Updating permissions to allow roles other than builder/admin to use apps properly.

packages/auth/src/security/permissions.js

@@ -17,7 +17,6 @@ const PermissionTypes = {
   BUILDER: "builder",
   VIEW: "view",
   QUERY: "query",
-  APP: "app",
 }
 
 function Permission(type, level) {
@@ -87,7 +86,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
       new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
       new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
-      new Permission(PermissionTypes.APP, PermissionLevels.READ),
     ],
   },
   WRITE: {
@@ -120,7 +118,6 @@ const BUILTIN_PERMISSIONS = {
       new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
       new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
       new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
-      new Permission(PermissionTypes.APP, PermissionLevels.ADMIN),
     ],
   },
 }

packages/server/src/api/routes/application.js

@@ -1,16 +1,15 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/application")
 const authorized = require("../../middleware/authorized")
-const { BUILDER, PermissionTypes, PermissionLevels } = require("@budibase/auth/permissions")
+const { BUILDER } = require("@budibase/auth/permissions")
 
 const router = Router()
 
 router
   .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
-  .get("/api/applications", authorized(PermissionTypes.APP, PermissionLevels.READ), controller.fetch)
+  .get("/api/applications", controller.fetch)
   .get(
     "/api/applications/:appId/appPackage",
-    authorized(PermissionTypes.APP, PermissionLevels.READ),
     controller.fetchAppPackage
   )
   .put("/api/applications/:appId", authorized(BUILDER), controller.update)

packages/server/src/middleware/currentapp.js

@@ -1,7 +1,7 @@
 const { getAppId, setCookie, getCookie } = require("@budibase/auth").utils
 const { Cookies } = require("@budibase/auth").constants
 const { getRole } = require("@budibase/auth/roles")
-const { getGlobalUsers } = require("../utilities/workerRequests")
+const { getGlobalUsers, getGlobalSelf } = require("../utilities/workerRequests")
 const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
 const { generateUserMetadataID } = require("../db/utils")
 
@@ -25,10 +25,11 @@ module.exports = async (ctx, next) => {
     requestAppId != null &&
     (appCookie == null ||
       requestAppId !== appCookie.appId ||
-      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC)
+      appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC ||
+      !appCookie.roleId)
   ) {
     // Different App ID means cookie needs reset, or if the same public user has logged in
-    const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user._id)
+    const globalUser = await getGlobalSelf(ctx, requestAppId)
     updateCookie = true
     appId = requestAppId
     // retrieving global user gets the right role
@@ -51,6 +52,7 @@ module.exports = async (ctx, next) => {
       // override userID with metadata one
       _id: userId,
       userId,
+      roleId,
       role: await getRole(appId, roleId),
     }
   }

packages/server/src/utilities/workerRequests.js

@@ -119,16 +119,19 @@ exports.getGlobalUsers = async (ctx, appId = null, globalId = null) => {
   return users
 }
 
-exports.getGlobalSelf = async ctx => {
+exports.getGlobalSelf = async (ctx, appId = null) => {
   const endpoint = `/api/admin/users/self`
   const response = await fetch(
     checkSlashesInUrl(env.WORKER_URL + endpoint),
     request(ctx, { method: "GET" })
   )
-  const json = await response.json()
+  let json = await response.json()
   if (json.status !== 200 && response.status !== 200) {
     ctx.throw(400, "Unable to get self globally.")
   }
+  if (appId) {
+    json = getAppRole(appId, json)
+  }
   return json
 }