Updating permissions to allow roles other than builder/admin to use apps properly.

This commit is contained in:
mike12345567 2021-05-27 14:53:41 +01:00
parent c311bae7b9
commit bc6660fd0e
4 changed files with 12 additions and 11 deletions


@ -17,7 +17,6 @@ const PermissionTypes = {
BUILDER: "builder", BUILDER: "builder",
VIEW: "view", VIEW: "view",
QUERY: "query", QUERY: "query",
APP: "app",
} }
function Permission(type, level) { function Permission(type, level) {
@ -87,7 +86,6 @@ const BUILTIN_PERMISSIONS = {
new Permission(PermissionTypes.QUERY, PermissionLevels.READ), new Permission(PermissionTypes.QUERY, PermissionLevels.READ),
new Permission(PermissionTypes.TABLE, PermissionLevels.READ), new Permission(PermissionTypes.TABLE, PermissionLevels.READ),
new Permission(PermissionTypes.VIEW, PermissionLevels.READ), new Permission(PermissionTypes.VIEW, PermissionLevels.READ),
new Permission(PermissionTypes.APP, PermissionLevels.READ),
], ],
}, },
WRITE: { WRITE: {
@ -120,7 +118,6 @@ const BUILTIN_PERMISSIONS = {
new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN), new Permission(PermissionTypes.VIEW, PermissionLevels.ADMIN),
new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ), new Permission(PermissionTypes.WEBHOOK, PermissionLevels.READ),
new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN), new Permission(PermissionTypes.QUERY, PermissionLevels.ADMIN),
new Permission(PermissionTypes.APP, PermissionLevels.ADMIN),
], ],
}, },
} }


@ -1,16 +1,15 @@
const Router = require("@koa/router") const Router = require("@koa/router")
const controller = require("../controllers/application") const controller = require("../controllers/application")
const authorized = require("../../middleware/authorized") const authorized = require("../../middleware/authorized")
const { BUILDER, PermissionTypes, PermissionLevels } = require("@budibase/auth/permissions") const { BUILDER } = require("@budibase/auth/permissions")
const router = Router() const router = Router()
router router
.get("/api/applications/:appId/definition", controller.fetchAppDefinition) .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
.get("/api/applications", authorized(PermissionTypes.APP, PermissionLevels.READ), controller.fetch) .get("/api/applications", controller.fetch)
.get( .get(
"/api/applications/:appId/appPackage", "/api/applications/:appId/appPackage",
authorized(PermissionTypes.APP, PermissionLevels.READ),
controller.fetchAppPackage controller.fetchAppPackage
) )
.put("/api/applications/:appId", authorized(BUILDER), controller.update) .put("/api/applications/:appId", authorized(BUILDER), controller.update)
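Review bot: `/api/applications` and `/api/applications/:appId/appPackage` now reach `controller.fetch` and `controller.fetchAppPackage` with no `authorized(...)` middleware at all, so route-level authorization on both has been removed rather than relaxed to a level that non-builder roles hold. Unless an app-wide middleware earlier in the chain already authenticates the caller and scopes the app ID (not visible on this page), listing applications and downloading an app package becomes reachable without any role check; that should be confirmed before merging. The previous `authorized(PermissionTypes.APP, PermissionLevels.READ)` cannot simply be restored because this commit also deletes the `APP` permission type in the first file, so the replacement check would have to use one of the permission types that remain. At minimum, a comment on the router such as `// fetch/fetchAppPackage are intentionally unguarded here; authentication and app scoping are enforced by the global middleware` would stop the next reader from treating the missing check as an oversight.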


@ -1,7 +1,7 @@
const { getAppId, setCookie, getCookie } = require("@budibase/auth").utils const { getAppId, setCookie, getCookie } = require("@budibase/auth").utils
const { Cookies } = require("@budibase/auth").constants const { Cookies } = require("@budibase/auth").constants
const { getRole } = require("@budibase/auth/roles") const { getRole } = require("@budibase/auth/roles")
const { getGlobalUsers } = require("../utilities/workerRequests") const { getGlobalUsers, getGlobalSelf } = require("../utilities/workerRequests")
const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles") const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
const { generateUserMetadataID } = require("../db/utils") const { generateUserMetadataID } = require("../db/utils")
@ -25,10 +25,11 @@ module.exports = async (ctx, next) => {
requestAppId != null && requestAppId != null &&
(appCookie == null || (appCookie == null ||
requestAppId !== appCookie.appId || requestAppId !== appCookie.appId ||
appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC) appCookie.roleId === BUILTIN_ROLE_IDS.PUBLIC ||
!appCookie.roleId)
) { ) {
// Different App ID means cookie needs reset, or if the same public user has logged in // Different App ID means cookie needs reset, or if the same public user has logged in
const globalUser = await getGlobalUsers(ctx, requestAppId, ctx.user._id) const globalUser = await getGlobalSelf(ctx, requestAppId)
updateCookie = true updateCookie = true
appId = requestAppId appId = requestAppId
// retrieving global user gets the right role // retrieving global user gets the right role
@ -51,6 +52,7 @@ module.exports = async (ctx, next) => {
// override userID with metadata one // override userID with metadata one
_id: userId, _id: userId,
userId, userId,
roleId,
role: await getRole(appId, roleId), role: await getRole(appId, roleId),
} }
} }
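Review bot: The comment heading the reset branch, `// Different App ID means cookie needs reset, or if the same public user has logged in`, no longer matches the condition above it, which now also resets when the cookie has no `roleId` at all; extend it to `// Reset the cookie on a different app ID, when a public user has logged in, or when the cookie carries no roleId`. Replacing `getGlobalUsers(ctx, requestAppId, ctx.user._id)` with `getGlobalSelf(ctx, requestAppId)` changes the lookup from an explicit user ID to whichever identity the worker derives from the forwarded request, so the role written into the cookie further down relies on `getGlobalSelf` resolving the same user as `ctx.user`; a one-line comment on that line, `// self lookup: role comes from the identity the worker sees in the forwarded request`, would record that dependency. The exported middleware function begins and ends outside this hunk, so the later use of `globalUser` and the new `roleId` field on `ctx.user` cannot be checked here.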


@ -119,16 +119,19 @@ exports.getGlobalUsers = async (ctx, appId = null, globalId = null) => {
return users return users
} }
exports.getGlobalSelf = async ctx => { exports.getGlobalSelf = async (ctx, appId = null) => {
const endpoint = `/api/admin/users/self` const endpoint = `/api/admin/users/self`
const response = await fetch( const response = await fetch(
checkSlashesInUrl(env.WORKER_URL + endpoint), checkSlashesInUrl(env.WORKER_URL + endpoint),
request(ctx, { method: "GET" }) request(ctx, { method: "GET" })
) )
const json = await response.json() let json = await response.json()
if (json.status !== 200 && response.status !== 200) { if (json.status !== 200 && response.status !== 200) {
ctx.throw(400, "Unable to get self globally.") ctx.throw(400, "Unable to get self globally.")
} }
if (appId) {
json = getAppRole(appId, json)
}
return json return json
} }
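Review bot: `getGlobalSelf` gains an `appId` parameter and a role-resolution step without any documentation; add a JSDoc above it along the lines of `/** Fetch the calling user's own global record from the worker. When appId is given, the record is passed through getAppRole(appId, json) so the caller receives the user's role for that app. */`. `getAppRole` is not defined in this hunk, so presumably it is the module-level helper that `getGlobalUsers` above also uses; since this function is now on the request path of the current-app middleware, it is worth confirming that it returns a usable record for a user with no role entry for `appId` rather than throwing. The `if (appId)` guard also treats an empty string as "no app", which is consistent with the `null` default but would be tighter as `if (appId != null)` if an empty ID should not silently skip role resolution.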