Split authorized middleware to handle resource id fetch

packages/server/src/api/routes/row.ts

@@ -1,10 +1,11 @@
 import Router from "@koa/router"
 import * as rowController from "../controllers/row"
-import authorized from "../../middleware/authorized"
+import authorized, { authorizedResource } from "../../middleware/authorized"
 import { paramResource, paramSubResource } from "../../middleware/resourceId"
 import { permissions } from "@budibase/backend-core"
 import { internalSearchValidator } from "./utils/validators"
 import trimViewRowInfo from "../../middleware/trimViewRowInfo"
+import { extractViewInfoFromID } from "../../db/utils"
 const { PermissionType, PermissionLevel } = permissions
 
 const router: Router = new Router()
@@ -269,7 +270,8 @@ router
 
 router.post(
   "/api/v2/views/:viewId/search",
-  authorized(PermissionType.TABLE, PermissionLevel.READ),
+  paramResource("viewId", val => extractViewInfoFromID(val).tableId),
+  authorizedResource(PermissionType.TABLE, PermissionLevel.READ),
   rowController.views.searchView
 )
 

packages/server/src/middleware/authorized.ts

@@ -74,7 +74,8 @@ const checkAuthorizedResource = async (
   }
 }
 
-export default (
+const authorized =
+  (
     permType: PermissionType,
     permLevel?: PermissionLevel,
     opts = { schema: false }
@@ -143,3 +144,14 @@ export default (
     // csrf protection
     return csrf(ctx, next)
   }
+
+export default (
+  permType: PermissionType,
+  permLevel?: PermissionLevel,
+  opts = { schema: false }
+) => authorized(permType, permLevel, opts)
+
+export const authorizedResource = (
+  permType: PermissionType,
+  permLevel?: PermissionLevel
+) => authorized(permType, permLevel)

packages/server/src/middleware/resourceId.ts

@@ -43,6 +43,7 @@ export class ResourceIdGetter {
   }
 }
 
+/** @deprecated we should use the authorizedResource middleware instead */
 export function paramResource(main: string) {
   return new ResourceIdGetter("params").mainResource(main).build()
 }