Formatting and adding routing checks to push the user out of admin menus when they are not an admin.

This commit is contained in:
mike12345567 2021-05-21 17:12:25 +01:00
parent 3c650fad56
commit a39b633c90
9 changed files with 50 additions and 10 deletions


@ -1,5 +1,12 @@
<script> <script>
import { redirect } from "@roxi/routify"
import { Page } from "@budibase/bbui" import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script> </script>
<Page> <Page>
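Review bot: The guard `if (!$auth.isAdmin)` runs once when the component script executes, and the derived store changed in this same commit reports `isAdmin = false` whenever `$user` is still `null`, so if the current user has not finished loading when this page mounts an admin is bounced out too, and a user whose flag changes later is never re-checked. A reactive statement avoids both, `$: if ($auth.user && !$auth.isAdmin) $redirect("../../../portal")` — confirm against wherever the store's user fetch is awaited, which is outside this hunk. This is a navigation convenience rather than an authorization boundary; the server-side `adminOnly` middleware on the admin routes is the control that matters, and the comment should say so: `// UX only: admin pages; the server enforces adminOnly on the API`.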


@ -1,5 +1,12 @@
<script> <script>
import { email } from "stores/portal" import { redirect } from "@roxi/routify"
import { auth, email } from "stores/portal"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
email.templates.fetch() email.templates.fetch()
</script> </script>
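Review bot: `email.templates.fetch()` still runs for a non-admin, because `$redirect(...)` does not stop the script, so the page issues the templates request before navigating away and that request is presumably rejected by the server. Putting the fetch in the other branch avoids the wasted call and any error notification it might raise: `if (!$auth.isAdmin) { $redirect("../../../portal") } else { email.templates.fetch() }`. Whether a rejected fetch surfaces to the user depends on the store implementation, which is not in this hunk.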


@ -129,10 +129,10 @@
<div class="field"> <div class="field">
<Label size="L">Administration access</Label> <Label size="L">Administration access</Label>
<Toggle <Toggle
text="" text=""
value={$userFetch?.data?.admin?.global} value={$userFetch?.data?.admin?.global}
on:change={toggleAdminAccess} on:change={toggleAdminAccess}
disabled={toggleDisabled} disabled={toggleDisabled}
/> />
</div> </div>
{/if} {/if}


@ -1,5 +1,12 @@
<script> <script>
import { Page } from "@budibase/bbui" import { Page } from "@budibase/bbui"
import { auth } from "../../../../../stores/portal"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../../portal")
}
</script> </script>
<Page> <Page>
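Review bot: This is the third page in the commit carrying an identical copy of the `if (!$auth.isAdmin) $redirect(...)` guard, each with a relative path tuned per file, so the next page added under this admin directory is unprotected unless its author remembers to paste it in. If routify layouts are in use here (the `@roxi/routify` import suggests they are), a single `_layout.svelte` in the admin route directory holding the same check covers every child page and keeps one redirect target. The per-page copies could then be dropped, leaving a one-line comment on the layout: `// admin-only subtree: non-admins are sent back to the portal`.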


@ -1,4 +1,4 @@
<script> <script>
import { goto } from "@roxi/routify" import { goto } from "@roxi/routify"
$goto("./general") $goto("./organisation")
</script> </script>


@ -11,10 +11,16 @@
Dropzone, Dropzone,
notifications, notifications,
} from "@budibase/bbui" } from "@budibase/bbui"
import { organisation } from "stores/portal" import { auth, organisation } from "stores/portal"
import { post } from "builderStore/api" import { post } from "builderStore/api"
import analytics from "analytics" import analytics from "analytics"
import { writable } from "svelte/store" import { writable } from "svelte/store"
import { redirect } from "@roxi/routify"
// only admins allowed here
if (!$auth.isAdmin) {
$redirect("../../portal")
}
const values = writable({ const values = writable({
analytics: !analytics.disabled(), analytics: !analytics.disabled(),
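Review bot: The redirect target is `../../portal` here but `../../../portal` in the other three pages of this commit; that is only consistent if this page sits one level shallower in the route tree, which cannot be confirmed from the hunk, and a mismatch sends the user to a non-existent route rather than out of the admin area. An absolute portal route, if `$redirect` accepts one, would remove the per-file guesswork. Note also that the guard sits after the imports but the rest of the script — the `values` store and whatever follows below the hunk — still initialises for non-admins; harmless if it is only local state, worth checking if anything further down issues requests.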


@ -5,19 +5,27 @@ export function createAuthStore() {
const user = writable(null) const user = writable(null)
const store = derived(user, $user => { const store = derived(user, $user => {
let initials = null let initials = null
let isAdmin = false
let isBuilder = false
if ($user) { if ($user) {
if ($user.firstName) { if ($user.firstName) {
initials = $user.firstName[0] initials = $user.firstName[0]
if ($user.lastName) { if ($user.lastName) {
initials += $user.lastName[0] initials += $user.lastName[0]
} }
} else { } else if ($user.email) {
initials = $user.email[0] initials = $user.email[0]
} else {
initials = "Unknown"
} }
isAdmin = !!$user.admin?.global
isBuilder = !!$user.builder?.global
} }
return { return {
user: $user, user: $user,
initials, initials,
isAdmin,
isBuilder,
} }
}) })
@ -29,6 +37,7 @@ export function createAuthStore() {
user.set(null) user.set(null)
} else { } else {
const json = await response.json() const json = await response.json()
console.log(json)
user.set(json) user.set(json)
} }
}, },
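Review bot: `console.log(json)` on the new side dumps the full response of the user-self fetch — email, name, the `admin`/`builder` flags and whatever else the endpoint returns — to the browser console on every auth check; this reads as a debugging leftover and should be removed before merge. In the derived store, `!!$user.admin?.global` treats a missing `admin` object as non-admin, which is the safe default and matches the server-side `adminOnly` check elsewhere in this commit, but `isAdmin` is also `false` while `$user` is still `null`, and callers that gate navigation on it need to know that. A comment on the derived store would make it explicit: `// isAdmin/isBuilder mirror the server's *.global flags; both are false until the user has loaded`.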


@ -56,7 +56,6 @@ router
) )
.get("/api/admin/users", adminOnly, controller.fetch) .get("/api/admin/users", adminOnly, controller.fetch)
.delete("/api/admin/users/:id", adminOnly, controller.destroy) .delete("/api/admin/users/:id", adminOnly, controller.destroy)
.get("/api/admin/users/:id", adminOnly, controller.find)
.get("/api/admin/roles/:appId") .get("/api/admin/roles/:appId")
.post( .post(
"/api/admin/users/invite", "/api/admin/users/invite",
@ -77,5 +76,7 @@ router
) )
.post("/api/admin/users/init", controller.adminUser) .post("/api/admin/users/init", controller.adminUser)
.get("/api/admin/users/self", controller.getSelf) .get("/api/admin/users/self", controller.getSelf)
// admin endpoint but needs to come at end (blocks other endpoints otherwise)
.get("/api/admin/users/:id", adminOnly, controller.find)
module.exports = router module.exports = router
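Review bot: Correct handling of `/api/admin/users/self` now depends on the `:id` route being registered after it, which the comment records but nothing enforces; koa-router matches in registration order, so a later reordering silently puts `self` back behind `adminOnly` (or, worse, routes it to `controller.find` with `id === "self"`). A param pattern that excludes the literal names, e.g. `"/api/admin/users/:id((?!self$|init$).*)"` if the path-to-regexp version in use accepts it, or moving `self` under a distinct prefix, makes the intent mechanical rather than positional. Separately, `.post("/api/admin/users/init", controller.adminUser)` is still registered with no `adminOnly` or other visible auth middleware; presumably `controller.adminUser` refuses once an admin exists, but if it does not this is an unauthenticated path to a global admin account — worth confirming since the controller is outside the hunk.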


@ -1,5 +1,8 @@
module.exports = async (ctx, next) => { module.exports = async (ctx, next) => {
if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) { if (
!ctx.internal &&
(!ctx.user || !ctx.user.admin || !ctx.user.admin.global)
) {
ctx.throw(403, "Admin user only endpoint.") ctx.throw(403, "Admin user only endpoint.")
} }
return next() return next()