Merge pull request #13780 from Budibase/BUDI-8284/protect-writes-on-readonly-columns

Prevent write readonly view column
This commit is contained in:
Adria Navarro 2024-05-29 16:24:53 +02:00 committed by GitHub
commit bec60dd53b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 61 additions and 3 deletions

View File

@ -873,6 +873,27 @@ describe.each([
expect(row.one).toBeUndefined() expect(row.one).toBeUndefined()
expect(row.two).toEqual("bar") expect(row.two).toEqual("bar")
}) })
it("can't persist readonly columns", async () => {
mocks.licenses.useViewReadonlyColumns()
const view = await config.api.viewV2.create({
tableId: table._id!,
name: generator.guid(),
schema: {
one: { visible: true, readonly: true },
two: { visible: true },
},
})
const row = await config.api.row.save(view.id, {
tableId: table!._id,
_viewId: view.id,
one: "foo",
two: "bar",
})
expect(row.one).toBeUndefined()
expect(row.two).toEqual("bar")
})
}) })
describe("patch", () => { describe("patch", () => {
@ -893,6 +914,33 @@ describe.each([
expect(row.one).toEqual("foo") expect(row.one).toEqual("foo")
expect(row.two).toEqual("newBar") expect(row.two).toEqual("newBar")
}) })
it("can't update readonly columns", async () => {
mocks.licenses.useViewReadonlyColumns()
const view = await config.api.viewV2.create({
tableId: table._id!,
name: generator.guid(),
schema: {
one: { visible: true, readonly: true },
two: { visible: true },
},
})
const newRow = await config.api.row.save(table._id!, {
one: "foo",
two: "bar",
})
await config.api.row.patch(view.id, {
tableId: table._id!,
_id: newRow._id!,
_rev: newRow._rev!,
one: "newFoo",
two: "newBar",
})
const row = await config.api.row.get(table._id!, newRow._id!)
expect(row.one).toEqual("foo")
expect(row.two).toEqual("newBar")
})
}) })
describe("destroy", () => { describe("destroy", () => {

View File

@ -144,8 +144,12 @@ describe("trimViewRowInfo middleware", () => {
name: generator.guid(), name: generator.guid(),
tableId: table._id!, tableId: table._id!,
schema: { schema: {
name: {}, name: {
address: {}, visible: true,
},
address: {
visible: true,
},
}, },
}) })

View File

@ -104,7 +104,13 @@ export async function remove(viewId: string): Promise<ViewV2> {
export function allowedFields(view: View | ViewV2) { export function allowedFields(view: View | ViewV2) {
return [ return [
...Object.keys(view?.schema || {}), ...Object.keys(view?.schema || {}).filter(key => {
if (!isV2(view)) {
return true
}
const fieldSchema = view.schema![key]
return fieldSchema.visible && !fieldSchema.readonly
}),
...dbCore.CONSTANT_EXTERNAL_ROW_COLS, ...dbCore.CONSTANT_EXTERNAL_ROW_COLS,
...dbCore.CONSTANT_INTERNAL_ROW_COLS, ...dbCore.CONSTANT_INTERNAL_ROW_COLS,
] ]