Removing the ability to set roles, builder and admin structure through basic public API.

This commit is contained in:
mike12345567 2023-08-04 15:43:02 +01:00
parent 13ae01bcf4
commit a2667c6d72
6 changed files with 60 additions and 51 deletions

View File

@ -3,6 +3,8 @@ import { search as stringSearch, addRev } from "./utils"
import * as controller from "../application" import * as controller from "../application"
import * as deployController from "../deploy" import * as deployController from "../deploy"
import { Application } from "../../../definitions/common" import { Application } from "../../../definitions/common"
import { UserCtx } from "@budibase/types"
import { Next } from "koa"
function fixAppID(app: Application, params: any) { function fixAppID(app: Application, params: any) {
if (!params) { if (!params) {
@ -14,7 +16,7 @@ function fixAppID(app: Application, params: any) {
return app return app
} }
async function setResponseApp(ctx: any) { async function setResponseApp(ctx: UserCtx) {
const appId = ctx.body?.appId const appId = ctx.body?.appId
if (appId && (!ctx.params || !ctx.params.appId)) { if (appId && (!ctx.params || !ctx.params.appId)) {
ctx.params = { appId } ctx.params = { appId }
@ -28,14 +30,14 @@ async function setResponseApp(ctx: any) {
} }
} }
export async function search(ctx: any, next: any) { export async function search(ctx: UserCtx, next: Next) {
const { name } = ctx.request.body const { name } = ctx.request.body
const apps = await dbCore.getAllApps({ all: true }) const apps = await dbCore.getAllApps({ all: true })
ctx.body = stringSearch(apps, name) ctx.body = stringSearch(apps, name)
await next() await next()
} }
export async function create(ctx: any, next: any) { export async function create(ctx: UserCtx, next: Next) {
if (!ctx.request.body || !ctx.request.body.useTemplate) { if (!ctx.request.body || !ctx.request.body.useTemplate) {
ctx.request.body = { ctx.request.body = {
useTemplate: false, useTemplate: false,
@ -47,14 +49,14 @@ export async function create(ctx: any, next: any) {
await next() await next()
} }
export async function read(ctx: any, next: any) { export async function read(ctx: UserCtx, next: Next) {
await context.doInAppContext(ctx.params.appId, async () => { await context.doInAppContext(ctx.params.appId, async () => {
await setResponseApp(ctx) await setResponseApp(ctx)
await next() await next()
}) })
} }
export async function update(ctx: any, next: any) { export async function update(ctx: UserCtx, next: Next) {
ctx.request.body = await addRev(fixAppID(ctx.request.body, ctx.params)) ctx.request.body = await addRev(fixAppID(ctx.request.body, ctx.params))
await context.doInAppContext(ctx.params.appId, async () => { await context.doInAppContext(ctx.params.appId, async () => {
await controller.update(ctx) await controller.update(ctx)
@ -63,7 +65,7 @@ export async function update(ctx: any, next: any) {
}) })
} }
export async function destroy(ctx: any, next: any) { export async function destroy(ctx: UserCtx, next: Next) {
await context.doInAppContext(ctx.params.appId, async () => { await context.doInAppContext(ctx.params.appId, async () => {
// get the app before deleting it // get the app before deleting it
await setResponseApp(ctx) await setResponseApp(ctx)
@ -75,14 +77,14 @@ export async function destroy(ctx: any, next: any) {
}) })
} }
export async function unpublish(ctx: any, next: any) { export async function unpublish(ctx: UserCtx, next: Next) {
await context.doInAppContext(ctx.params.appId, async () => { await context.doInAppContext(ctx.params.appId, async () => {
await controller.unpublish(ctx) await controller.unpublish(ctx)
await next() await next()
}) })
} }
export async function publish(ctx: any, next: any) { export async function publish(ctx: UserCtx, next: Next) {
await context.doInAppContext(ctx.params.appId, async () => { await context.doInAppContext(ctx.params.appId, async () => {
await deployController.publishApp(ctx) await deployController.publishApp(ctx)
await next() await next()

View File

@ -1,14 +1,16 @@
import { search as stringSearch } from "./utils" import { search as stringSearch } from "./utils"
import * as queryController from "../query" import * as queryController from "../query"
import { UserCtx } from "@budibase/types"
import { Next } from "koa"
export async function search(ctx: any, next: any) { export async function search(ctx: UserCtx, next: Next) {
await queryController.fetch(ctx) await queryController.fetch(ctx)
const { name } = ctx.request.body const { name } = ctx.request.body
ctx.body = stringSearch(ctx.body, name) ctx.body = stringSearch(ctx.body, name)
await next() await next()
} }
export async function execute(ctx: any, next: any) { export async function execute(ctx: UserCtx, next: Next) {
// don't wrap this, already returns "data" // don't wrap this, already returns "data"
await queryController.executeV2(ctx) await queryController.executeV2(ctx)
await next() await next()

View File

@ -1,7 +1,8 @@
import * as rowController from "../row" import * as rowController from "../row"
import { addRev } from "./utils" import { addRev } from "./utils"
import { Row } from "@budibase/types" import { Row, UserCtx } from "@budibase/types"
import { convertBookmark } from "../../../utilities" import { convertBookmark } from "../../../utilities"
import { Next } from "koa"
// makes sure that the user doesn't need to pass in the type, tableId or _id params for // makes sure that the user doesn't need to pass in the type, tableId or _id params for
// the call to be correct // the call to be correct
@ -21,7 +22,7 @@ export function fixRow(row: Row, params: any) {
return row return row
} }
export async function search(ctx: any, next: any) { export async function search(ctx: UserCtx, next: Next) {
let { sort, paginate, bookmark, limit, query } = ctx.request.body let { sort, paginate, bookmark, limit, query } = ctx.request.body
// update the body to the correct format of the internal search // update the body to the correct format of the internal search
if (!sort) { if (!sort) {
@ -40,25 +41,25 @@ export async function search(ctx: any, next: any) {
await next() await next()
} }
export async function create(ctx: any, next: any) { export async function create(ctx: UserCtx, next: Next) {
ctx.request.body = fixRow(ctx.request.body, ctx.params) ctx.request.body = fixRow(ctx.request.body, ctx.params)
await rowController.save(ctx) await rowController.save(ctx)
await next() await next()
} }
export async function read(ctx: any, next: any) { export async function read(ctx: UserCtx, next: Next) {
await rowController.fetchEnrichedRow(ctx) await rowController.fetchEnrichedRow(ctx)
await next() await next()
} }
export async function update(ctx: any, next: any) { export async function update(ctx: UserCtx, next: Next) {
const { tableId } = ctx.params const { tableId } = ctx.params
ctx.request.body = await addRev(fixRow(ctx.request.body, ctx.params), tableId) ctx.request.body = await addRev(fixRow(ctx.request.body, ctx.params), tableId)
await rowController.save(ctx) await rowController.save(ctx)
await next() await next()
} }
export async function destroy(ctx: any, next: any) { export async function destroy(ctx: UserCtx, next: Next) {
const { tableId } = ctx.params const { tableId } = ctx.params
// set the body as expected, with the _id and _rev fields // set the body as expected, with the _id and _rev fields
ctx.request.body = await addRev( ctx.request.body = await addRev(

View File

@ -1,6 +1,7 @@
import { search as stringSearch, addRev } from "./utils" import { search as stringSearch, addRev } from "./utils"
import * as controller from "../table" import * as controller from "../table"
import { Table } from "@budibase/types" import { Table, UserCtx } from "@budibase/types"
import { Next } from "koa"
function fixTable(table: Table, params: any) { function fixTable(table: Table, params: any) {
if (!params || !table) { if (!params || !table) {
@ -15,24 +16,24 @@ function fixTable(table: Table, params: any) {
return table return table
} }
export async function search(ctx: any, next: any) { export async function search(ctx: UserCtx, next: Next) {
const { name } = ctx.request.body const { name } = ctx.request.body
await controller.fetch(ctx) await controller.fetch(ctx)
ctx.body = stringSearch(ctx.body, name) ctx.body = stringSearch(ctx.body, name)
await next() await next()
} }
export async function create(ctx: any, next: any) { export async function create(ctx: UserCtx, next: Next) {
await controller.save(ctx) await controller.save(ctx)
await next() await next()
} }
export async function read(ctx: any, next: any) { export async function read(ctx: UserCtx, next: Next) {
await controller.find(ctx) await controller.find(ctx)
await next() await next()
} }
export async function update(ctx: any, next: any) { export async function update(ctx: UserCtx, next: Next) {
ctx.request.body = await addRev( ctx.request.body = await addRev(
fixTable(ctx.request.body, ctx.params), fixTable(ctx.request.body, ctx.params),
ctx.params.tableId ctx.params.tableId
@ -41,7 +42,7 @@ export async function update(ctx: any, next: any) {
await next() await next()
} }
export async function destroy(ctx: any, next: any) { export async function destroy(ctx: UserCtx, next: Next) {
await controller.destroy(ctx) await controller.destroy(ctx)
ctx.body = ctx.table ctx.body = ctx.table
await next() await next()

View File

@ -7,16 +7,32 @@ import {
import { publicApiUserFix } from "../../../utilities/users" import { publicApiUserFix } from "../../../utilities/users"
import { db as dbCore } from "@budibase/backend-core" import { db as dbCore } from "@budibase/backend-core"
import { search as stringSearch } from "./utils" import { search as stringSearch } from "./utils"
import { BBContext, User } from "@budibase/types" import { UserCtx, User } from "@budibase/types"
import { Next } from "koa"
function isLoggedInUser(ctx: BBContext, user: User) { function removeRoles(ctx: UserCtx, oldUser?: User) {
const user = ctx.request.body
if (user.builder) {
user.builder = oldUser?.builder || undefined
}
if (user.admin) {
user.admin = oldUser?.admin || undefined
}
if (user.roles) {
user.roles = oldUser?.roles || {}
}
ctx.request.body = user
return ctx
}
function isLoggedInUser(ctx: UserCtx, user: User) {
const loggedInId = ctx.user?._id const loggedInId = ctx.user?._id
const globalUserId = dbCore.getGlobalIDFromUserMetadataID(loggedInId!) const globalUserId = dbCore.getGlobalIDFromUserMetadataID(loggedInId!)
// check both just incase // check both just incase
return globalUserId === user._id || loggedInId === user._id return globalUserId === user._id || loggedInId === user._id
} }
function getUser(ctx: BBContext, userId?: string) { function getUser(ctx: UserCtx, userId?: string) {
if (userId) { if (userId) {
ctx.params = { userId } ctx.params = { userId }
} else if (!ctx.params?.userId) { } else if (!ctx.params?.userId) {
@ -25,42 +41,38 @@ function getUser(ctx: BBContext, userId?: string) {
return readGlobalUser(ctx) return readGlobalUser(ctx)
} }
export async function search(ctx: BBContext, next: any) { export async function search(ctx: UserCtx, next: Next) {
const { name } = ctx.request.body const { name } = ctx.request.body
const users = await allGlobalUsers(ctx) const users = await allGlobalUsers(ctx)
ctx.body = stringSearch(users, name, "email") ctx.body = stringSearch(users, name, "email")
await next() await next()
} }
export async function create(ctx: BBContext, next: any) { export async function create(ctx: UserCtx, next: Next) {
const response = await saveGlobalUser(publicApiUserFix(ctx)) ctx = publicApiUserFix(removeRoles(ctx))
const response = await saveGlobalUser(ctx)
ctx.body = await getUser(ctx, response._id) ctx.body = await getUser(ctx, response._id)
await next() await next()
} }
export async function read(ctx: BBContext, next: any) { export async function read(ctx: UserCtx, next: Next) {
ctx.body = await readGlobalUser(ctx) ctx.body = await readGlobalUser(ctx)
await next() await next()
} }
export async function update(ctx: BBContext, next: any) { export async function update(ctx: UserCtx, next: Next) {
const user = await readGlobalUser(ctx) const user = await readGlobalUser(ctx)
ctx.request.body = { ctx.request.body = {
...ctx.request.body, ...ctx.request.body,
_rev: user._rev, _rev: user._rev,
} }
// disallow updating your own role - always overwrite with DB roles ctx = publicApiUserFix(removeRoles(ctx, user))
if (isLoggedInUser(ctx, user)) { const response = await saveGlobalUser(ctx)
ctx.request.body.builder = user.builder
ctx.request.body.admin = user.admin
ctx.request.body.roles = user.roles
}
const response = await saveGlobalUser(publicApiUserFix(ctx))
ctx.body = await getUser(ctx, response._id) ctx.body = await getUser(ctx, response._id)
await next() await next()
} }
export async function destroy(ctx: BBContext, next: any) { export async function destroy(ctx: UserCtx, next: Next) {
const user = await getUser(ctx) const user = await getUser(ctx)
// disallow deleting yourself // disallow deleting yourself
if (isLoggedInUser(ctx, user)) { if (isLoggedInUser(ctx, user)) {

View File

@ -1,9 +1,9 @@
import { InternalTables } from "../db/utils" import { InternalTables } from "../db/utils"
import { getGlobalUser } from "./global" import { getGlobalUser } from "./global"
import { context, db as dbCore, roles } from "@budibase/backend-core" import { context, roles } from "@budibase/backend-core"
import { BBContext } from "@budibase/types" import { UserCtx } from "@budibase/types"
export async function getFullUser(ctx: BBContext, userId: string) { export async function getFullUser(ctx: UserCtx, userId: string) {
const global = await getGlobalUser(userId) const global = await getGlobalUser(userId)
let metadata: any = {} let metadata: any = {}
@ -29,21 +29,12 @@ export async function getFullUser(ctx: BBContext, userId: string) {
} }
} }
export function publicApiUserFix(ctx: BBContext) { export function publicApiUserFix(ctx: UserCtx) {
if (!ctx.request.body) { if (!ctx.request.body) {
return ctx return ctx
} }
if (!ctx.request.body._id && ctx.params.userId) { if (!ctx.request.body._id && ctx.params.userId) {
ctx.request.body._id = ctx.params.userId ctx.request.body._id = ctx.params.userId
} }
if (!ctx.request.body.roles) {
ctx.request.body.roles = {}
} else {
const newRoles: { [key: string]: any } = {}
for (let [appId, role] of Object.entries(ctx.request.body.roles)) {
newRoles[dbCore.getProdAppID(appId)] = role
}
ctx.request.body.roles = newRoles
}
return ctx return ctx
} }