Add new permission type for creators, update app creation endpoint to allow creators and assign access to new apps

2023-11-23 16:22:16 +00:00 · 2023-11-23 16:22:16 +00:00 · c2c0012013
parent 974b117500
commit c2c0012013
4 changed files with 24 additions and 6 deletions
--- a/packages/backend-core/src/security/permissions.ts
+++ b/packages/backend-core/src/security/permissions.ts
@ -160,4 +160,5 @@ export function isPermissionLevelHigherThanRead(level: PermissionLevel) {

 // utility as a lot of things need simply the builder permission
 export const BUILDER = PermissionType.BUILDER
+export const CREATOR = PermissionType.CREATOR
 export const GLOBAL_BUILDER = PermissionType.GLOBAL_BUILDER
--- a/packages/server/src/api/controllers/application.ts
+++ b/packages/server/src/api/controllers/application.ts
@ -51,6 +51,8 @@ import {
 import { BASE_LAYOUT_PROP_IDS } from "../../constants/layouts"
 import sdk from "../../sdk"
 import { builderSocket } from "../../websockets"
+import * as userSdk from "../../sdk/users"
+import { sdk as sharedCoreSDK } from "@budibase/shared-core"

 // utility function, need to do away with this
 async function getLayouts() {
@ -394,6 +396,13 @@ async function appPostCreate(ctx: UserCtx, app: App) {
      }
    }
  }
+
+  // If the user is a creator, we need to give them access to the new app
+  if (sharedCoreSDK.users.hasCreatorPermissions(ctx.user)) {
+    let user = await users.UserDB.getUser(ctx.user._id!)
+    user.roles[dbCore.getProdAppID(app.appId)] = roles.BUILTIN_ROLE_IDS.ADMIN
+    await users.UserDB.save(user)
+  }
 }

 export async function create(ctx: UserCtx) {
--- a/packages/server/src/api/routes/application.ts
+++ b/packages/server/src/api/routes/application.ts
@ -16,7 +16,7 @@ router
  )
  .post(
    "/api/applications",
-    authorized(permissions.GLOBAL_BUILDER),
+    authorized(permissions.CREATOR),
    applicationValidator(),
    controller.create
  )
--- a/packages/server/src/middleware/authorized.ts
+++ b/packages/server/src/middleware/authorized.ts
@ -5,7 +5,7 @@ import {
  roles,
  users,
 } from "@budibase/backend-core"
-import { PermissionLevel, PermissionType, Role, UserCtx } from "@budibase/types"
+import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
 import builderMiddleware from "./builder"
 import { isWebhookEndpoint } from "./utils"
 import { paramResource } from "./resourceId"
@ -31,13 +31,20 @@ const checkAuthorized = async (
 ) => {
  const appId = context.getAppId()
  const isGlobalBuilderApi = permType === PermissionType.GLOBAL_BUILDER
+  const isCreatorApi = permType === PermissionType.CREATOR
  const isBuilderApi = permType === PermissionType.BUILDER
-  const globalBuilder = users.isGlobalBuilder(ctx.user)
-  let isBuilder = appId
+  const isGlobalBuilder = users.isGlobalBuilder(ctx.user)
+  const isCreator = users.isCreator(ctx.user)
+  const isBuilder = appId
    ? users.isBuilder(ctx.user, appId)
    : users.hasBuilderPermissions(ctx.user)
-  // check if this is a builder api and the user is not a builder
-  if ((isGlobalBuilderApi && !globalBuilder) || (isBuilderApi && !isBuilder)) {
+
+  // check api permission type against user
+  if (
+    (isGlobalBuilderApi && !isGlobalBuilder) ||
+    (isCreatorApi && !isCreator) ||
+    (isBuilderApi && !isBuilder)
+  ) {
    return ctx.throw(403, "Not Authorized")
  }

@ -148,6 +155,7 @@ const authorized =
    // to find API endpoints which are builder focused
    if (
      permType === PermissionType.BUILDER ||
+      permType === PermissionType.CREATOR ||
      permType === PermissionType.GLOBAL_BUILDER
    ) {
      await builderMiddleware(ctx)