Merge resource and authorized, allowing transformers

2023-08-24 09:36:44 +02:00 · 2023-08-24 09:36:44 +02:00 · b380207064
parent 9a15277fa1
commit b380207064
2 changed files with 24 additions and 5 deletions
--- a/packages/server/src/api/routes/row.ts
+++ b/packages/server/src/api/routes/row.ts
@ -270,8 +270,12 @@ router
 router.post(
  "/api/v2/views/:viewId/search",
-  paramResource("viewId", val => extractViewInfoFromID(val).tableId),
+  authorizedResource(
-  authorizedResource(PermissionType.TABLE, PermissionLevel.READ),
+    PermissionType.TABLE,
    PermissionLevel.READ,
    "viewId",
    val => extractViewInfoFromID(val).tableId
  ),
  rowController.views.searchView
 )
--- a/packages/server/src/middleware/authorized.ts
+++ b/packages/server/src/middleware/authorized.ts
@ -8,6 +8,7 @@ import {
 import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 import { paramResource } from "./resourceId"
 function hasResource(ctx: any) {
  return ctx.resourceId != null
@ -78,7 +79,8 @@ const authorized =
  (
    permType: PermissionType,
    permLevel?: PermissionLevel,
-    opts = { schema: false }
+    opts = { schema: false },
    resourceId?: { path: string; transformer?: (val: string) => string }
  ) =>
  async (ctx: any, next: any) => {
    // webhooks don't need authentication, each webhook unique
@ -99,6 +101,15 @@ const authorized =
        ? PermissionLevel.WRITE
        : PermissionLevel.READ
    const appId = context.getAppId()
    if (resourceId?.path) {
      // Reusing the existing middleware to extract the value
      paramResource(resourceId.path)(ctx, () => {})
      if (resourceId.transformer) {
        ctx.resourceId = resourceId.transformer(ctx.resourceId)
      }
    }
    if (appId && hasResource(ctx)) {
      resourceRoles = await roles.getRequiredResourceRole(permLevel!, ctx)
      if (opts && opts.schema) {
@ -153,5 +164,9 @@ export default (
 export const authorizedResource = (
  permType: PermissionType,
-  permLevel?: PermissionLevel
+  permLevel: PermissionLevel,
-) => authorized(permType, permLevel)
+  path: string,
  transformer?: (val: string) => string
 ) => {
  return authorized(permType, permLevel, undefined, { path, transformer })
 }