Proper guarding

2024-09-04 11:10:56 +02:00 · 2024-09-04 11:10:56 +02:00 · 92a0740cef
parent 00119f9d73
commit 92a0740cef
1 changed files with 10 additions and 36 deletions
--- a/packages/server/src/middleware/triggerRowActionAuthorised.ts
+++ b/packages/server/src/middleware/triggerRowActionAuthorised.ts
@ -1,6 +1,5 @@
 import { Next } from "koa"
 import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
-import { paramSubResource } from "./resourceId"
 import { docIds } from "@budibase/backend-core"
 import * as utils from "../db/utils"
 import sdk from "../sdk"
@ -12,11 +11,8 @@ export function triggerRowActionAuthorised(
 ) {
  return async (ctx: UserCtx, next: Next) => {
    async function getResourceIds() {
-      // Reusing the existing middleware to extract the value
-      await paramSubResource(sourcePath, actionPath)(ctx, () => {})
-
-      const sourceId: string = ctx.resourceId
-      const rowActionId: string = ctx.subResourceId
+      const sourceId: string = ctx.params[sourcePath]
+      const rowActionId: string = ctx.params[actionPath]

      const isTableId = docIds.isTableId(sourceId)
      const isViewId = utils.isViewID(sourceId)
@ -31,37 +27,17 @@ export function triggerRowActionAuthorised(
      return { tableId, viewId, rowActionId }
    }

-    async function guardResourcePermissions(
-      ctx: UserCtx,
-      tableId: string,
-      viewId?: string
-    ) {
-      const { params } = ctx
-      try {
-        if (!viewId) {
-          ctx.params = { tableId }
-          await authorizedResource(
-            PermissionType.TABLE,
-            PermissionLevel.READ,
-            "tableId"
-          )(ctx, () => {})
-        } else {
-          ctx.params = { viewId }
-          await authorizedResource(
-            PermissionType.VIEW,
-            PermissionLevel.READ,
-            "__viewId"
-          )(ctx, () => {})
-        }
-      } finally {
-        ctx.params = params
-      }
-    }
-
    const { tableId, viewId, rowActionId } = await getResourceIds()

-    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
+    // Check if the user has permissions to the table/view
+    await authorizedResource(
+      !viewId ? PermissionType.TABLE : PermissionType.VIEW,
+      PermissionLevel.READ,
+      sourcePath
+    )(ctx, () => {})

+    // Check is the row action can run for the given view/table
+    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
    if (!viewId && !rowAction.permissions.table.runAllowed) {
      ctx.throw(
        403,
@ -74,8 +50,6 @@ export function triggerRowActionAuthorised(
      )
    }

-    await guardResourcePermissions(ctx, tableId, viewId)
-
    // Enrich tableId
    ctx.params.tableId = tableId
    return next()