Merge pull request #14853 from Budibase/fix/role-validation

Role validation - allow permissionId to be optional
This commit is contained in:
Michael Drury 2024-10-23 15:45:50 +01:00 committed by GitHub
commit 9d05f32409
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 104 additions and 60 deletions

View File

@ -1,4 +1,8 @@
import { PermissionLevel, PermissionType } from "@budibase/types" import {
PermissionLevel,
PermissionType,
BuiltinPermissionID,
} from "@budibase/types"
import flatten from "lodash/flatten" import flatten from "lodash/flatten"
import cloneDeep from "lodash/fp/cloneDeep" import cloneDeep from "lodash/fp/cloneDeep"
@ -57,14 +61,6 @@ export function getAllowedLevels(userPermLevel: PermissionLevel): string[] {
} }
} }
export enum BuiltinPermissionID {
PUBLIC = "public",
READ_ONLY = "read_only",
WRITE = "write",
ADMIN = "admin",
POWER = "power",
}
export const BUILTIN_PERMISSIONS: { export const BUILTIN_PERMISSIONS: {
[key in keyof typeof BuiltinPermissionID]: { [key in keyof typeof BuiltinPermissionID]: {
_id: (typeof BuiltinPermissionID)[key] _id: (typeof BuiltinPermissionID)[key]

View File

@ -1,5 +1,4 @@
import semver from "semver" import semver from "semver"
import { BuiltinPermissionID, PermissionLevel } from "./permissions"
import { import {
prefixRoleID, prefixRoleID,
getRoleParams, getRoleParams,
@ -14,6 +13,8 @@ import {
RoleUIMetadata, RoleUIMetadata,
Database, Database,
App, App,
BuiltinPermissionID,
PermissionLevel,
} from "@budibase/types" } from "@budibase/types"
import cloneDeep from "lodash/fp/cloneDeep" import cloneDeep from "lodash/fp/cloneDeep"
import { RoleColor, helpers } from "@budibase/shared-core" import { RoleColor, helpers } from "@budibase/shared-core"
@ -50,7 +51,7 @@ export class Role implements RoleDoc {
_id: string _id: string
_rev?: string _rev?: string
name: string name: string
permissionId: string permissionId: BuiltinPermissionID
inherits?: string | string[] inherits?: string | string[]
version?: string version?: string
permissions: Record<string, PermissionLevel[]> = {} permissions: Record<string, PermissionLevel[]> = {}
@ -59,7 +60,7 @@ export class Role implements RoleDoc {
constructor( constructor(
id: string, id: string,
name: string, name: string,
permissionId: string, permissionId: BuiltinPermissionID,
uiMetadata?: RoleUIMetadata uiMetadata?: RoleUIMetadata
) { ) {
this._id = id this._id = id

View File

@ -1,6 +1,7 @@
import cloneDeep from "lodash/cloneDeep" import cloneDeep from "lodash/cloneDeep"
import * as permissions from "../permissions" import * as permissions from "../permissions"
import { BUILTIN_ROLE_IDS } from "../roles" import { BUILTIN_ROLE_IDS } from "../roles"
import { BuiltinPermissionID } from "@budibase/types"
describe("levelToNumber", () => { describe("levelToNumber", () => {
it("should return 0 for EXECUTE", () => { it("should return 0 for EXECUTE", () => {
@ -77,7 +78,7 @@ describe("doesHaveBasePermission", () => {
const rolesHierarchy = [ const rolesHierarchy = [
{ {
roleId: BUILTIN_ROLE_IDS.ADMIN, roleId: BUILTIN_ROLE_IDS.ADMIN,
permissionId: permissions.BuiltinPermissionID.ADMIN, permissionId: BuiltinPermissionID.ADMIN,
}, },
] ]
expect( expect(
@ -91,7 +92,7 @@ describe("doesHaveBasePermission", () => {
const rolesHierarchy = [ const rolesHierarchy = [
{ {
roleId: BUILTIN_ROLE_IDS.PUBLIC, roleId: BUILTIN_ROLE_IDS.PUBLIC,
permissionId: permissions.BuiltinPermissionID.PUBLIC, permissionId: BuiltinPermissionID.PUBLIC,
}, },
] ]
expect( expect(
@ -129,7 +130,7 @@ describe("getBuiltinPermissions", () => {
describe("getBuiltinPermissionByID", () => { describe("getBuiltinPermissionByID", () => {
it("returns correct permission object for valid ID", () => { it("returns correct permission object for valid ID", () => {
const expectedPermission = { const expectedPermission = {
_id: permissions.BuiltinPermissionID.PUBLIC, _id: BuiltinPermissionID.PUBLIC,
name: "Public", name: "Public",
permissions: [ permissions: [
new permissions.Permission( new permissions.Permission(

View File

@ -18,7 +18,7 @@ import {
UserCtx, UserCtx,
UserMetadata, UserMetadata,
DocumentType, DocumentType,
PermissionLevel, BuiltinPermissionID,
} from "@budibase/types" } from "@budibase/types"
import { RoleColor, sdk as sharedSdk, helpers } from "@budibase/shared-core" import { RoleColor, sdk as sharedSdk, helpers } from "@budibase/shared-core"
import sdk from "../../sdk" import sdk from "../../sdk"
@ -134,7 +134,13 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
} }
// assume write permission level for newly created roles // assume write permission level for newly created roles
if (isCreate && !permissionId) { if (isCreate && !permissionId) {
permissionId = PermissionLevel.WRITE permissionId = BuiltinPermissionID.WRITE
} else if (!permissionId && dbRole?.permissionId) {
permissionId = dbRole.permissionId
}
if (!permissionId) {
ctx.throw(400, "Role requires permissionId to be specified.")
} }
const role = new roles.Role(_id, name, permissionId, { const role = new roles.Role(_id, name, permissionId, {

View File

@ -16,7 +16,7 @@ import * as setup from "./utilities"
import { AppStatus } from "../../../db/utils" import { AppStatus } from "../../../db/utils"
import { events, utils, context, features } from "@budibase/backend-core" import { events, utils, context, features } from "@budibase/backend-core"
import env from "../../../environment" import env from "../../../environment"
import { type App } from "@budibase/types" import { type App, BuiltinPermissionID } from "@budibase/types"
import tk from "timekeeper" import tk from "timekeeper"
import * as uuid from "uuid" import * as uuid from "uuid"
import { structures } from "@budibase/backend-core/tests" import { structures } from "@budibase/backend-core/tests"
@ -80,7 +80,7 @@ describe("/applications", () => {
const role = await config.api.roles.save({ const role = await config.api.roles.save({
name: "Test", name: "Test",
inherits: "PUBLIC", inherits: "PUBLIC",
permissionId: "read_only", permissionId: BuiltinPermissionID.READ_ONLY,
version: "name", version: "name",
}) })
@ -112,7 +112,7 @@ describe("/applications", () => {
const role = await config.api.roles.save({ const role = await config.api.roles.save({
name: roleName, name: roleName,
inherits: "PUBLIC", inherits: "PUBLIC",
permissionId: "read_only", permissionId: BuiltinPermissionID.READ_ONLY,
version: "name", version: "name",
}) })

View File

@ -1,5 +1,12 @@
import { roles } from "@budibase/backend-core" import { roles } from "@budibase/backend-core"
import { Document, PermissionLevel, Role, Row, Table } from "@budibase/types" import {
BuiltinPermissionID,
Document,
PermissionLevel,
Role,
Row,
Table,
} from "@budibase/types"
import * as setup from "./utilities" import * as setup from "./utilities"
import { generator, mocks } from "@budibase/backend-core/tests" import { generator, mocks } from "@budibase/backend-core/tests"
@ -304,7 +311,7 @@ describe("/permission", () => {
role1 = await config.api.roles.save( role1 = await config.api.roles.save(
{ {
name: "test_1", name: "test_1",
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
inherits: BUILTIN_ROLE_IDS.BASIC, inherits: BUILTIN_ROLE_IDS.BASIC,
}, },
{ status: 200 } { status: 200 }
@ -312,7 +319,7 @@ describe("/permission", () => {
role2 = await config.api.roles.save( role2 = await config.api.roles.save(
{ {
name: "test_2", name: "test_2",
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
inherits: BUILTIN_ROLE_IDS.BASIC, inherits: BUILTIN_ROLE_IDS.BASIC,
}, },
{ status: 200 } { status: 200 }
@ -345,7 +352,7 @@ describe("/permission", () => {
it("should be able to fetch two tables, with different roles, using multi-inheritance", async () => { it("should be able to fetch two tables, with different roles, using multi-inheritance", async () => {
const role3 = await config.api.roles.save({ const role3 = await config.api.roles.save({
name: "role3", name: "role3",
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
inherits: [role1._id!, role2._id!], inherits: [role1._id!, role2._id!],
}) })

View File

@ -1,15 +1,9 @@
import { import { roles, events, db as dbCore } from "@budibase/backend-core"
roles,
events,
permissions,
db as dbCore,
} from "@budibase/backend-core"
import * as setup from "./utilities" import * as setup from "./utilities"
import { PermissionLevel } from "@budibase/types" import { PermissionLevel, BuiltinPermissionID } from "@budibase/types"
const { basicRole } = setup.structures const { basicRole } = setup.structures
const { BUILTIN_ROLE_IDS } = roles const { BUILTIN_ROLE_IDS } = roles
const { BuiltinPermissionID } = permissions
const LOOP_ERROR = "Role inheritance contains a loop, this is not supported" const LOOP_ERROR = "Role inheritance contains a loop, this is not supported"
@ -58,6 +52,19 @@ describe("/roles", () => {
}) })
expect(res.inherits).toEqual([BUILTIN_ROLE_IDS.BASIC]) expect(res.inherits).toEqual([BUILTIN_ROLE_IDS.BASIC])
}) })
it("save role without permissionId", async () => {
const res = await config.api.roles.save(
{
...basicRole(),
permissionId: undefined,
},
{
status: 200,
}
)
expect(res.permissionId).toEqual(PermissionLevel.WRITE)
})
}) })
describe("update", () => { describe("update", () => {
@ -149,7 +156,7 @@ describe("/roles", () => {
_id: id1, _id: id1,
name: id1, name: id1,
permissions: {}, permissions: {},
permissionId: "write", permissionId: BuiltinPermissionID.WRITE,
version: "name", version: "name",
inherits: ["POWER"], inherits: ["POWER"],
}) })
@ -157,7 +164,7 @@ describe("/roles", () => {
_id: id2, _id: id2,
permissions: {}, permissions: {},
name: id2, name: id2,
permissionId: "write", permissionId: BuiltinPermissionID.WRITE,
version: "name", version: "name",
inherits: [id1], inherits: [id1],
}) })
@ -176,10 +183,25 @@ describe("/roles", () => {
inherits: [BUILTIN_ROLE_IDS.ADMIN], inherits: [BUILTIN_ROLE_IDS.ADMIN],
}) })
// remove the roles so that it will default back to DB roles, then save again // remove the roles so that it will default back to DB roles, then save again
delete res.inherits const updatedRes = await config.api.roles.save({
const updatedRes = await config.api.roles.save(res) ...res,
inherits: undefined,
})
expect(updatedRes.inherits).toEqual([BUILTIN_ROLE_IDS.ADMIN]) expect(updatedRes.inherits).toEqual([BUILTIN_ROLE_IDS.ADMIN])
}) })
it("handle updating a role, without its permissionId", async () => {
const res = await config.api.roles.save({
...basicRole(),
permissionId: BuiltinPermissionID.READ_ONLY,
})
// permission ID can be removed during update
const updatedRes = await config.api.roles.save({
...res,
permissionId: undefined,
})
expect(updatedRes.permissionId).toEqual(BuiltinPermissionID.READ_ONLY)
})
}) })
describe("fetch", () => { describe("fetch", () => {
@ -210,9 +232,7 @@ describe("/roles", () => {
const customRoleFetched = res.find(r => r._id === customRole.name) const customRoleFetched = res.find(r => r._id === customRole.name)
expect(customRoleFetched).toBeDefined() expect(customRoleFetched).toBeDefined()
expect(customRoleFetched!.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC) expect(customRoleFetched!.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
expect(customRoleFetched!.permissionId).toEqual( expect(customRoleFetched!.permissionId).toEqual(BuiltinPermissionID.WRITE)
BuiltinPermissionID.READ_ONLY
)
}) })
it("should be able to get the role with a permission added", async () => { it("should be able to get the role with a permission added", async () => {
@ -316,7 +336,7 @@ describe("/roles", () => {
await config.api.roles.save({ await config.api.roles.save({
name: customRoleName, name: customRoleName,
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.READ_ONLY, permissionId: BuiltinPermissionID.READ_ONLY,
version: "name", version: "name",
}) })
await config.withHeaders( await config.withHeaders(
@ -356,19 +376,19 @@ describe("/roles", () => {
const { _id: roleId1 } = await config.api.roles.save({ const { _id: roleId1 } = await config.api.roles.save({
name: role1, name: role1,
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.WRITE, permissionId: BuiltinPermissionID.WRITE,
version: "name", version: "name",
}) })
const { _id: roleId2 } = await config.api.roles.save({ const { _id: roleId2 } = await config.api.roles.save({
name: role2, name: role2,
inherits: roles.BUILTIN_ROLE_IDS.POWER, inherits: roles.BUILTIN_ROLE_IDS.POWER,
permissionId: permissions.BuiltinPermissionID.POWER, permissionId: BuiltinPermissionID.POWER,
version: "name", version: "name",
}) })
await config.api.roles.save({ await config.api.roles.save({
name: role3, name: role3,
inherits: [roleId1!, roleId2!], inherits: [roleId1!, roleId2!],
permissionId: permissions.BuiltinPermissionID.READ_ONLY, permissionId: BuiltinPermissionID.READ_ONLY,
version: "name", version: "name",
}) })
const headers = await config.roleHeaders({ const headers = await config.roleHeaders({

View File

@ -1,7 +1,7 @@
import { checkBuilderEndpoint } from "./utilities/TestFunctions" import { checkBuilderEndpoint } from "./utilities/TestFunctions"
import * as setup from "./utilities" import * as setup from "./utilities"
import { events, roles } from "@budibase/backend-core" import { events, roles } from "@budibase/backend-core"
import { Screen, PermissionLevel, Role } from "@budibase/types" import { Screen, Role, BuiltinPermissionID } from "@budibase/types"
const { basicScreen } = setup.structures const { basicScreen } = setup.structures
@ -40,17 +40,17 @@ describe("/screens", () => {
role1 = await config.api.roles.save({ role1 = await config.api.roles.save({
name: "role1", name: "role1",
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
}) })
role2 = await config.api.roles.save({ role2 = await config.api.roles.save({
name: "role2", name: "role2",
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
}) })
multiRole = await config.api.roles.save({ multiRole = await config.api.roles.save({
name: "multiRole", name: "multiRole",
inherits: [role1._id!, role2._id!], inherits: [role1._id!, role2._id!],
permissionId: PermissionLevel.WRITE, permissionId: BuiltinPermissionID.WRITE,
}) })
screen1 = await config.api.screen.save( screen1 = await config.api.screen.save(
{ {

View File

@ -8,6 +8,7 @@ import {
SearchFilters, SearchFilters,
Table, Table,
WebhookActionType, WebhookActionType,
BuiltinPermissionID,
} from "@budibase/types" } from "@budibase/types"
import Joi, { CustomValidator } from "joi" import Joi, { CustomValidator } from "joi"
import { ValidSnippetNameRegex, helpers } from "@budibase/shared-core" import { ValidSnippetNameRegex, helpers } from "@budibase/shared-core"
@ -214,8 +215,8 @@ export function roleValidator() {
}).optional(), }).optional(),
// this is the base permission ID (for now a built in) // this is the base permission ID (for now a built in)
permissionId: Joi.string() permissionId: Joi.string()
.valid(...Object.values(permissions.BuiltinPermissionID)) .valid(...Object.values(BuiltinPermissionID))
.required(), .optional(),
permissions: Joi.object() permissions: Joi.object()
.pattern( .pattern(
/.*/, /.*/,

View File

@ -1,4 +1,4 @@
import { permissions, roles, utils } from "@budibase/backend-core" import { roles, utils } from "@budibase/backend-core"
import { createHomeScreen } from "../../constants/screens" import { createHomeScreen } from "../../constants/screens"
import { EMPTY_LAYOUT } from "../../constants/layouts" import { EMPTY_LAYOUT } from "../../constants/layouts"
import { cloneDeep } from "lodash/fp" import { cloneDeep } from "lodash/fp"
@ -33,6 +33,7 @@ import {
TableSourceType, TableSourceType,
Webhook, Webhook,
WebhookActionType, WebhookActionType,
BuiltinPermissionID,
} from "@budibase/types" } from "@budibase/types"
import { LoopInput } from "../../definitions/automations" import { LoopInput } from "../../definitions/automations"
import { merge } from "lodash" import { merge } from "lodash"
@ -515,7 +516,7 @@ export function basicRole(): Role {
return { return {
name: `NewRole_${utils.newid()}`, name: `NewRole_${utils.newid()}`,
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.READ_ONLY, permissionId: BuiltinPermissionID.WRITE,
permissions: {}, permissions: {},
version: "name", version: "name",
} }

View File

@ -1,5 +1,5 @@
import { checkForRoleInheritanceLoops } from "../roles" import { checkForRoleInheritanceLoops } from "../roles"
import { Role } from "@budibase/types" import { BuiltinPermissionID, Role } from "@budibase/types"
/** /**
* This unit test exists as this utility will be used in the frontend and backend, confirmation * This unit test exists as this utility will be used in the frontend and backend, confirmation
@ -19,7 +19,7 @@ function role(id: string, inherits: string | string[]): TestRole {
_id: id, _id: id,
inherits: inherits, inherits: inherits,
name: "ROLE", name: "ROLE",
permissionId: "PERMISSION", permissionId: BuiltinPermissionID.WRITE,
permissions: {}, // not needed for this test permissions: {}, // not needed for this test
} }
allRoles.push(role) allRoles.push(role)

View File

@ -1,12 +1,12 @@
import { Role, RoleUIMetadata } from "../../documents" import { Role, RoleUIMetadata } from "../../documents"
import { PermissionLevel } from "../../sdk" import { PermissionLevel, BuiltinPermissionID } from "../../sdk"
export interface SaveRoleRequest { export interface SaveRoleRequest {
_id?: string _id?: string
_rev?: string _rev?: string
name: string name: string
inherits?: string | string[] inherits?: string | string[]
permissionId: string permissionId?: BuiltinPermissionID
permissions?: Record<string, PermissionLevel[]> permissions?: Record<string, PermissionLevel[]>
version?: string version?: string
uiMetadata?: RoleUIMetadata uiMetadata?: RoleUIMetadata

View File

@ -1,5 +1,5 @@
import { Document } from "../document" import { Document } from "../document"
import { PermissionLevel } from "../../sdk" import { PermissionLevel, BuiltinPermissionID } from "../../sdk"
export interface RoleUIMetadata { export interface RoleUIMetadata {
displayName?: string displayName?: string
@ -8,7 +8,7 @@ export interface RoleUIMetadata {
} }
export interface Role extends Document { export interface Role extends Document {
permissionId: string permissionId: BuiltinPermissionID
inherits?: string | string[] inherits?: string | string[]
permissions: Record<string, PermissionLevel[]> permissions: Record<string, PermissionLevel[]>
version?: string version?: string

View File

@ -1,3 +1,5 @@
// used in resource permissions - permissions can be at one of these levels
// endpoints will set what type of permission they require (e.g. searching requires READ)
export enum PermissionLevel { export enum PermissionLevel {
READ = "read", READ = "read",
WRITE = "write", WRITE = "write",
@ -5,6 +7,15 @@ export enum PermissionLevel {
ADMIN = "admin", ADMIN = "admin",
} }
// used within the role, specifies base permissions
export enum BuiltinPermissionID {
PUBLIC = "public",
READ_ONLY = "read_only",
WRITE = "write",
ADMIN = "admin",
POWER = "power",
}
// these are the global types, that govern the underlying default behaviour // these are the global types, that govern the underlying default behaviour
export enum PermissionType { export enum PermissionType {
APP = "app", APP = "app",

View File

@ -1,6 +1,6 @@
import { structures, TestConfiguration } from "../../../../tests" import { structures, TestConfiguration } from "../../../../tests"
import { context, db, permissions, roles } from "@budibase/backend-core" import { context, db, roles } from "@budibase/backend-core"
import { App, Database } from "@budibase/types" import { App, Database, BuiltinPermissionID } from "@budibase/types"
jest.mock("@budibase/backend-core", () => { jest.mock("@budibase/backend-core", () => {
const core = jest.requireActual("@budibase/backend-core") const core = jest.requireActual("@budibase/backend-core")
@ -44,7 +44,7 @@ describe("/api/global/roles", () => {
const role = new roles.Role( const role = new roles.Role(
db.generateRoleID(ROLE_NAME), db.generateRoleID(ROLE_NAME),
ROLE_NAME, ROLE_NAME,
permissions.BuiltinPermissionID.READ_ONLY, BuiltinPermissionID.READ_ONLY,
{ displayName: roles.BUILTIN_ROLE_IDS.BASIC } { displayName: roles.BUILTIN_ROLE_IDS.BASIC }
) )