From b461025639bb96867e681cf906122de0d474c88d Mon Sep 17 00:00:00 2001
From: Adria Navarro <adria@budibase.com>
Date: Mon, 26 Aug 2024 12:57:10 +0200
Subject: [PATCH] Check views

---
 .../src/api/routes/tests/rowAction.spec.ts       | 16 ++++++++++++----
 packages/server/src/sdk/app/rowActions.ts        |  9 +++++++++
 .../server/src/tests/utilities/structures.ts     | 12 ++++++++++++
 3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/packages/server/src/api/routes/tests/rowAction.spec.ts b/packages/server/src/api/routes/tests/rowAction.spec.ts
index e43220fc98..06acc42f22 100644
--- a/packages/server/src/api/routes/tests/rowAction.spec.ts
+++ b/packages/server/src/api/routes/tests/rowAction.spec.ts
@@ -514,8 +514,12 @@ describe("/rowsActions", () => {
         2
       )
 
-      const viewId1 = generator.guid()
-      const viewId2 = generator.guid()
+      const { id: viewId1 } = await config.api.viewV2.create(
+        setup.structures.viewV2.createRequest(tableId)
+      )
+      const { id: viewId2 } = await config.api.viewV2.create(
+        setup.structures.viewV2.createRequest(tableId)
+      )
 
       await config.api.rowAction.setViewPermission(
         tableId,
@@ -584,8 +588,12 @@ describe("/rowsActions", () => {
 
       const [actionId] = _.sampleSize(Object.keys(persisted.actions), 1)
 
-      const viewId1 = generator.guid()
-      const viewId2 = generator.guid()
+      const { id: viewId1 } = await config.api.viewV2.create(
+        setup.structures.viewV2.createRequest(tableId)
+      )
+      const { id: viewId2 } = await config.api.viewV2.create(
+        setup.structures.viewV2.createRequest(tableId)
+      )
 
       await config.api.rowAction.setViewPermission(tableId, viewId1, actionId, {
         status: 200,
diff --git a/packages/server/src/sdk/app/rowActions.ts b/packages/server/src/sdk/app/rowActions.ts
index 369327be86..768e450605 100644
--- a/packages/server/src/sdk/app/rowActions.ts
+++ b/packages/server/src/sdk/app/rowActions.ts
@@ -141,11 +141,19 @@ export async function update(
   })
 }
 
+async function guardView(tableId: string, viewId: string) {
+  const view = await sdk.views.get(viewId)
+  if (!view || view.tableId !== tableId) {
+    throw new HTTPError(`View '${viewId}' not found in '${tableId}'`, 400)
+  }
+}
+
 export async function setViewPermission(
   tableId: string,
   rowActionId: string,
   viewId: string
 ) {
+  await guardView(tableId, viewId)
   return await updateDoc(tableId, rowActionId, async actionsDoc => {
     actionsDoc.actions[rowActionId].permissions.views[viewId] = {
       runAllowed: true,
@@ -159,6 +167,7 @@ export async function unsetViewPermission(
   rowActionId: string,
   viewId: string
 ) {
+  await guardView(tableId, viewId)
   return await updateDoc(tableId, rowActionId, async actionsDoc => {
     delete actionsDoc.actions[rowActionId].permissions.views[viewId]
     return actionsDoc
diff --git a/packages/server/src/tests/utilities/structures.ts b/packages/server/src/tests/utilities/structures.ts
index 8d64734ee3..2e501932b8 100644
--- a/packages/server/src/tests/utilities/structures.ts
+++ b/packages/server/src/tests/utilities/structures.ts
@@ -30,6 +30,7 @@ import {
   BBReferenceFieldSubType,
   JsonFieldSubType,
   AutoFieldSubType,
+  CreateViewRequest,
 } from "@budibase/types"
 import { LoopInput } from "../../definitions/automations"
 import { merge } from "lodash"
@@ -145,6 +146,17 @@ export function view(tableId: string) {
   }
 }
 
+function viewV2CreateRequest(tableId: string): CreateViewRequest {
+  return {
+    tableId,
+    name: generator.guid(),
+  }
+}
+
+export const viewV2 = {
+  createRequest: viewV2CreateRequest,
+}
+
 export function automationStep(
   actionDefinition = BUILTIN_ACTION_DEFINITIONS.CREATE_ROW
 ): AutomationStep {