for (const role of Object.values(roles.BUILTIN_ROLE_IDS)) {
await config.api.permission.add({
roleId: role,
resourceId: tableId,
level: PermissionLevel.EXECUTE,
})
}
// replicate changes before checking permissions
await config.publish()
await config.withUser(user, async () => {
await createRowAction(tableId, createRowActionRequest(), {
status: 403,
body: {
message: "Not Authorized",
},
}) })
}) })
}) })
@ -77,7 +114,14 @@ describe("/rowsActions", () => {
} }
describe("create", () => { describe("create", () => {
unauthorisedTests() unauthorisedTests((expectations, testConfig) =>
createRowAction(
tableId,
createRowActionRequest(),
expectations,
testConfig
)
)
it("creates new row actions for tables without existing actions", async () => { it("creates new row actions for tables without existing actions", async () => {
const rowAction = createRowActionRequest() const rowAction = createRowActionRequest()
@ -106,7 +150,7 @@ describe("/rowsActions", () => {
it("trims row action names", async () => { it("trims row action names", async () => {
const name = " action name " const name = " action name "
const res = await createRowAction(tableId, { name }, { status: 201 }) const res = await createRowAction(tableId, { name })
expect(res).toEqual( expect(res).toEqual(
expect.objectContaining({ expect.objectContaining({
@ -174,9 +218,7 @@ describe("/rowsActions", () => {
id: generator.guid(), id: generator.guid(),
valueToIgnore: generator.string(), valueToIgnore: generator.string(),
} }
const res = await createRowAction(tableId, dirtyRowAction, { const res = await createRowAction(tableId, dirtyRowAction)
status: 201,
})
expect(res).toEqual({ expect(res).toEqual({
name: rowAction.name, name: rowAction.name,
@ -239,15 +281,17 @@ describe("/rowsActions", () => {
const action2 = await createRowAction(tableId, createRowActionRequest()) const action2 = await createRowAction(tableId, createRowActionRequest())
for (const automationId of [action1.automationId, action2.automationId]) { for (const automationId of [action1.automationId, action2.automationId]) {
expect( expect(await config.api.automation.get(automationId)).toEqual(
await config.api.automation.get(automationId, { status: 200 }) expect.objectContaining({ _id: automationId })
).toEqual(expect.objectContaining({ _id: automationId })) )
} }
}) })
}) })
describe("find", () => { describe("find", () => {
unauthorisedTests() unauthorisedTests((expectations, testConfig) =>
config.api.rowAction.find(tableId, expectations, testConfig)
)
it("returns only the actions for the requested table", async () => { it("returns only the actions for the requested table", async () => {
const rowActions: RowActionResponse[] = [] const rowActions: RowActionResponse[] = []
@ -279,7 +323,15 @@ describe("/rowsActions", () => {
}) })
describe("update", () => { describe("update", () => {
unauthorisedTests() unauthorisedTests((expectations, testConfig) =>
config.api.rowAction.update(
tableId,
generator.guid(),
createRowActionRequest(),
expectations,
testConfig
)
)
it("can update existing actions", async () => { it("can update existing actions", async () => {
for (const rowAction of createRowActionRequests(3)) { for (const rowAction of createRowActionRequests(3)) {
@ -320,13 +372,7 @@ describe("/rowsActions", () => {
}) })
it("trims row action names", async () => { it("trims row action names", async () => {
const rowAction = await createRowAction( const rowAction = await createRowAction(tableId, createRowActionRequest())
tableId,
createRowActionRequest(),
{
status: 201,
}
)
const res = await config.api.rowAction.update(tableId, rowAction.id, { const res = await config.api.rowAction.update(tableId, rowAction.id, {
name: " action name ", name: " action name ",
@ -398,7 +444,14 @@ describe("/rowsActions", () => {
}) })
describe("delete", () => { describe("delete", () => {
unauthorisedTests() unauthorisedTests((expectations, testConfig) =>
config.api.rowAction.delete(
tableId,
generator.guid(),
expectations,
testConfig
)
)
it("can delete existing actions", async () => { it("can delete existing actions", async () => {
const actions: RowActionResponse[] = [] const actions: RowActionResponse[] = []
@ -462,4 +515,232 @@ describe("/rowsActions", () => {
} }
}) })
}) })
describe("set/unsetViewPermission", () => {
describe.each([
["setViewPermission", config.api.rowAction.setViewPermission],
["unsetViewPermission", config.api.rowAction.unsetViewPermission],
])("unauthorisedTests for %s", (__, delegateTest) => {
unauthorisedTests((expectations, testConfig) =>
delegateTest(
tableId,
generator.guid(),
generator.guid(),
expectations,
testConfig
)
)
})
let tableIdForDescribe: string
let actionId1: string, actionId2: string
let viewId1: string, viewId2: string
beforeAll(async () => {
tableIdForDescribe = tableId
for (const rowAction of createRowActionRequests(3)) {
await createRowAction(tableId, rowAction)
}
const persisted = await config.api.rowAction.find(tableId)
const actions = _.sampleSize(Object.keys(persisted.actions), 2)
actionId1 = actions[0]
actionId2 = actions[1]
viewId1 = (
await config.api.viewV2.create(
setup.structures.viewV2.createRequest(tableId)
)
).id
viewId2 = (
await config.api.viewV2.create(
setup.structures.viewV2.createRequest(tableId)
)
).id
})
beforeEach(() => {
// Hack to reuse tables for these given tests
tableId = tableIdForDescribe
})
it("can set permission views", async () => {
await config.api.rowAction.setViewPermission(tableId, viewId1, actionId1)
const action1Result = await config.api.rowAction.setViewPermission(
tableId,
viewId2,
actionId1
)
const action2Result = await config.api.rowAction.setViewPermission(
tableId,
viewId1,
actionId2
)
const expectedAction1 = expect.objectContaining({
allowedViews: [viewId1, viewId2],
})
const expectedAction2 = expect.objectContaining({
allowedViews: [viewId1],
})
const expectedActions = expect.objectContaining({
[actionId1]: expectedAction1,
[actionId2]: expectedAction2,
})
expect(action1Result).toEqual(expectedAction1)
expect(action2Result).toEqual(expectedAction2)
expect((await config.api.rowAction.find(tableId)).actions).toEqual(
expectedActions
)
})
it("can unset permission views", async () => {
const actionResult = await config.api.rowAction.unsetViewPermission(
tableId,
viewId1,
actionId1
)
const expectedAction = expect.objectContaining({
allowedViews: [viewId2],
})
expect(actionResult).toEqual(expectedAction)
expect(
(await config.api.rowAction.find(tableId)).actions[actionId1]
).toEqual(expectedAction)
})
it.each([
["setViewPermission", config.api.rowAction.setViewPermission],
["unsetViewPermission", config.api.rowAction.unsetViewPermission],
])(
"cannot update permission views for unexisting views (%s)",
async (__, delegateTest) => {
const viewId = generator.guid()
await delegateTest(tableId, viewId, actionId1, {
status: 400,
body: {
message: `View '${viewId}' not found in '${tableId}'`,
},
})
}
)
it.each([
["setViewPermission", config.api.rowAction.setViewPermission],
["unsetViewPermission", config.api.rowAction.unsetViewPermission],
])(
"cannot update permission views crossing table views (%s)",
async (__, delegateTest) => {
const anotherTable = await config.api.table.save(
setup.structures.basicTable()
)
const { id: viewId } = await config.api.viewV2.create(
setup.structures.viewV2.createRequest(anotherTable._id!)
)
await delegateTest(tableId, viewId, actionId1, {
status: 400,
body: {
message: `View '${viewId}' not found in '${tableId}'`,
},
})
}
)
})
describe("trigger", () => {
let row: Row
let rowAction: RowActionResponse
beforeEach(async () => {
row = await config.api.row.save(tableId, {})
rowAction = await createRowAction(tableId, createRowActionRequest())
await config.publish()
tk.travel(Date.now() + 100)
})
async function getAutomationLogs() {
const { data: automationLogs } = await config.doInContext(
config.getProdAppId(),
async () =>
automations.logs.logSearch({ startDate: new Date().toISOString() })
)
return automationLogs
}
it("can trigger an automation given valid data", async () => {
await config.api.rowAction.trigger(tableId, rowAction.id, {
rowId: row._id!,
})
const automationLogs = await getAutomationLogs()
expect(automationLogs).toEqual([
expect.objectContaining({
automationId: rowAction.automationId,
trigger: expect.objectContaining({
outputs: {
fields: {},
row: await config.api.row.get(tableId, row._id!),
table: await config.api.table.get(tableId),
},
}),
}),
])
})
it("rejects triggering from a non-allowed view", async () => {
const viewId = (
await config.api.viewV2.create(
setup.structures.viewV2.createRequest(tableId)
)
).id
await config.publish()
await config.api.rowAction.trigger(
viewId,
rowAction.id,
{
rowId: row._id!,
},
{
status: 403,
body: {
message: `Row action '${rowAction.id}' is not enabled for view '${viewId}'`,
},
}
)
const automationLogs = await getAutomationLogs()
expect(automationLogs).toEqual([])
})
it("triggers from an allowed view", async () => {
const viewId = (
await config.api.viewV2.create(
setup.structures.viewV2.createRequest(tableId)
)
).id
await config.api.rowAction.setViewPermission(
tableId,
viewId,
rowAction.id
)
await config.publish()
await config.api.rowAction.trigger(viewId, rowAction.id, {
rowId: row._id!,
})
const automationLogs = await getAutomationLogs()
expect(automationLogs).toEqual([
expect.objectContaining({
automationId: rowAction.automationId,
}),
])
})
})
}) })

45
packages/server/src/middleware/triggerRowActionAuthorised.ts Normal file
View File

@ -0,0 +1,45 @@
import { Next } from "koa"
import { Ctx } from "@budibase/types"
import { paramSubResource } from "./resourceId"
import { docIds } from "@budibase/backend-core"
import * as utils from "../db/utils"
import sdk from "../sdk"
export function triggerRowActionAuthorised(
sourcePath: string,
actionPath: string
) {
return async (ctx: Ctx, next: Next) => {
// Reusing the existing middleware to extract the value
paramSubResource(sourcePath, actionPath)(ctx, () => {})
const { resourceId: sourceId, subResourceId: rowActionId } = ctx
const isTableId = docIds.isTableId(sourceId)
const isViewId = utils.isViewID(sourceId)
if (!isTableId && !isViewId) {
ctx.throw(400, `'${sourceId}' is not a valid source id`)
}
const tableId = isTableId
? sourceId
: utils.extractViewInfoFromID(sourceId).tableId
const rowAction = await sdk.rowActions.get(tableId, rowActionId)
if (isTableId && !rowAction.permissions.table.runAllowed) {
ctx.throw(
403,
`Row action '${rowActionId}' is not enabled for table '${sourceId}'`
)
} else if (isViewId && !rowAction.permissions.views[sourceId]?.runAllowed) {
ctx.throw(
403,
`Row action '${rowActionId}' is not enabled for view '${sourceId}'`
)
}
// Enrich tableId
ctx.params.tableId = tableId
return next()
}
}

2
packages/server/src/sdk/app/automations/utils.ts
View File

@ -29,7 +29,7 @@ export async function getBuilderData(
const rowActionNameCache: Record<string, TableRowActions> = {} const rowActionNameCache: Record<string, TableRowActions> = {}
async function getRowActionName(tableId: string, rowActionId: string) { async function getRowActionName(tableId: string, rowActionId: string) {
if (!rowActionNameCache[tableId]) { if (!rowActionNameCache[tableId]) {
rowActionNameCache[tableId] = await sdk.rowActions.get(tableId) rowActionNameCache[tableId] = await sdk.rowActions.getAll(tableId)
} }
return rowActionNameCache[tableId].actions[rowActionId]?.name return rowActionNameCache[tableId].actions[rowActionId]?.name

134
packages/server/src/sdk/app/rowActions.ts
View File

@ -1,12 +1,11 @@
import { context, HTTPError, utils } from "@budibase/backend-core" import { context, HTTPError, utils } from "@budibase/backend-core"
import { import {
AutomationTriggerStepId, AutomationTriggerStepId,
SEPARATOR, SEPARATOR,
TableRowActions, TableRowActions,
VirtualDocumentType, VirtualDocumentType,
} from "@budibase/types" } from "@budibase/types"
import { generateRowActionsID } from "../../db/utils" import { generateRowActionsID, isViewID } from "../../db/utils"
import automations from "./automations" import automations from "./automations"
import { definitions as TRIGGER_DEFINITIONS } from "../../automations/triggerInfo" import { definitions as TRIGGER_DEFINITIONS } from "../../automations/triggerInfo"
import * as triggers from "../../automations/triggers" import * as triggers from "../../automations/triggers"
@ -75,6 +74,10 @@ export async function create(tableId: string, rowAction: { name: string }) {
doc.actions[newRowActionId] = { doc.actions[newRowActionId] = {
name: action.name, name: action.name,
automationId: automation._id!, automationId: automation._id!,
permissions: {
table: { runAllowed: true },
views: {},
},
} }
await db.put(doc) await db.put(doc)
@ -84,7 +87,19 @@ export async function create(tableId: string, rowAction: { name: string }) {
} }
} }
export async function get(tableId: string) { export async function get(tableId: string, rowActionId: string) {
const actionsDoc = await getAll(tableId)
const rowAction = actionsDoc?.actions[rowActionId]
if (!rowAction) {
throw new HTTPError(
`Row action '${rowActionId}' not found in '${tableId}'`,
400
)
}
return rowAction
}
export async function getAll(tableId: string) {
const db = context.getAppDB() const db = context.getAppDB()
const rowActionsId = generateRowActionsID(tableId) const rowActionsId = generateRowActionsID(tableId)
return await db.get<TableRowActions>(rowActionsId) return await db.get<TableRowActions>(rowActionsId)
@ -97,41 +112,15 @@ export async function docExists(tableId: string) {
return result return result
} }
export async function update( async function updateDoc(
tableId: string, tableId: string,
rowActionId: string, rowActionId: string,
rowAction: { name: string } transformer: (
tableRowActions: TableRowActions
) => TableRowActions | Promise<TableRowActions>
) { ) {
const action = { name: rowAction.name.trim() } const actionsDoc = await getAll(tableId)
const actionsDoc = await get(tableId) const rowAction = actionsDoc?.actions[rowActionId]
if (!actionsDoc.actions[rowActionId]) {
throw new HTTPError(
`Row action '${rowActionId}' not found in '${tableId}'`,
400
)
}
ensureUniqueAndThrow(actionsDoc, action.name, rowActionId)
actionsDoc.actions[rowActionId] = {
automationId: actionsDoc.actions[rowActionId].automationId,
...action,
}
const db = context.getAppDB()
await db.put(actionsDoc)
return {
id: rowActionId,
...actionsDoc.actions[rowActionId],
}
}
export async function remove(tableId: string, rowActionId: string) {
const actionsDoc = await get(tableId)
const rowAction = actionsDoc.actions[rowActionId]
if (!rowAction) { if (!rowAction) {
throw new HTTPError( throw new HTTPError(
`Row action '${rowActionId}' not found in '${tableId}'`, `Row action '${rowActionId}' not found in '${tableId}'`,
@ -139,13 +128,76 @@ export async function remove(tableId: string, rowActionId: string) {
) )
} }
const { automationId } = rowAction const updated = await transformer(actionsDoc)
const automation = await automations.get(automationId)
await automations.remove(automation._id, automation._rev)
delete actionsDoc.actions[rowActionId]
const db = context.getAppDB() const db = context.getAppDB()
await db.put(actionsDoc) await db.put(updated)
return {
id: rowActionId,
...updated.actions[rowActionId],
}
}
export async function update(
tableId: string,
rowActionId: string,
rowActionData: { name: string }
) {
const newName = rowActionData.name.trim()
return await updateDoc(tableId, rowActionId, actionsDoc => {
ensureUniqueAndThrow(actionsDoc, newName, rowActionId)
actionsDoc.actions[rowActionId].name = newName
return actionsDoc
})
}
async function guardView(tableId: string, viewId: string) {
let view
if (isViewID(viewId)) {
view = await sdk.views.get(viewId)
}
if (!view || view.tableId !== tableId) {
throw new HTTPError(`View '${viewId}' not found in '${tableId}'`, 400)
}
}
export async function setViewPermission(
tableId: string,
rowActionId: string,
viewId: string
) {
await guardView(tableId, viewId)
return await updateDoc(tableId, rowActionId, async actionsDoc => {
actionsDoc.actions[rowActionId].permissions.views[viewId] = {
runAllowed: true,
}
return actionsDoc
})
}
export async function unsetViewPermission(
tableId: string,
rowActionId: string,
viewId: string
) {
await guardView(tableId, viewId)
return await updateDoc(tableId, rowActionId, async actionsDoc => {
delete actionsDoc.actions[rowActionId].permissions.views[viewId]
return actionsDoc
})
}
export async function remove(tableId: string, rowActionId: string) {
return await updateDoc(tableId, rowActionId, async actionsDoc => {
const { automationId } = actionsDoc.actions[rowActionId]
const automation = await automations.get(automationId)
await automations.remove(automation._id, automation._rev)
delete actionsDoc.actions[rowActionId]
return actionsDoc
})
} }
export async function run(tableId: any, rowActionId: any, rowId: string) { export async function run(tableId: any, rowActionId: any, rowId: string) {
@ -154,7 +206,7 @@ export async function run(tableId: any, rowActionId: any, rowId: string) {
throw new HTTPError("Table not found", 404) throw new HTTPError("Table not found", 404)
} }
const { actions } = await get(tableId) const { actions } = await getAll(tableId)
const rowAction = actions[rowActionId] const rowAction = actions[rowActionId]
if (!rowAction) { if (!rowAction) {

9
packages/server/src/tests/utilities/api/base.ts
View File

@ -40,6 +40,7 @@ export interface RequestOpts {
> >
expectations?: Expectations expectations?: Expectations
publicUser?: boolean publicUser?: boolean
useProdApp?: boolean
} }
export abstract class TestAPI { export abstract class TestAPI {
@ -107,8 +108,12 @@ export abstract class TestAPI {
} }
const headersFn = publicUser const headersFn = publicUser
? this.config.publicHeaders.bind(this.config) ? (_extras = {}) =>
: this.config.defaultHeaders.bind(this.config) this.config.publicHeaders.bind(this.config)({
prodApp: opts?.useProdApp,
})
: (extras = {}) =>
this.config.defaultHeaders.bind(this.config)(extras, opts?.useProdApp)
const app = getServer() const app = getServer()
let req = request(app)[method](url) let req = request(app)[method](url)

58
packages/server/src/tests/utilities/api/rowAction.ts
View File

@ -2,6 +2,7 @@ import {
CreateRowActionRequest, CreateRowActionRequest,
RowActionResponse, RowActionResponse,
RowActionsResponse, RowActionsResponse,
RowActionTriggerRequest,
} from "@budibase/types" } from "@budibase/types"
import { Expectations, TestAPI } from "./base" import { Expectations, TestAPI } from "./base"
@ -17,8 +18,8 @@ export class RowActionAPI extends TestAPI {
{ {
body: rowAction, body: rowAction,
expectations: { expectations: {
status: 201,
...expectations, ...expectations,
status: expectations?.status || 201,
}, },
...config, ...config,
} }
@ -70,4 +71,59 @@ export class RowActionAPI extends TestAPI {
} }
) )
} }
setViewPermission = async (
tableId: string,
viewId: string,
rowActionId: string,
expectations?: Expectations,
config?: { publicUser?: boolean }
) => {
return await this._post<RowActionResponse>(
`/api/tables/${tableId}/actions/${rowActionId}/permissions/${viewId}`,
{
expectations: {
status: 200,
...expectations,
},
...config,
}
)
}
unsetViewPermission = async (
tableId: string,
viewId: string,
rowActionId: string,
expectations?: Expectations,
config?: { publicUser?: boolean }
) => {
return await this._delete<RowActionResponse>(
`/api/tables/${tableId}/actions/${rowActionId}/permissions/${viewId}`,
{
expectations: {
status: 200,
...expectations,
},
...config,
}
)
}
trigger = async (
tableId: string,
rowActionId: string,
body: RowActionTriggerRequest,
expectations?: Expectations,
config?: { publicUser?: boolean; useProdApp?: boolean }
) => {
return await this._post<RowActionResponse>(
`/api/tables/${tableId}/actions/${rowActionId}/trigger`,
{
body,
expectations,
...{ ...config, useProdApp: config?.useProdApp ?? true },
}
)
}
} }

12
packages/server/src/tests/utilities/structures.ts
View File

@ -30,6 +30,7 @@ import {
BBReferenceFieldSubType, BBReferenceFieldSubType,
JsonFieldSubType, JsonFieldSubType,
AutoFieldSubType, AutoFieldSubType,
CreateViewRequest,
} from "@budibase/types" } from "@budibase/types"
import { LoopInput } from "../../definitions/automations" import { LoopInput } from "../../definitions/automations"
import { merge } from "lodash" import { merge } from "lodash"
@ -145,6 +146,17 @@ export function view(tableId: string) {
} }
} }
function viewV2CreateRequest(tableId: string): CreateViewRequest {
return {
tableId,
name: generator.guid(),
}
}
export const viewV2 = {
createRequest: viewV2CreateRequest,
}
export function automationStep( export function automationStep(
actionDefinition = BUILTIN_ACTION_DEFINITIONS.CREATE_ROW actionDefinition = BUILTIN_ACTION_DEFINITIONS.CREATE_ROW
): AutomationStep { ): AutomationStep {

1
packages/types/src/api/web/app/rowAction.ts
View File

@ -8,6 +8,7 @@ export interface RowActionResponse extends RowActionData {
id: string id: string
tableId: string tableId: string
automationId: string automationId: string
allowedViews: string[] | undefined
} }
export interface RowActionsResponse { export interface RowActionsResponse {

17
packages/types/src/documents/app/rowAction.ts
View File

@ -2,11 +2,14 @@ import { Document } from "../document"
export interface TableRowActions extends Document { export interface TableRowActions extends Document {
_id: string _id: string
actions: Record< actions: Record<string, RowActionData>
string, }
{
name: string export interface RowActionData {
automationId: string name: string
} automationId: string
> permissions: {
table: { runAllowed: boolean }
views: Record<string, { runAllowed: boolean }>
}
} }