Merge pull request #4332 from Budibase/fix/various-user-fixes

Various fixes for RBAC and user administration
2022-02-07 10:44:08 +00:00 · 2022-02-07 10:44:08 +00:00 · ca209ad3ff
parent 2a5e169b7c 30b6c1f3ca
commit ca209ad3ff
4 changed files with 40 additions and 39 deletions
--- a/packages/backend-core/src/security/roles.js
+++ b/packages/backend-core/src/security/roles.js
@ -146,8 +146,9 @@ exports.getRole = async roleId => {
 * Simple function to get all the roles based on the top level user role ID.
 */
 async function getAllUserRoles(userRoleId) {
-  if (!userRoleId) {
-    return [BUILTIN_IDS.BASIC]
+  // admins have access to all roles
+  if (userRoleId === BUILTIN_IDS.ADMIN) {
+    return exports.getAllRoles()
  }
  let currentRole = await exports.getRole(userRoleId)
  let roles = currentRole ? [currentRole] : []
--- a/packages/backend-core/src/utils.js
+++ b/packages/backend-core/src/utils.js
@ -256,7 +256,7 @@ exports.saveUser = async (
 exports.platformLogout = async ({ ctx, userId, keepActiveSession }) => {
  if (!ctx) throw new Error("Koa context must be supplied to logout.")

-  const currentSession = this.getCookie(ctx, Cookies.Auth)
+  const currentSession = exports.getCookie(ctx, Cookies.Auth)
  let sessions = await getUserSessions(userId)

  if (keepActiveSession) {
@ -265,8 +265,8 @@ exports.platformLogout = async ({ ctx, userId, keepActiveSession }) => {
    )
  } else {
    // clear cookies
-    this.clearCookie(ctx, Cookies.Auth)
-    this.clearCookie(ctx, Cookies.CurrentApp)
+    exports.clearCookie(ctx, Cookies.Auth)
+    exports.clearCookie(ctx, Cookies.CurrentApp)
  }

  await invalidateSessions(
--- a/packages/server/src/api/controllers/static/index.js
+++ b/packages/server/src/api/controllers/static/index.js
@ -16,7 +16,7 @@ const { clientLibraryPath } = require("../../../utilities")
 const { upload } = require("../../../utilities/fileSystem")
 const { attachmentsRelativeURL } = require("../../../utilities")
 const { DocumentTypes } = require("../../../db/utils")
-const { getAppDB } = require("@budibase/backend-core/context")
+const { getAppDB, updateAppId } = require("@budibase/backend-core/context")
 const AWS = require("aws-sdk")
 const AWS_REGION = env.AWS_REGION ? env.AWS_REGION : "eu-west-1"

@ -49,11 +49,9 @@ async function getAppIdFromUrl(ctx) {
    a => a.url && a.url.toLowerCase() === possibleAppUrl
  )[0]

-  if (app && app.appId) {
-    return app.appId
-  } else {
-    return ctx.params.appId
-  }
+  const appId = app && app.appId ? app.appId : ctx.params.appId
+  updateAppId(appId)
+  return appId
 }

 exports.serveBuilder = async function (ctx) {
--- a/packages/server/src/api/controllers/user.js
+++ b/packages/server/src/api/controllers/user.js
@ -14,7 +14,7 @@ const {
  dbExists,
 } = require("@budibase/backend-core/db")
 const { UserStatus } = require("@budibase/backend-core/constants")
-const { getAppDB } = require("@budibase/backend-core/context")
+const { getAppDB, doInAppContext } = require("@budibase/backend-core/context")

 async function rawMetadata() {
  const db = getAppDB()
@ -105,34 +105,36 @@ exports.syncUser = async function (ctx) {
      if (!(await dbExists(appId))) {
        continue
      }
-      const db = getAppDB()
-      const metadataId = generateUserMetadataID(userId)
-      let metadata
-      try {
-        metadata = await db.get(metadataId)
-      } catch (err) {
-        if (deleting) {
-          continue
-        }
-        metadata = {
-          tableId: InternalTables.USER_METADATA,
-        }
-      }
-      // assign the roleId for the metadata doc
-      if (roleId) {
-        metadata.roleId = roleId
-      }
-      let combined = !deleting
-        ? combineMetadataAndUser(user, metadata)
-        : {
-            ...metadata,
-            status: UserStatus.INACTIVE,
-            metadata: BUILTIN_ROLE_IDS.PUBLIC,
+      await doInAppContext(appId, async () => {
+        const db = getAppDB()
+        const metadataId = generateUserMetadataID(userId)
+        let metadata
+        try {
+          metadata = await db.get(metadataId)
+        } catch (err) {
+          if (deleting) {
+            return
          }
-      // if its null then there was no updates required
-      if (combined) {
-        await db.put(combined)
-      }
+          metadata = {
+            tableId: InternalTables.USER_METADATA,
+          }
+        }
+        // assign the roleId for the metadata doc
+        if (roleId) {
+          metadata.roleId = roleId
+        }
+        let combined = !deleting
+          ? combineMetadataAndUser(user, metadata)
+          : {
+              ...metadata,
+              status: UserStatus.INACTIVE,
+              metadata: BUILTIN_ROLE_IDS.PUBLIC,
+            }
+        // if its null then there was no updates required
+        if (combined) {
+          await db.put(combined)
+        }
+      })
    }
  }
  ctx.body = {