From 92a0740cef6bd46c36243f44a2dae104afc7f1a2 Mon Sep 17 00:00:00 2001
From: Adria Navarro <adria@budibase.com>
Date: Wed, 4 Sep 2024 11:10:56 +0200
Subject: [PATCH] Proper guarding

---
 .../middleware/triggerRowActionAuthorised.ts  | 46 ++++---------------
 1 file changed, 10 insertions(+), 36 deletions(-)

diff --git a/packages/server/src/middleware/triggerRowActionAuthorised.ts b/packages/server/src/middleware/triggerRowActionAuthorised.ts
index 4cee167350..17f22b7000 100644
--- a/packages/server/src/middleware/triggerRowActionAuthorised.ts
+++ b/packages/server/src/middleware/triggerRowActionAuthorised.ts
@@ -1,6 +1,5 @@
 import { Next } from "koa"
 import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
-import { paramSubResource } from "./resourceId"
 import { docIds } from "@budibase/backend-core"
 import * as utils from "../db/utils"
 import sdk from "../sdk"
@@ -12,11 +11,8 @@ export function triggerRowActionAuthorised(
 ) {
   return async (ctx: UserCtx, next: Next) => {
     async function getResourceIds() {
-      // Reusing the existing middleware to extract the value
-      await paramSubResource(sourcePath, actionPath)(ctx, () => {})
-
-      const sourceId: string = ctx.resourceId
-      const rowActionId: string = ctx.subResourceId
+      const sourceId: string = ctx.params[sourcePath]
+      const rowActionId: string = ctx.params[actionPath]
 
       const isTableId = docIds.isTableId(sourceId)
       const isViewId = utils.isViewID(sourceId)
@@ -31,37 +27,17 @@ export function triggerRowActionAuthorised(
       return { tableId, viewId, rowActionId }
     }
 
-    async function guardResourcePermissions(
-      ctx: UserCtx,
-      tableId: string,
-      viewId?: string
-    ) {
-      const { params } = ctx
-      try {
-        if (!viewId) {
-          ctx.params = { tableId }
-          await authorizedResource(
-            PermissionType.TABLE,
-            PermissionLevel.READ,
-            "tableId"
-          )(ctx, () => {})
-        } else {
-          ctx.params = { viewId }
-          await authorizedResource(
-            PermissionType.VIEW,
-            PermissionLevel.READ,
-            "__viewId"
-          )(ctx, () => {})
-        }
-      } finally {
-        ctx.params = params
-      }
-    }
-
     const { tableId, viewId, rowActionId } = await getResourceIds()
 
-    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
+    // Check if the user has permissions to the table/view
+    await authorizedResource(
+      !viewId ? PermissionType.TABLE : PermissionType.VIEW,
+      PermissionLevel.READ,
+      sourcePath
+    )(ctx, () => {})
 
+    // Check is the row action can run for the given view/table
+    const rowAction = await sdk.rowActions.get(tableId, rowActionId)
     if (!viewId && !rowAction.permissions.table.runAllowed) {
       ctx.throw(
         403,
@@ -74,8 +50,6 @@ export function triggerRowActionAuthorised(
       )
     }
 
-    await guardResourcePermissions(ctx, tableId, viewId)
-
     // Enrich tableId
     ctx.params.tableId = tableId
     return next()