From bfa2b491f349030c42c436fcb55a99c23fffa7ef Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Thu, 24 Aug 2023 10:22:08 +0200
Subject: [PATCH] Allow view permission type
---
 packages/server/src/api/routes/row.ts | 9 ++---
 packages/server/src/middleware/authorized.ts | 38 +++++++++++++++-----
 packages/types/src/sdk/permissions.ts | 1 +
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/packages/server/src/api/routes/row.ts b/packages/server/src/api/routes/row.ts
index 9f4beb8173..c29cb65eac 100644
--- a/packages/server/src/api/routes/row.ts
+++ b/packages/server/src/api/routes/row.ts
@@ -5,7 +5,7 @@ import { paramResource, paramSubResource } from "../../middleware/resourceId"
 import { permissions } from "@budibase/backend-core"
 import { internalSearchValidator } from "./utils/validators"
 import trimViewRowInfo from "../../middleware/trimViewRowInfo"
-import { extractViewInfoFromID } from "../../db/utils"
+
 const { PermissionType, PermissionLevel } = permissions
 const router: Router = new Router()
@@ -270,12 +270,7 @@ router
 router.post(
 "/api/v2/views/:viewId/search",
- authorizedResource(
- PermissionType.TABLE,
- PermissionLevel.READ,
- "viewId",
- val => extractViewInfoFromID(val).tableId
- ),
+ authorizedResource(PermissionType.VIEW, PermissionLevel.READ, "viewId"),
 rowController.views.searchView
 )
diff --git a/packages/server/src/middleware/authorized.ts b/packages/server/src/middleware/authorized.ts
index a754bcc1f0..3d4c44a108 100644
--- a/packages/server/src/middleware/authorized.ts
+++ b/packages/server/src/middleware/authorized.ts
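Review bot: The `/api/v2/views/:viewId/search` route in row.ts is now authorised as `PermissionType.VIEW` instead of `PermissionType.TABLE`, while the fallback branch in authorized.ts restores only the table id and not the permission type. With view permissions disabled, access therefore matches the old behaviour only if every downstream check (outside this diff) treats `VIEW` the way it treated `TABLE`; otherwise existing roles could see their read access to view searches change. I would cover both flag states with a test and leave a comment on the route such as `// VIEW falls back to the parent table's permissions when view-level permissions are disabled`.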
@@ -6,9 +6,11 @@ import {
 users,
 } from "@budibase/backend-core"
 import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
+import { features } from "@budibase/pro"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 import { paramResource } from "./resourceId"
+import { extractViewInfoFromID, isViewID } from "../db/utils"
 function hasResource(ctx: any) {
 return ctx.resourceId != null
@@ -75,12 +77,31 @@ const checkAuthorizedResource = async (
 }
 }
+const resourceIdTranformers: Partial<
+ Record Promise>
+> = {
+ [PermissionType.VIEW]: async ctx => {
+ const { resourceId } = ctx
+ if (!isViewID(resourceId)) {
+ ctx.throw(400, `"${resourceId}" is not a valid viewId`)
+ }
+
+ if (await features.isViewPermissionEnabled()) {
+ ctx.subResourceId = ctx.resourceId
+ ctx.resourceId = extractViewInfoFromID(resourceId).tableId
+ } else {
+ ctx.resourceId = extractViewInfoFromID(resourceId).tableId
+ delete ctx.subResourceId
+ }
+ },
+}
+
 const authorized =
 (
 permType: PermissionType,
 permLevel?: PermissionLevel,
 opts = { schema: false },
- resourceId?: { path: string; transformer?: (val: string) => string }
+ resourcePath?: string
 ) =>
 async (ctx: any, next: any) => {
 // webhooks don't need authentication, each webhook unique
@@ -102,15 +123,15 @@ const authorized =
 : PermissionLevel.READ
 const appId = context.getAppId()
- if (resourceId?.path) {
+ if (resourcePath) {
 // Reusing the existing middleware to extract the value
- paramResource(resourceId.path)(ctx, () => {})
- if (resourceId.transformer) {
- ctx.resourceId = resourceId.transformer(ctx.resourceId)
- }
+ paramResource(resourcePath)(ctx, () => {})
 }
 if (appId && hasResource(ctx)) {
+ if (resourceIdTranformers[permType]) {
+ await resourceIdTranformers[permType]!(ctx)
+ }
 resourceRoles = await roles.getRequiredResourceRole(permLevel!, ctx)
 if (opts && opts.schema) {
 otherLevelRoles = await roles.getRequiredResourceRole(otherLevel, ctx)
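Review bot: In `resourceIdTranformers`, the enabled branch changes the authorisation outcome only if `roles.getRequiredResourceRole` actually reads `ctx.subResourceId`; that function is not part of this diff, so if it keys on `ctx.resourceId` alone the view check silently becomes a table check. A comment on the map stating the contract would help, e.g. `// resourceId -> parent table id; subResourceId -> view id, set only when view permissions are enabled`. Both branches assign the same table id, so `ctx.resourceId = extractViewInfoFromID(resourceId).tableId` can be written once after the branch, leaving only the `subResourceId` handling inside it. The 400 message also echoes the raw `viewId` path parameter back to the caller; a fixed message such as `"Invalid viewId"` avoids reflecting request input.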
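Review bot: In the `@@ -102,15 +123,15 @@` hunk, the view-id rewrite and its `isViewID` validation now run only inside `if (appId && hasResource(ctx))`, whereas the removed transformer ran directly after `paramResource` regardless of `appId`. A request that reaches this middleware without an app id therefore keeps the raw view id in `ctx.resourceId` for whatever follows (the rest of the function is outside the hunk), so it is worth confirming that this path cannot authorise against an unresolved id. The map is also looked up twice with a non-null assertion; `const transform = resourceIdTranformers[permType]` followed by `if (transform) await transform(ctx)` removes the `!`.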
@@ -165,8 +186,7 @@ export default (
 export const authorizedResource = (
 permType: PermissionType,
 permLevel: PermissionLevel,
- path: string,
- transformer?: (val: string) => string
+ resourcePath: string
 ) => {
- return authorized(permType, permLevel, undefined, { path, transformer })
+ return authorized(permType, permLevel, undefined, resourcePath)
 }
diff --git a/packages/types/src/sdk/permissions.ts b/packages/types/src/sdk/permissions.ts
index 9fe1970e44..a33d4985ee 100644
--- a/packages/types/src/sdk/permissions.ts
+++ b/packages/types/src/sdk/permissions.ts
@@ -15,4 +15,5 @@ export enum PermissionType {
 BUILDER = "builder",
 GLOBAL_BUILDER = "globalBuilder",
 QUERY = "query",
+ VIEW = "view",
 }
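Review bot: `authorizedResource` is exported without a doc comment, and the renamed `resourcePath` reads like a URL path although the route in row.ts passes a parameter name (`"viewId"`). A one-line TSDoc would settle it: `/** resourcePath: name of the route parameter holding the resource id; VIEW ids are resolved to their parent table inside authorized(). */`.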