From aab11fa9329f012e08fa91e64790c66ab5ed06c3 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Thu, 27 May 2021 14:53:41 +0100
Subject: [PATCH] Updating permissions to allow roles other than builder/admin to use apps properly.

---
 packages/auth/src/security/permissions.js       | 3 ---
 packages/server/src/api/routes/application.js   | 5 ++---
 packages/server/src/middleware/currentapp.js    | 8 +++++---
 packages/server/src/utilities/workerRequests.js | 7 +++++--
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/packages/auth/src/security/permissions.js b/packages/auth/src/security/permissions.js
index 3b03ccb8ee..03fa5fa562 100644
--- a/packages/auth/src/security/permissions.js
+++ b/packages/auth/src/security/permissions.js
@@ -17,7 +17,6 @@ const PermissionTypes = {
   BUILDER: "builder",
   VIEW: "view",
   QUERY: "query",
-  APP: "app",
 }
 
 function Permission(type, level) {
@@ -87,7 +86,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
       new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
       new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
-      new Permission(PermissionTypes.APP, PermissionLevels.READ),
     ],
   },
   WRITE: {
@@ -120,7 +118,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
       new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
       new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
-      new Permission(PermissionTypes.APP, PermissionLevels.ADMIN),
     ],
   },
 }
diff --git a/packages/server/src/api/routes/application.js b/packages/server/src/api/routes/application.js
index 51ac4335fd..22cb617cfa 100644
--- a/packages/server/src/api/routes/application.js
+++ b/packages/server/src/api/routes/application.js
@@ -1,16 +1,15 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/application")
 const authorized = require("../../middleware/authorized")
-const { BUILDER, PermissionTypes, PermissionLevels } = require("@budibase/auth/permissions")
+const { BUILDER } = require("@budibase/auth/permissions")
 
 const router = Router()
 
 router
   .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
-  .get("/api/applications", authorized(PermissionTypes.APP, PermissionLevels.READ), controller.fetch)
+  .get("/api/applications", controller.fetch)
   .get(
     "/api/applications/:appId/appPackage",
-    authorized(PermissionTypes.APP, PermissionLevels.READ),
     controller.fetchAppPackage
   )
   .put("/api/applications/:appId", authorized(BUILDER), controller.update)
diff --git a/packages/server/src/middleware/currentapp.js b/packages/server/src/middleware/currentapp.js
index f808403bac..d3c72fe83a 100644
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@@ -1,7 +1,7 @@
 const { getAppId, setCookie, getCookie } = require("@budibase/auth").utils
 const { Cookies } = require("@budibase/auth").constants
 const { getRole } = require("@budibase/auth/roles")
-const { getGlobalUsers } = require("../utilities/workerRequests")
+const { getGlobalUsers, getGlobalSelf } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
 const { generateUserMetadataID } = require("../db/utils")
 
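Review bot: `GET /api/applications` and `GET /api/applications/:appId/appPackage` now carry no `authorized(...)` guard at all — the hunk drops the wrapper rather than lowering its level — so whoever reaches this router can enumerate every application and pull down an app package, and nothing in the hunk shows an authentication middleware mounted ahead of these routes. If the intended rule is "any signed-in user of any role", state it at the route so the next reader does not take it for an oversight, e.g. `// no authorized(): open to any authenticated user; controller.fetch must filter by the caller's role` above `.get("/api/applications", controller.fetch)`, and confirm that both controllers actually scope their results to the caller's role instead of returning everything. If unauthenticated requests can reach this router, a role-independent guard (or an explicit check inside the controllers) is still needed before merge. The router chain continues past the end of the hunk.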
@@ -25,10 +25,11 @@ module.exports = async (ctx, next) => {
     requestAppId != null &&
     (appCookie == null ||
       requestAppId !== appCookie.appId ||
-      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC)
+      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC ||
+      !appCookie.roleId)
   ) {
     // Different App ID means cookie needs reset, or if the same public user has logged in
-    const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user._id)
+    const globalUser = await getGlobalSelf(ctx, requestAppId)
     updateCookie = true
     appId = requestAppId
     // retrieving global user gets the right role
@@ -51,6 +52,7 @@ module.exports = async (ctx, next) => {
       // override userID with metadata one
       _id: userId,
       userId,
+      roleId,
       role: await getRole(appId, roleId),
     }
   }
diff --git a/packages/server/src/utilities/workerRequests.js b/packages/server/src/utilities/workerRequests.js
index 49e24e5d60..d111293256 100644
--- a/packages/server/src/utilities/workerRequests.js
+++ b/packages/server/src/utilities/workerRequests.js
@@ -119,16 +119,19 @@ exports.getGlobalUsers = async (ctx, appId = null, globalId = null) => {
   return users
 }
 
-exports.getGlobalSelf = async ctx => {
+exports.getGlobalSelf = async (ctx, appId = null) => {
   const endpoint = `/api/admin/users/self`
   const response = await fetch(
     checkSlashesInUrl(env.WORKER_URL + endpoint),
     request(ctx, { method: "GET" })
   )
-  const json = await response.json()
+  let json = await response.json()
   if (json.status !== 200 && response.status !== 200) {
     ctx.throw(400, "Unable to get self globally.")
   }
+  if (appId) {
+    json = getAppRole(appId, json)
+  }
   return json
 }
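Review bot: The comment `// Different App ID means cookie needs reset, or if the same public user has logged in` no longer describes the condition the hunk extends — the added `!appCookie.roleId` also forces a refresh — so it should read `// Reset the cookie on a different app ID, when a public user has logged in, or when the cookie carries no roleId (presumably one written before roleId was stored in it)`. It is also worth recording next to it that a cookie whose appId matches and whose role is present and non-public appears to be trusted as-is, so a role change made on the worker side is not seen again until one of these conditions trips; if that is acceptable the comment should say so, otherwise the refresh condition needs an age or version component. The enclosing middleware function starts and ends outside the hunk.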
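Review bot: `getGlobalSelf` gains an `appId` parameter with no documentation, and `getAppRole` is called on the new side without being visible in this hunk, so what the function returns when the caller holds no role in `appId` cannot be read off this code. Add a JSDoc above the export along the lines of `/** Fetch the calling user from the worker; when appId is given the result is narrowed to that app's role via getAppRole. Throws 400 if the worker call fails. */`. The `let` reassignment can also go: keep `const json = await response.json()` and finish with `return appId ? getAppRole(appId, json) : json`, which makes the narrowing a single expression and leaves `json` immutable. The `if (appId)` truthiness test is fine for string ids, but `appId != null` matches the declared default more precisely.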