Merge branch 'spectrum-bbui' of github.com:Budibase/budibase into spectrum-bbui

packages/server/src/api/controllers/search/index.js

@@ -3,14 +3,15 @@ const { QueryBuilder, buildSearchUrl, search } = require("./utils")
 exports.rowSearch = async ctx => {
   // this can't be done through pouch, have to reach for trusty node-fetch
   const appId = ctx.user.appId
-  const bookmark = ctx.params.bookmark
+  const { tableId } = ctx.params
+  const { bookmark, query, raw } = ctx.request.body
   let url
-  if (ctx.params.query) {
+  if (query) {
-    url = new QueryBuilder(appId, ctx.params.query, bookmark).complete()
+    url = new QueryBuilder(appId, query, bookmark).addTable(tableId).complete()
-  } else if (ctx.params.raw) {
+  } else if (raw) {
     url = buildSearchUrl({
       appId,
-      query: ctx.params.raw,
+      query: raw,
       bookmark,
     })
   }

packages/server/src/api/routes/auth.js

@@ -4,6 +4,7 @@ const controller = require("../controllers/auth")
 const router = Router()
 
 router.post("/api/authenticate", controller.authenticate)
+// doesn't need authorization as can only fetch info about self
 router.get("/api/self", controller.fetchSelf)
 
 module.exports = router

packages/server/src/api/routes/search.js

@@ -1,8 +1,19 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/search")
+const {
+  PermissionTypes,
+  PermissionLevels,
+} = require("../../utilities/security/permissions")
+const authorized = require("../../middleware/authorized")
+const { paramResource } = require("../../middleware/resourceId")
 
 const router = Router()
 
-router.get("/api/search/rows", controller.rowSearch)
+router.post(
+  "/api/search/:tableId/rows",
+  paramResource("tableId"),
+  authorized(PermissionTypes.TABLE, PermissionLevels.READ),
+  controller.rowSearch
+)
 
 module.exports = router

packages/server/src/api/routes/static.js

@@ -2,7 +2,11 @@ const Router = require("@koa/router")
 const controller = require("../controllers/static")
 const { budibaseTempDir } = require("../../utilities/budibaseDir")
 const authorized = require("../../middleware/authorized")
-const { BUILDER } = require("../../utilities/security/permissions")
+const {
+  BUILDER,
+  PermissionTypes,
+  PermissionLevels,
+} = require("../../utilities/security/permissions")
 const usage = require("../../middleware/usageQuota")
 const env = require("../../environment")
 
@@ -34,8 +38,14 @@ router
   // TODO: for now this builder endpoint is not authorized/secured, will need to be
   .get("/builder/:file*", controller.serveBuilder)
   .post("/api/attachments/process", authorized(BUILDER), controller.uploadFile)
-  .post("/api/attachments/upload", usage, controller.uploadFile)
+  .post(
+    "/api/attachments/upload",
+    authorized(PermissionTypes.TABLE, PermissionLevels.WRITE),
+    usage,
+    controller.uploadFile
+  )
   .get("/componentlibrary", controller.serveComponentLibrary)
+  // TODO: this likely needs to be secured in some way
   .get("/:appId/:path*", controller.serveApp)
 
 module.exports = router

packages/server/src/middleware/authorized.js

@@ -39,7 +39,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
   }
 
   const role = ctx.user.role
-  const isBuilder = role._id === BUILTIN_ROLE_IDS.BUILDER
   const isAdmin = ADMIN_ROLES.includes(role._id)
   const isAuthed = ctx.auth.authenticated