From 9a15277fa1474dde4f435f189acc992000e3643c Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Thu, 24 Aug 2023 09:11:54 +0200
Subject: [PATCH] Split authorized middleware to handle resource id fetch
---
 packages/server/src/api/routes/row.ts | 6 ++++--
 packages/server/src/middleware/authorized.ts | 14 +++++++++++++-
 packages/server/src/middleware/resourceId.ts | 1 +
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/packages/server/src/api/routes/row.ts b/packages/server/src/api/routes/row.ts
index a4ac8aa3ee..60bc4e0735 100644
--- a/packages/server/src/api/routes/row.ts
+++ b/packages/server/src/api/routes/row.ts
@@ -1,10 +1,11 @@
 import Router from "@koa/router"
 import * as rowController from "../controllers/row"
-import authorized from "../../middleware/authorized"
+import authorized, { authorizedResource } from "../../middleware/authorized"
 import { paramResource, paramSubResource } from "../../middleware/resourceId"
 import { permissions } from "@budibase/backend-core"
 import { internalSearchValidator } from "./utils/validators"
 import trimViewRowInfo from "../../middleware/trimViewRowInfo"
+import { extractViewInfoFromID } from "../../db/utils"
 const { PermissionType, PermissionLevel } = permissions
 const router: Router = new Router()
@@ -269,7 +270,8 @@ router
 router.post(
 "/api/v2/views/:viewId/search",
- authorized(PermissionType.TABLE, PermissionLevel.READ),
+ paramResource("viewId", val => extractViewInfoFromID(val).tableId),
+ authorizedResource(PermissionType.TABLE, PermissionLevel.READ),
 rowController.views.searchView
 )
diff --git a/packages/server/src/middleware/authorized.ts b/packages/server/src/middleware/authorized.ts
index 915344f747..930fb0f0ea 100644
--- a/packages/server/src/middleware/authorized.ts
+++ b/packages/server/src/middleware/authorized.ts
@@ -74,7 +74,8 @@ const checkAuthorizedResource = async (
 }
 }
-export default (
+const authorized =
+ (
 permType: PermissionType,
 permLevel?: PermissionLevel,
 opts = { schema: false }
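Review bot: In the `/api/v2/views/:viewId/search` route, `paramResource("viewId", val => extractViewInfoFromID(val).tableId)` passes a mapper as a second argument, but the `paramResource(main: string)` signature shown in the resourceId.ts hunk of this patch takes one parameter and is not widened here. Unless that happens elsewhere, the mapper is never applied (and the call should not type-check), so the permission check that follows would presumably see the raw view ID rather than the table ID. The getter should accept and apply the transformer, and an ID for which `extractViewInfoFromID` yields no `tableId` should be rejected before `authorizedResource` runs rather than passed on as an empty resource. This patch also marks `paramResource` as `@deprecated` while adding this new call site, so the deprecation text needs revisiting.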
@@ -143,3 +144,14 @@ export default (
 // csrf protection
 return csrf(ctx, next)
 }
+
+export default (
+ permType: PermissionType,
+ permLevel?: PermissionLevel,
+ opts = { schema: false }
+) => authorized(permType, permLevel, opts)
+
+export const authorizedResource = (
+ permType: PermissionType,
+ permLevel?: PermissionLevel
+) => authorized(permType, permLevel)
diff --git a/packages/server/src/middleware/resourceId.ts b/packages/server/src/middleware/resourceId.ts
index 0917941061..1ad0b2a0c1 100644
--- a/packages/server/src/middleware/resourceId.ts
+++ b/packages/server/src/middleware/resourceId.ts
@@ -43,6 +43,7 @@ export class ResourceIdGetter {
 }
 }
+/** @deprecated we should use the authorizedResource middleware instead */
 export function paramResource(main: string) {
 return new ResourceIdGetter("params").mainResource(main).build()
 }
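Review bot: `authorizedResource` as added at the end of authorized.ts is only `authorized(permType, permLevel)`; it takes no resource getter and, as far as this hunk shows, does nothing to require that an earlier middleware put a resource ID on the context. A route that uses it without a resource-ID middleware in front would then get the same check as plain `authorized`, which may be broader than the name suggests; whether that is so depends on the body of `authorized`, which lies outside the hunk. Consider making the wrapper fail closed when no resource ID is present, or at least document the ordering requirement, e.g. `/** Requires a resourceId middleware earlier in the chain; the check is made against that resource. */`. Separately, `export default authorized` would avoid re-declaring the `opts = { schema: false }` default in a second place.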