diff --git a/packages/server/src/api/routes/rowAction.ts b/packages/server/src/api/routes/rowAction.ts index 0fa0e07673..34b4ee9fe3 100644 --- a/packages/server/src/api/routes/rowAction.ts +++ b/packages/server/src/api/routes/rowAction.ts @@ -2,9 +2,9 @@ import Router from "@koa/router" import Joi from "joi" import { middleware, permissions } from "@budibase/backend-core" import * as rowActionController from "../controllers/rowAction" -import { authorizedResource } from "../../middleware/authorized" +import authorized, { authorizedResource } from "../../middleware/authorized" -const { PermissionLevel, PermissionType } = permissions +const { PermissionLevel, PermissionType, BUILDER } = permissions function rowActionValidator() { return middleware.joiValidator.body( @@ -30,34 +30,34 @@ const router: Router = new Router() router .get( "/api/tables/:tableId/actions", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionController.find ) .post( "/api/tables/:tableId/actions", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionValidator(), rowActionController.create ) .put( "/api/tables/:tableId/actions/:actionId", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionValidator(), rowActionController.update ) .delete( "/api/tables/:tableId/actions/:actionId", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionController.remove ) .post( "/api/tables/:tableId/actions/:actionId/permissions/:viewId", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionController.setViewPermission ) .delete( "/api/tables/:tableId/actions/:actionId/permissions/:viewId", - authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"), + authorized(BUILDER), rowActionController.unsetViewPermission ) diff --git a/packages/server/src/api/routes/tests/rowAction.spec.ts b/packages/server/src/api/routes/tests/rowAction.spec.ts index c9c2b2ced0..fae8828c0a 100644 --- a/packages/server/src/api/routes/tests/rowAction.spec.ts +++ b/packages/server/src/api/routes/tests/rowAction.spec.ts @@ -4,11 +4,13 @@ import tk from "timekeeper" import { CreateRowActionRequest, DocumentType, + PermissionLevel, RowActionResponse, } from "@budibase/types" import * as setup from "./utilities" import { generator } from "@budibase/backend-core/tests" import { Expectations } from "../../../tests/utilities/api/base" +import { roles } from "@budibase/backend-core" const expectAutomationId = () => expect.stringMatching(`^${DocumentType.AUTOMATION}_.+`) @@ -69,6 +71,31 @@ describe("/rowsActions", () => { await config.withUser(user, async () => { await createRowAction(generator.guid(), createRowActionRequest(), { status: 403, + body: { + message: "Not Authorized", + }, + }) + }) + }) + + it("returns forbidden (403) for non-builder users even if they have table write permissions", async () => { + const user = await config.createUser({ + builder: {}, + }) + const tableId = generator.guid() + for (const role of Object.values(roles.BUILTIN_ROLE_IDS)) { + await config.api.permission.add({ + roleId: role, + resourceId: tableId, + level: PermissionLevel.EXECUTE, + }) + } + await config.withUser(user, async () => { + await createRowAction(tableId, createRowActionRequest(), { + status: 403, + body: { + message: "Not Authorized", + }, }) }) })