diff --git a/packages/server/src/middleware/authorized.ts b/packages/server/src/middleware/authorized.ts index 767c3d95ef..915344f747 100644 --- a/packages/server/src/middleware/authorized.ts +++ b/packages/server/src/middleware/authorized.ts @@ -1,11 +1,11 @@ import { - roles, - permissions, auth, context, + permissions, + roles, users, } from "@budibase/backend-core" -import { Role, UserCtx, PermissionType, PermissionLevel } from "@budibase/types" +import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types" import builderMiddleware from "./builder" import { isWebhookEndpoint } from "./utils" @@ -28,15 +28,14 @@ const checkAuthorized = async ( permLevel: PermissionLevel ) => { const appId = context.getAppId() + const isGlobalBuilderApi = permType === PermissionType.GLOBAL_BUILDER + const isBuilderApi = permType === PermissionType.BUILDER + const globalBuilder = users.isGlobalBuilder(ctx.user) + let isBuilder = appId + ? users.isBuilder(ctx.user, appId) + : users.hasBuilderPermissions(ctx.user) // check if this is a builder api and the user is not a builder - let isBuilder - if (!appId) { - isBuilder = users.hasBuilderPermissions(ctx.user) - } else { - isBuilder = users.isBuilder(ctx.user, appId) - } - const isBuilderApi = permType === permissions.PermissionType.BUILDER - if (isBuilderApi && !isBuilder) { + if ((isGlobalBuilderApi && !globalBuilder) || (isBuilderApi && !isBuilder)) { return ctx.throw(403, "Not Authorized") } @@ -76,8 +75,8 @@ const checkAuthorizedResource = async ( } export default ( - permType: any, - permLevel: any = null, + permType: PermissionType, + permLevel?: PermissionLevel, opts = { schema: false } ) => async (ctx: any, next: any) => { 
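Review bot: `let isBuilder` in checkAuthorized is never reassigned within the hunk, so it should be `const isBuilder = appId ? users.isBuilder(ctx.user, appId) : users.hasBuilderPermissions(ctx.user)` to match the three `const` bindings above it; the function body continues past the hunk, so keep `let` only if a later line actually reassigns it. The comment `// check if this is a builder api and the user is not a builder` now sits directly above a condition that also rejects non-global-builders on GLOBAL_BUILDER endpoints, so it should read `// reject builder APIs for non-builders and global-builder APIs for non-global-builders`. Note also that when no app is in context a BUILDER endpoint still falls back to `users.hasBuilderPermissions(ctx.user)`, which is presumably a weaker, app-agnostic check than `users.isBuilder(ctx.user, appId)`; the commit keeps that fallback, so it is worth confirming that no app-scoped builder route can be reached without an app id in context.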
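Review bot: Changing `permLevel: any = null` to `permLevel?: PermissionLevel` silently changes the default from `null` to `undefined`, so any downstream code comparing `permLevel === null` (none is visible in this diff) would now take the wrong branch; the comparisons shown later use `=== PermissionLevel.READ` and truthiness, which are unaffected. Since `UserCtx` is already imported in this file, the inner handler could also be typed `async (ctx: UserCtx, next: any)` instead of `ctx: any`, which would stop `any` flowing into the `checkAuthorized(ctx, …)` call; whether that compiles depends on what the handler body assigns to ctx, which lies outside the hunk. The returned middleware's body continues past the end of this hunk.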
@@ -95,12 +94,12 @@ export default ( let resourceRoles: any = [] let otherLevelRoles: any = [] const otherLevel = - permLevel === permissions.PermissionLevel.READ - ? permissions.PermissionLevel.WRITE - : permissions.PermissionLevel.READ + permLevel === PermissionLevel.READ + ? PermissionLevel.WRITE + : PermissionLevel.READ const appId = context.getAppId() if (appId && hasResource(ctx)) { - resourceRoles = await roles.getRequiredResourceRole(permLevel, ctx) + resourceRoles = await roles.getRequiredResourceRole(permLevel!, ctx) if (opts && opts.schema) { otherLevelRoles = await roles.getRequiredResourceRole(otherLevel, ctx) } @@ -123,15 +122,15 @@ export default ( // check general builder stuff, this middleware is a good way // to find API endpoints which are builder focused if ( - permType === permissions.PermissionType.BUILDER || - permType === permissions.PermissionType.GLOBAL_BUILDER + permType === PermissionType.BUILDER || + permType === PermissionType.GLOBAL_BUILDER ) { await builderMiddleware(ctx) } try { // check authorized - await checkAuthorized(ctx, resourceRoles, permType, permLevel) + await checkAuthorized(ctx, resourceRoles, permType, permLevel!) } catch (err) { // this is a schema, check if if (opts && opts.schema && permLevel) { diff --git a/packages/types/src/sdk/koa.ts b/packages/types/src/sdk/koa.ts index f824b73458..861f5e9329 100644 --- a/packages/types/src/sdk/koa.ts +++ b/packages/types/src/sdk/koa.ts @@ -38,6 +38,7 @@ export interface Ctx extends Context { export interface UserCtx extends Ctx { user: ContextUser + roleId?: string } /**
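Review bot: `roles.getRequiredResourceRole(permLevel!, ctx)` uses a non-null assertion on a parameter this same middleware treats as optional — the catch block later in the file still tests `opts.schema && permLevel` — so when a route registers with only a permType, `undefined` reaches the role lookup while the type system asserts otherwise (the old code passed `null` with the same effect, so this is not a runtime regression, but the `!` hides it). Prefer narrowing once instead of asserting: guard the lookup with `if (appId && hasResource(ctx) && permLevel !== undefined) {` if getRequiredResourceRole genuinely requires a level, or widen its parameter to `PermissionLevel | undefined` and drop the `!`; which is correct depends on how getRequiredResourceRole handles a missing level, which is not visible here. The middleware body begins before and ends after this hunk.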
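Review bot: `checkAuthorized(ctx, resourceRoles, permType, permLevel!)` again asserts a value that the surrounding catch (`opts && opts.schema && permLevel`) admits may be undefined; the cleaner fix is on the callee side, declaring `permLevel?: PermissionLevel` in checkAuthorized's signature (first hunk of this file) and removing the `!` here, so the optional contract is stated once rather than asserted at each call. Whether checkAuthorized's body can tolerate undefined depends on its resource-role logic below the first hunk, which is not shown. The try/catch and the enclosing middleware continue past the end of this hunk.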
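Review bot: The new `roleId?: string` on UserCtx has no TSDoc, and nothing in this diff shows what populates it or when it is absent, which matters because it sits beside the `user` field that authorization decisions read. Add a hedged comment such as `/** Role id resolved for the current request; presumably set by the authorization middleware — confirm the writer before relying on it */` until the producer is documented.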