Proper guarding
This commit is contained in:
Adria Navarro
parent
00119f9d73
commit
92a0740cef
|
|
@ -1,6 +1,5 @@
|
||||||
import { Next } from "koa"
|
import { Next } from "koa"
|
||||||
import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
|
import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
|
||||||
import { paramSubResource } from "./resourceId"
|
|
||||||
import { docIds } from "@budibase/backend-core"
|
import { docIds } from "@budibase/backend-core"
|
||||||
import * as utils from "../db/utils"
|
import * as utils from "../db/utils"
|
||||||
import sdk from "../sdk"
|
import sdk from "../sdk"
|
||||||
|
|
@ -12,11 +11,8 @@ export function triggerRowActionAuthorised(
|
||||||
) {
|
) {
|
||||||
return async (ctx: UserCtx, next: Next) => {
|
return async (ctx: UserCtx, next: Next) => {
|
||||||
async function getResourceIds() {
|
async function getResourceIds() {
|
||||||
// Reusing the existing middleware to extract the value
|
const sourceId: string = ctx.params[sourcePath]
|
||||||
await paramSubResource(sourcePath, actionPath)(ctx, () => {})
|
const rowActionId: string = ctx.params[actionPath]
|
||||||
|
|
||||||
const sourceId: string = ctx.resourceId
|
|
||||||
const rowActionId: string = ctx.subResourceId
|
|
||||||
|
|
||||||
const isTableId = docIds.isTableId(sourceId)
|
const isTableId = docIds.isTableId(sourceId)
|
||||||
const isViewId = utils.isViewID(sourceId)
|
const isViewId = utils.isViewID(sourceId)
|
||||||
|
|
@ -31,37 +27,17 @@ export function triggerRowActionAuthorised(
|
||||||
return { tableId, viewId, rowActionId }
|
return { tableId, viewId, rowActionId }
|
||||||
}
|
}
|
||||||
|
|
||||||
async function guardResourcePermissions(
|
|
||||||
ctx: UserCtx,
|
|
||||||
tableId: string,
|
|
||||||
viewId?: string
|
|
||||||
) {
|
|
||||||
const { params } = ctx
|
|
||||||
try {
|
|
||||||
if (!viewId) {
|
|
||||||
ctx.params = { tableId }
|
|
||||||
await authorizedResource(
|
|
||||||
PermissionType.TABLE,
|
|
||||||
PermissionLevel.READ,
|
|
||||||
"tableId"
|
|
||||||
)(ctx, () => {})
|
|
||||||
} else {
|
|
||||||
ctx.params = { viewId }
|
|
||||||
await authorizedResource(
|
|
||||||
PermissionType.VIEW,
|
|
||||||
PermissionLevel.READ,
|
|
||||||
"__viewId"
|
|
||||||
)(ctx, () => {})
|
|
||||||
}
|
|
||||||
} finally {
|
|
||||||
ctx.params = params
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
const { tableId, viewId, rowActionId } = await getResourceIds()
|
const { tableId, viewId, rowActionId } = await getResourceIds()
|
||||||
|
|
||||||
const rowAction = await sdk.rowActions.get(tableId, rowActionId)
|
// Check if the user has permissions to the table/view
|
||||||
|
await authorizedResource(
|
||||||
|
!viewId ? PermissionType.TABLE : PermissionType.VIEW,
|
||||||
|
PermissionLevel.READ,
|
||||||
|
sourcePath
|
||||||
|
)(ctx, () => {})
|
||||||
|
|
||||||
|
// Check is the row action can run for the given view/table
|
||||||
|
const rowAction = await sdk.rowActions.get(tableId, rowActionId)
|
||||||
if (!viewId && !rowAction.permissions.table.runAllowed) {
|
if (!viewId && !rowAction.permissions.table.runAllowed) {
|
||||||
ctx.throw(
|
ctx.throw(
|
||||||
403,
|
403,
|
||||||
|
|
@ -74,8 +50,6 @@ export function triggerRowActionAuthorised(
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
await guardResourcePermissions(ctx, tableId, viewId)
|
|
||||||
|
|
||||||
// Enrich tableId
|
// Enrich tableId
|
||||||
ctx.params.tableId = tableId
|
ctx.params.tableId = tableId
|
||||||
return next()
|
return next()
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue