Properly supporting the new global builder permission type to deny access to app creation.

packages/server/src/middleware/authorized.ts

@@ -1,11 +1,11 @@
 import {
-  roles,
-  permissions,
   auth,
   context,
+  permissions,
+  roles,
   users,
 } from "@budibase/backend-core"
-import { Role, UserCtx, PermissionType, PermissionLevel } from "@budibase/types"
+import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 
@@ -28,15 +28,14 @@ const checkAuthorized = async (
   permLevel: PermissionLevel
 ) => {
   const appId = context.getAppId()
+  const isGlobalBuilderApi = permType === PermissionType.GLOBAL_BUILDER
+  const isBuilderApi = permType === PermissionType.BUILDER
+  const globalBuilder = users.isGlobalBuilder(ctx.user)
+  let isBuilder = appId
+    ? users.isBuilder(ctx.user, appId)
+    : users.hasBuilderPermissions(ctx.user)
   // check if this is a builder api and the user is not a builder
-  let isBuilder
+  if ((isGlobalBuilderApi && !globalBuilder) || (isBuilderApi && !isBuilder)) {
-  if (!appId) {
-    isBuilder = users.hasBuilderPermissions(ctx.user)
-  } else {
-    isBuilder = users.isBuilder(ctx.user, appId)
-  }
-  const isBuilderApi = permType === permissions.PermissionType.BUILDER
-  if (isBuilderApi && !isBuilder) {
     return ctx.throw(403, "Not Authorized")
   }
 
@@ -76,8 +75,8 @@ const checkAuthorizedResource = async (
 }
 
 export default (
-    permType: any,
+    permType: PermissionType,
-    permLevel: any = null,
+    permLevel?: PermissionLevel,
     opts = { schema: false }
   ) =>
   async (ctx: any, next: any) => {
@@ -95,12 +94,12 @@ export default (
     let resourceRoles: any = []
     let otherLevelRoles: any = []
     const otherLevel =
-      permLevel === permissions.PermissionLevel.READ
+      permLevel === PermissionLevel.READ
-        ? permissions.PermissionLevel.WRITE
+        ? PermissionLevel.WRITE
-        : permissions.PermissionLevel.READ
+        : PermissionLevel.READ
     const appId = context.getAppId()
     if (appId && hasResource(ctx)) {
-      resourceRoles = await roles.getRequiredResourceRole(permLevel, ctx)
+      resourceRoles = await roles.getRequiredResourceRole(permLevel!, ctx)
       if (opts && opts.schema) {
         otherLevelRoles = await roles.getRequiredResourceRole(otherLevel, ctx)
       }
@@ -123,15 +122,15 @@ export default (
     // check general builder stuff, this middleware is a good way
     // to find API endpoints which are builder focused
     if (
-      permType === permissions.PermissionType.BUILDER ||
+      permType === PermissionType.BUILDER ||
-      permType === permissions.PermissionType.GLOBAL_BUILDER
+      permType === PermissionType.GLOBAL_BUILDER
     ) {
       await builderMiddleware(ctx)
     }
 
     try {
       // check authorized
-      await checkAuthorized(ctx, resourceRoles, permType, permLevel)
+      await checkAuthorized(ctx, resourceRoles, permType, permLevel!)
     } catch (err) {
       // this is a schema, check if
       if (opts && opts.schema && permLevel) {

packages/types/src/sdk/koa.ts

@@ -38,6 +38,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
 export interface UserCtx<RequestBody = any, ResponseBody = any>
   extends Ctx<RequestBody, ResponseBody> {
   user: ContextUser
+  roleId?: string
 }
 
 /**