Add new permission type for creators, update app creation endpoint to allow creators and assign access to new apps

packages/backend-core/src/security/permissions.ts

@@ -160,4 +160,5 @@ export function isPermissionLevelHigherThanRead(level: PermissionLevel) {
 
 // utility as a lot of things need simply the builder permission
 export const BUILDER = PermissionType.BUILDER
+export const CREATOR = PermissionType.CREATOR
 export const GLOBAL_BUILDER = PermissionType.GLOBAL_BUILDER

packages/server/src/api/controllers/application.ts

@@ -51,6 +51,8 @@ import {
 import { BASE_LAYOUT_PROP_IDS } from "../../constants/layouts"
 import sdk from "../../sdk"
 import { builderSocket } from "../../websockets"
+import * as userSdk from "../../sdk/users"
+import { sdk as sharedCoreSDK } from "@budibase/shared-core"
 
 // utility function, need to do away with this
 async function getLayouts() {
@@ -394,6 +396,13 @@ async function appPostCreate(ctx: UserCtx, app: App) {
       }
     }
   }
+
+  // If the user is a creator, we need to give them access to the new app
+  if (sharedCoreSDK.users.hasCreatorPermissions(ctx.user)) {
+    let user = await users.UserDB.getUser(ctx.user._id!)
+    user.roles[dbCore.getProdAppID(app.appId)] = roles.BUILTIN_ROLE_IDS.ADMIN
+    await users.UserDB.save(user)
+  }
 }
 
 export async function create(ctx: UserCtx) {

packages/server/src/api/routes/application.ts

@@ -16,7 +16,7 @@ router
   )
   .post(
     "/api/applications",
-    authorized(permissions.GLOBAL_BUILDER),
+    authorized(permissions.CREATOR),
     applicationValidator(),
     controller.create
   )

packages/server/src/middleware/authorized.ts

@@ -5,7 +5,7 @@ import {
   roles,
   users,
 } from "@budibase/backend-core"
-import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
+import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 import { paramResource } from "./resourceId"
@@ -31,13 +31,20 @@ const checkAuthorized = async (
 ) => {
   const appId = context.getAppId()
   const isGlobalBuilderApi = permType === PermissionType.GLOBAL_BUILDER
+  const isCreatorApi = permType === PermissionType.CREATOR
   const isBuilderApi = permType === PermissionType.BUILDER
-  const globalBuilder = users.isGlobalBuilder(ctx.user)
+  const isGlobalBuilder = users.isGlobalBuilder(ctx.user)
-  let isBuilder = appId
+  const isCreator = users.isCreator(ctx.user)
+  const isBuilder = appId
     ? users.isBuilder(ctx.user, appId)
     : users.hasBuilderPermissions(ctx.user)
-  // check if this is a builder api and the user is not a builder
+
-  if ((isGlobalBuilderApi && !globalBuilder) || (isBuilderApi && !isBuilder)) {
+  // check api permission type against user
+  if (
+    (isGlobalBuilderApi && !isGlobalBuilder) ||
+    (isCreatorApi && !isCreator) ||
+    (isBuilderApi && !isBuilder)
+  ) {
     return ctx.throw(403, "Not Authorized")
   }
 
@@ -148,6 +155,7 @@ const authorized =
     // to find API endpoints which are builder focused
     if (
       permType === PermissionType.BUILDER ||
+      permType === PermissionType.CREATOR ||
       permType === PermissionType.GLOBAL_BUILDER
     ) {
       await builderMiddleware(ctx)