From bc68b165267deb7dea7798c115e2c5764fa31ee9 Mon Sep 17 00:00:00 2001
From: Mel O'Hagan <mel@budibase.com>
Date: Mon, 28 Nov 2022 16:01:27 +0000
Subject: [PATCH] Allow developers to manage user access

---
 packages/worker/src/api/routes/global/users.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js
index 2d9b1d9ac9..c9acaaf068 100644
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@@ -1,7 +1,6 @@
 const Router = require("@koa/router")
 const controller = require("../../controllers/global/users")
 const { joiValidator } = require("@budibase/backend-core/auth")
-const { adminOnly } = require("@budibase/backend-core/auth")
 const Joi = require("joi")
 const cloudRestricted = require("../../../middleware/cloudRestricted")
 const { users } = require("../validation")
@@ -51,31 +50,31 @@ function buildInviteAcceptValidation() {
 router
   .post(
     "/api/global/users",
-    adminOnly,
+    builderOrAdmin,
     users.buildUserSaveValidation(),
     controller.save
   )
   .post(
     "/api/global/users/bulk",
-    adminOnly,
+    builderOrAdmin,
     users.buildUserBulkUserValidation(),
     controller.bulkUpdate
   )
 
   .get("/api/global/users", builderOrAdmin, controller.fetch)
   .post("/api/global/users/search", builderOrAdmin, controller.search)
-  .delete("/api/global/users/:id", adminOnly, controller.destroy)
+  .delete("/api/global/users/:id", builderOrAdmin, controller.destroy)
   .get("/api/global/users/count/:appId", builderOrAdmin, controller.countByApp)
   .get("/api/global/roles/:appId")
   .post(
     "/api/global/users/invite",
-    adminOnly,
+    builderOrAdmin,
     buildInviteValidation(),
     controller.invite
   )
   .post(
     "/api/global/users/multi/invite",
-    adminOnly,
+    builderOrAdmin,
     buildInviteMultipleValidation(),
     controller.inviteMultiple
   )