Crud endpoints only for builder

packages/server/src/api/routes/rowAction.ts

@@ -2,9 +2,9 @@ import Router from "@koa/router"
 import Joi from "joi"
 import { middleware, permissions } from "@budibase/backend-core"
 import * as rowActionController from "../controllers/rowAction"
-import { authorizedResource } from "../../middleware/authorized"
+import authorized, { authorizedResource } from "../../middleware/authorized"
 
-const { PermissionLevel, PermissionType } = permissions
+const { PermissionLevel, PermissionType, BUILDER } = permissions
 
 function rowActionValidator() {
   return middleware.joiValidator.body(
@@ -30,34 +30,34 @@ const router: Router = new Router()
 router
   .get(
     "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.find
   )
   .post(
     "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionValidator(),
     rowActionController.create
   )
   .put(
     "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionValidator(),
     rowActionController.update
   )
   .delete(
     "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.remove
   )
   .post(
     "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.setViewPermission
   )
   .delete(
     "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.unsetViewPermission
   )
 

packages/server/src/api/routes/tests/rowAction.spec.ts

@@ -4,11 +4,13 @@ import tk from "timekeeper"
 import {
   CreateRowActionRequest,
   DocumentType,
+  PermissionLevel,
   RowActionResponse,
 } from "@budibase/types"
 import * as setup from "./utilities"
 import { generator } from "@budibase/backend-core/tests"
 import { Expectations } from "../../../tests/utilities/api/base"
+import { roles } from "@budibase/backend-core"
 
 const expectAutomationId = () =>
   expect.stringMatching(`^${DocumentType.AUTOMATION}_.+`)
@@ -69,6 +71,31 @@ describe("/rowsActions", () => {
       await config.withUser(user, async () => {
         await createRowAction(generator.guid(), createRowActionRequest(), {
           status: 403,
+          body: {
+            message: "Not Authorized",
+          },
+        })
+      })
+    })
+
+    it("returns forbidden (403) for non-builder users even if they have table write permissions", async () => {
+      const user = await config.createUser({
+        builder: {},
+      })
+      const tableId = generator.guid()
+      for (const role of Object.values(roles.BUILTIN_ROLE_IDS)) {
+        await config.api.permission.add({
+          roleId: role,
+          resourceId: tableId,
+          level: PermissionLevel.EXECUTE,
+        })
+      }
+      await config.withUser(user, async () => {
+        await createRowAction(tableId, createRowActionRequest(), {
+          status: 403,
+          body: {
+            message: "Not Authorized",
+          },
         })
       })
     })