Merge branch 'master' into view-calculation-no-deletes

packages/backend-core/src/security/permissions.ts

@@ -65,7 +65,13 @@ export enum BuiltinPermissionID {
   POWER = "power",
 }
 
-export const BUILTIN_PERMISSIONS = {
+export const BUILTIN_PERMISSIONS: {
+  [key in keyof typeof BuiltinPermissionID]: {
+    _id: (typeof BuiltinPermissionID)[key]
+    name: string
+    permissions: Permission[]
+  }
+} = {
   PUBLIC: {
     _id: BuiltinPermissionID.PUBLIC,
     name: "Public",

packages/builder/src/components/backend/DataTable/modals/ManageAccessModal.svelte

@@ -94,7 +94,7 @@
   loadDependantInfo()
 </script>
 
-<ModalContent showCancelButton={false} confirmText="Done">
+<ModalContent showCancelButton={false} showConfirmButton={false}>
   <span slot="header">
     Manage Access
     {#if requiresPlanToModify}

packages/server/src/api/controllers/permission.ts

@@ -1,7 +1,6 @@
 import { permissions, roles, context } from "@budibase/backend-core"
 import {
   UserCtx,
-  Role,
   GetResourcePermsResponse,
   ResourcePermissionInfo,
   GetDependantResourcesResponse,
@@ -9,6 +8,7 @@ import {
   AddPermissionRequest,
   RemovePermissionRequest,
   RemovePermissionResponse,
+  FetchResourcePermissionInfoResponse,
 } from "@budibase/types"
 import {
   CURRENTLY_SUPPORTED_LEVELS,
@@ -28,10 +28,12 @@ export function fetchLevels(ctx: UserCtx) {
   ctx.body = SUPPORTED_LEVELS
 }
 
-export async function fetch(ctx: UserCtx) {
+export async function fetch(
+  ctx: UserCtx<void, FetchResourcePermissionInfoResponse>
+) {
   const db = context.getAppDB()
-  const dbRoles: Role[] = await sdk.permissions.getAllDBRoles(db)
-  let permissions: any = {}
+  const dbRoles = await sdk.permissions.getAllDBRoles(db)
+  let permissions: Record<string, Record<string, string>> = {}
   // create an object with structure role ID -> resource ID -> level
   for (let role of dbRoles) {
     if (!role.permissions) {
@@ -43,13 +45,13 @@ export async function fetch(ctx: UserCtx) {
     }
     for (let [resource, levelArr] of Object.entries(role.permissions)) {
       const levels: string[] = Array.isArray(levelArr) ? levelArr : [levelArr]
-      const perms: Record<string, string> = {}
+      const perms: Record<string, string> = permissions[resource] || {}
       levels.forEach(level => (perms[level] = roleId!))
       permissions[resource] = perms
     }
   }
   // apply the base permissions
-  const finalPermissions: Record<string, Record<string, string>> = {}
+  const finalPermissions: FetchResourcePermissionInfoResponse = {}
   for (let [resource, permission] of Object.entries(permissions)) {
     const basePerms = getBasePermissions(resource)
     finalPermissions[resource] = Object.assign(basePerms, permission)
@@ -92,18 +94,17 @@ export async function getDependantResources(
 
 export async function addPermission(ctx: UserCtx<void, AddPermissionResponse>) {
   const params: AddPermissionRequest = ctx.params
-  ctx.body = await sdk.permissions.updatePermissionOnRole(
-    params,
-    PermissionUpdateType.ADD
-  )
+  await sdk.permissions.updatePermissionOnRole(params, PermissionUpdateType.ADD)
+  ctx.status = 200
 }
 
 export async function removePermission(
   ctx: UserCtx<void, RemovePermissionResponse>
 ) {
   const params: RemovePermissionRequest = ctx.params
-  ctx.body = await sdk.permissions.updatePermissionOnRole(
+  await sdk.permissions.updatePermissionOnRole(
     params,
     PermissionUpdateType.REMOVE
   )
+  ctx.status = 200
 }

packages/server/src/api/routes/tests/permissions.spec.ts

@@ -1,5 +1,5 @@
 import { roles } from "@budibase/backend-core"
-import { Document, PermissionLevel, Row, Table, ViewV2 } from "@budibase/types"
+import { Document, PermissionLevel, Row } from "@budibase/types"
 import * as setup from "./utilities"
 import { generator, mocks } from "@budibase/backend-core/tests"
 
@@ -9,13 +9,11 @@ const { BUILTIN_ROLE_IDS } = roles
 const HIGHER_ROLE_ID = BUILTIN_ROLE_IDS.BASIC
 const STD_ROLE_ID = BUILTIN_ROLE_IDS.PUBLIC
 
+const DEFAULT_TABLE_ROLE_ID = BUILTIN_ROLE_IDS.ADMIN
+
 describe("/permission", () => {
   let request = setup.getRequest()
   let config = setup.getConfig()
-  let table: Table & { _id: string }
-  let perms: Document[]
-  let row: Row
-  let view: ViewV2
 
   afterAll(setup.afterAll)
 
@@ -25,18 +23,6 @@ describe("/permission", () => {
 
   beforeEach(async () => {
     mocks.licenses.useCloudFree()
-
-    table = (await config.createTable()) as typeof table
-    row = await config.createRow()
-    view = await config.api.viewV2.create({
-      tableId: table._id!,
-      name: generator.guid(),
-    })
-    perms = await config.api.permission.add({
-      roleId: STD_ROLE_ID,
-      resourceId: table._id,
-      level: PermissionLevel.READ,
-    })
   })
 
   describe("levels", () => {
@@ -54,137 +40,251 @@ describe("/permission", () => {
     })
   })
 
-  describe("add", () => {
-    it("should be able to add permission to a role for the table", async () => {
-      expect(perms.length).toEqual(1)
-      expect(perms[0]._id).toEqual(`${STD_ROLE_ID}`)
-    })
+  describe("table permissions", () => {
+    let tableId: string
 
-    it("should get the resource permissions", async () => {
-      const res = await request
-        .get(`/api/permission/${table._id}`)
-        .set(config.defaultHeaders())
-        .expect("Content-Type", /json/)
-        .expect(200)
-      expect(res.body).toEqual({
-        permissions: {
-          read: { permissionType: "EXPLICIT", role: STD_ROLE_ID },
-          write: { permissionType: "BASE", role: HIGHER_ROLE_ID },
-        },
-      })
-    })
-
-    it("should get resource permissions with multiple roles", async () => {
-      perms = await config.api.permission.add({
-        roleId: HIGHER_ROLE_ID,
-        resourceId: table._id,
-        level: PermissionLevel.WRITE,
-      })
-      const res = await config.api.permission.get(table._id)
-      expect(res).toEqual({
-        permissions: {
-          read: { permissionType: "EXPLICIT", role: STD_ROLE_ID },
-          write: { permissionType: "EXPLICIT", role: HIGHER_ROLE_ID },
-        },
-      })
-
-      const allRes = await request
-        .get(`/api/permission`)
-        .set(config.defaultHeaders())
-        .expect("Content-Type", /json/)
-        .expect(200)
-      expect(allRes.body[table._id]["read"]).toEqual(STD_ROLE_ID)
-      expect(allRes.body[table._id]["write"]).toEqual(HIGHER_ROLE_ID)
-    })
-  })
-
-  describe("remove", () => {
-    it("should be able to remove the permission", async () => {
-      const res = await config.api.permission.revoke({
-        roleId: STD_ROLE_ID,
-        resourceId: table._id,
-        level: PermissionLevel.READ,
-      })
-      expect(res[0]._id).toEqual(STD_ROLE_ID)
-      const permsRes = await config.api.permission.get(table._id)
-      expect(permsRes.permissions[STD_ROLE_ID]).toBeUndefined()
-    })
-  })
-
-  describe("check public user allowed", () => {
-    it("should be able to read the row", async () => {
-      // replicate changes before checking permissions
-      await config.publish()
-
-      const res = await request
-        .get(`/api/${table._id}/rows`)
-        .set(config.publicHeaders())
-        .expect("Content-Type", /json/)
-        .expect(200)
-      expect(res.body[0]._id).toEqual(row._id)
-    })
-
-    it("should be able to access the view data when the table is set to public and with no view permissions overrides", async () => {
-      // Make view inherit table permissions. Needed for backwards compatibility with existing views.
-      await config.api.permission.revoke({
-        roleId: STD_ROLE_ID,
-        resourceId: view.id,
-        level: PermissionLevel.READ,
-      })
-
-      // replicate changes before checking permissions
-      await config.publish()
-
-      const res = await config.api.viewV2.publicSearch(view.id)
-      expect(res.rows[0]._id).toEqual(row._id)
-    })
-
-    it("should not be able to access the view data when the table is not public and there are no view permissions overrides", async () => {
-      await config.api.permission.revoke({
-        roleId: STD_ROLE_ID,
-        resourceId: table._id,
-        level: PermissionLevel.READ,
-      })
-
-      // Make view inherit table permissions. Needed for backwards compatibility with existing views.
-      await config.api.permission.revoke({
-        roleId: STD_ROLE_ID,
-        resourceId: view.id,
-        level: PermissionLevel.READ,
-      })
-
-      // replicate changes before checking permissions
-      await config.publish()
-
-      await config.api.viewV2.publicSearch(view.id, undefined, { status: 401 })
-    })
-
-    it("should use the view permissions", async () => {
+    beforeEach(async () => {
+      const table = await config.createTable()
+      tableId = table._id!
       await config.api.permission.add({
         roleId: STD_ROLE_ID,
-        resourceId: view.id,
+        resourceId: tableId,
         level: PermissionLevel.READ,
       })
-      await config.api.permission.revoke({
-        roleId: STD_ROLE_ID,
-        resourceId: table._id,
-        level: PermissionLevel.READ,
-      })
-      // replicate changes before checking permissions
-      await config.publish()
-
-      const res = await config.api.viewV2.publicSearch(view.id)
-      expect(res.rows[0]._id).toEqual(row._id)
     })
 
-    it("shouldn't allow writing from a public user", async () => {
-      const res = await request
-        .post(`/api/${table._id}/rows`)
-        .send(basicRow(table._id))
-        .set(config.publicHeaders())
-        .expect("Content-Type", /json/)
-        .expect(401)
-      expect(res.status).toEqual(401)
+    it("tables should be defaulted to admin", async () => {
+      const table = await config.createTable()
+      const { permissions } = await config.api.permission.get(table._id!)
+      expect(permissions).toEqual({
+        read: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+        },
+        write: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+        },
+      })
+    })
+
+    describe("add", () => {
+      it("should be able to add permission to a role for the table", async () => {
+        const res = await request
+          .get(`/api/permission/${tableId}`)
+          .set(config.defaultHeaders())
+          .expect("Content-Type", /json/)
+          .expect(200)
+        expect(res.body).toEqual({
+          permissions: {
+            read: { permissionType: "EXPLICIT", role: STD_ROLE_ID },
+            write: { permissionType: "EXPLICIT", role: DEFAULT_TABLE_ROLE_ID },
+          },
+        })
+      })
+
+      it("should get resource permissions with multiple roles", async () => {
+        await config.api.permission.add({
+          roleId: HIGHER_ROLE_ID,
+          resourceId: tableId,
+          level: PermissionLevel.WRITE,
+        })
+        const res = await config.api.permission.get(tableId)
+        expect(res).toEqual({
+          permissions: {
+            read: { permissionType: "EXPLICIT", role: STD_ROLE_ID },
+            write: { permissionType: "EXPLICIT", role: HIGHER_ROLE_ID },
+          },
+        })
+
+        const allRes = await request
+          .get(`/api/permission`)
+          .set(config.defaultHeaders())
+          .expect("Content-Type", /json/)
+          .expect(200)
+        expect(allRes.body[tableId]["read"]).toEqual(STD_ROLE_ID)
+        expect(allRes.body[tableId]["write"]).toEqual(HIGHER_ROLE_ID)
+      })
+    })
+
+    describe("remove", () => {
+      it("should be able to remove the permission", async () => {
+        await config.api.permission.revoke({
+          roleId: STD_ROLE_ID,
+          resourceId: tableId,
+          level: PermissionLevel.READ,
+        })
+
+        const permsRes = await config.api.permission.get(tableId)
+        expect(permsRes.permissions[STD_ROLE_ID]).toBeUndefined()
+      })
+    })
+
+    describe("check public user allowed", () => {
+      let viewId: string
+      let row: Row
+
+      beforeEach(async () => {
+        const view = await config.api.viewV2.create({
+          tableId,
+          name: generator.guid(),
+        })
+        viewId = view.id
+        row = await config.createRow()
+      })
+
+      it("should be able to read the row", async () => {
+        // replicate changes before checking permissions
+        await config.publish()
+
+        const res = await request
+          .get(`/api/${tableId}/rows`)
+          .set(config.publicHeaders())
+          .expect("Content-Type", /json/)
+          .expect(200)
+        expect(res.body[0]._id).toEqual(row._id)
+      })
+
+      it("should be able to access the view data when the table is set to public and with no view permissions overrides", async () => {
+        // Make view inherit table permissions. Needed for backwards compatibility with existing views.
+        await config.api.permission.revoke({
+          roleId: STD_ROLE_ID,
+          resourceId: viewId,
+          level: PermissionLevel.READ,
+        })
+
+        // replicate changes before checking permissions
+        await config.publish()
+
+        const res = await config.api.viewV2.publicSearch(viewId)
+        expect(res.rows[0]._id).toEqual(row._id)
+      })
+
+      it("should not be able to access the view data when the table is not public and there are no view permissions overrides", async () => {
+        await config.api.permission.revoke({
+          roleId: STD_ROLE_ID,
+          resourceId: tableId,
+          level: PermissionLevel.READ,
+        })
+
+        // Make view inherit table permissions. Needed for backwards compatibility with existing views.
+        await config.api.permission.revoke({
+          roleId: STD_ROLE_ID,
+          resourceId: viewId,
+          level: PermissionLevel.READ,
+        })
+
+        // replicate changes before checking permissions
+        await config.publish()
+
+        await config.api.viewV2.publicSearch(viewId, undefined, {
+          status: 401,
+        })
+      })
+
+      it("should use the view permissions", async () => {
+        await config.api.permission.add({
+          roleId: STD_ROLE_ID,
+          resourceId: viewId,
+          level: PermissionLevel.READ,
+        })
+        await config.api.permission.revoke({
+          roleId: STD_ROLE_ID,
+          resourceId: tableId,
+          level: PermissionLevel.READ,
+        })
+        // replicate changes before checking permissions
+        await config.publish()
+
+        const res = await config.api.viewV2.publicSearch(viewId)
+        expect(res.rows[0]._id).toEqual(row._id)
+      })
+
+      it("shouldn't allow writing from a public user", async () => {
+        const res = await request
+          .post(`/api/${tableId}/rows`)
+          .send(basicRow(tableId))
+          .set(config.publicHeaders())
+          .expect("Content-Type", /json/)
+          .expect(401)
+        expect(res.status).toEqual(401)
+      })
+    })
+  })
+
+  describe("view permissions", () => {
+    let tableId: string
+    let viewId: string
+
+    beforeEach(async () => {
+      const table = await config.createTable()
+      tableId = table._id!
+
+      const view = await config.api.viewV2.create({
+        tableId,
+        name: generator.guid(),
+      })
+      viewId = view.id
+    })
+
+    it("default permissions inherits and persists the table default value", async () => {
+      const { permissions } = await config.api.permission.get(viewId)
+      expect(permissions).toEqual({
+        read: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+          inheritablePermission: DEFAULT_TABLE_ROLE_ID,
+        },
+        write: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+          inheritablePermission: DEFAULT_TABLE_ROLE_ID,
+        },
+      })
+    })
+
+    it("does not update view permissions once persisted, even if table permissions change", async () => {
+      await config.api.permission.add({
+        roleId: STD_ROLE_ID,
+        resourceId: tableId,
+        level: PermissionLevel.READ,
+      })
+
+      const { permissions } = await config.api.permission.get(viewId)
+      expect(permissions).toEqual({
+        read: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+          inheritablePermission: STD_ROLE_ID,
+        },
+        write: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+          inheritablePermission: DEFAULT_TABLE_ROLE_ID,
+        },
+      })
+    })
+
+    it("can sets permissions inherits explicit view permissions", async () => {
+      await config.api.permission.add({
+        roleId: HIGHER_ROLE_ID,
+        resourceId: viewId,
+        level: PermissionLevel.WRITE,
+      })
+
+      const { permissions } = await config.api.permission.get(viewId)
+      expect(permissions).toEqual({
+        read: {
+          permissionType: "EXPLICIT",
+          role: DEFAULT_TABLE_ROLE_ID,
+          inheritablePermission: DEFAULT_TABLE_ROLE_ID,
+        },
+        write: {
+          permissionType: "EXPLICIT",
+          role: HIGHER_ROLE_ID,
+          inheritablePermission: DEFAULT_TABLE_ROLE_ID,
+        },
+      })
     })
   })
 

packages/server/src/migrations/tests/index.spec.ts

@@ -71,7 +71,7 @@ describe("migrations", () => {
         expect(events.datasource.created).toHaveBeenCalledTimes(2)
         expect(events.layout.created).toHaveBeenCalledTimes(1)
         expect(events.query.created).toHaveBeenCalledTimes(2)
-        expect(events.role.created).toHaveBeenCalledTimes(2)
+        expect(events.role.created).toHaveBeenCalledTimes(3) // created roles + admin (created on table creation)
         expect(events.table.created).toHaveBeenCalledTimes(3)
         expect(events.view.created).toHaveBeenCalledTimes(2)
         expect(events.view.calculationCreated).toHaveBeenCalledTimes(1)
@@ -82,7 +82,7 @@ describe("migrations", () => {
         // to make sure caching is working as expected
         expect(
           events.processors.analyticsProcessor.processEvent
-        ).toHaveBeenCalledTimes(23)
+        ).toHaveBeenCalledTimes(24) // Addtion of of the events above
       })
     })
   })

packages/server/src/sdk/app/permissions/index.ts

@@ -185,6 +185,26 @@ export async function updatePermissionOnRole(
   })
 }
 
+export async function setPermissions(
+  resourceId: string,
+  {
+    writeRole,
+    readRole,
+  }: {
+    writeRole: string
+    readRole: string
+  }
+) {
+  await updatePermissionOnRole(
+    { roleId: writeRole, resourceId, level: PermissionLevel.WRITE },
+    PermissionUpdateType.ADD
+  )
+  await updatePermissionOnRole(
+    { roleId: readRole, resourceId, level: PermissionLevel.READ },
+    PermissionUpdateType.ADD
+  )
+}
+
 // utility function to stop this repetition - permissions always stored under roles
 export async function getAllDBRoles(db: Database) {
   const body = await db.allDocs<Role>(

packages/server/src/sdk/app/tables/create.ts

@@ -3,6 +3,8 @@ import { Row, Table } from "@budibase/types"
 import * as external from "./external"
 import * as internal from "./internal"
 import { isExternal } from "./utils"
+import { setPermissions } from "../permissions"
+import { roles } from "@budibase/backend-core"
 
 export async function create(
   table: Omit<Table, "_id" | "_rev">,
@@ -15,5 +17,11 @@ export async function create(
   } else {
     createdTable = await internal.create(table, rows, userId)
   }
+
+  await setPermissions(createdTable._id!, {
+    writeRole: roles.BUILTIN_ROLE_IDS.ADMIN,
+    readRole: roles.BUILTIN_ROLE_IDS.ADMIN,
+  })
+
   return createdTable
 }

packages/server/src/sdk/app/views/index.ts

@@ -13,7 +13,7 @@ import {
   ViewV2ColumnEnriched,
   ViewV2Enriched,
 } from "@budibase/types"
-import { context, docIds, HTTPError, roles } from "@budibase/backend-core"
+import { context, docIds, HTTPError } from "@budibase/backend-core"
 import {
   helpers,
   PROTECTED_EXTERNAL_COLUMNS,
@@ -26,7 +26,6 @@ import { isExternalTableID } from "../../../integrations/utils"
 import * as internal from "./internal"
 import * as external from "./external"
 import sdk from "../../../sdk"
-import { PermissionUpdateType, updatePermissionOnRole } from "../permissions"
 
 function pickApi(tableId: any) {
   if (isExternalTableID(tableId)) {
@@ -247,24 +246,10 @@ export async function create(
 
   // Set permissions to be the same as the table
   const tablePerms = await sdk.permissions.getResourcePerms(tableId)
-  const readRole = tablePerms[PermissionLevel.READ]?.role
-  const writeRole = tablePerms[PermissionLevel.WRITE]?.role
-  await updatePermissionOnRole(
-    {
-      roleId: readRole || roles.BUILTIN_ROLE_IDS.BASIC,
-      resourceId: view.id,
-      level: PermissionLevel.READ,
-    },
-    PermissionUpdateType.ADD
-  )
-  await updatePermissionOnRole(
-    {
-      roleId: writeRole || roles.BUILTIN_ROLE_IDS.BASIC,
-      resourceId: view.id,
-      level: PermissionLevel.WRITE,
-    },
-    PermissionUpdateType.ADD
-  )
+  await sdk.permissions.setPermissions(view.id, {
+    writeRole: tablePerms[PermissionLevel.WRITE].role,
+    readRole: tablePerms[PermissionLevel.READ].role,
+  })
 
   return view
 }

packages/server/src/tests/utilities/api/permission.ts

@@ -1,6 +1,7 @@
 import {
   AddPermissionRequest,
   AddPermissionResponse,
+  FetchResourcePermissionInfoResponse,
   GetResourcePermsResponse,
   RemovePermissionRequest,
   RemovePermissionResponse,
@@ -26,6 +27,15 @@ export class PermissionAPI extends TestAPI {
     )
   }
 
+  fetch = async (
+    expectations?: Expectations
+  ): Promise<FetchResourcePermissionInfoResponse> => {
+    return await this._get<FetchResourcePermissionInfoResponse>(
+      `/api/permission`,
+      { expectations }
+    )
+  }
+
   revoke = async (
     request: RemovePermissionRequest,
     expectations?: Expectations

packages/server/src/utilities/security.ts

@@ -1,5 +1,6 @@
 import { permissions, roles } from "@budibase/backend-core"
 import { DocumentType, VirtualDocumentType } from "../db/utils"
+import { getDocumentType, getVirtualDocumentType } from "@budibase/types"
 
 export const CURRENTLY_SUPPORTED_LEVELS: string[] = [
   permissions.PermissionLevel.WRITE,
@@ -8,13 +9,16 @@ export const CURRENTLY_SUPPORTED_LEVELS: string[] = [
 ]
 
 export function getPermissionType(resourceId: string) {
-  const docType = Object.values(DocumentType).filter(docType =>
-    resourceId.startsWith(docType)
-  )[0]
-  switch (docType as DocumentType | VirtualDocumentType) {
+  const virtualDocType = getVirtualDocumentType(resourceId)
+  switch (virtualDocType) {
+    case VirtualDocumentType.VIEW:
+      return permissions.PermissionType.TABLE
+  }
+
+  const docType = getDocumentType(resourceId)
+  switch (docType) {
     case DocumentType.TABLE:
     case DocumentType.ROW:
-    case VirtualDocumentType.VIEW:
       return permissions.PermissionType.TABLE
     case DocumentType.AUTOMATION:
       return permissions.PermissionType.AUTOMATION
@@ -32,22 +36,25 @@ export function getPermissionType(resourceId: string) {
 /**
  *  works out the basic permissions based on builtin roles for a resource, using its ID
  */
-export function getBasePermissions(resourceId: string) {
+export function getBasePermissions(resourceId: string): Record<string, string> {
   const type = getPermissionType(resourceId)
-  const basePermissions: { [key: string]: string } = {}
+  const basePermissions: Record<string, string> = {}
   for (let [roleId, role] of Object.entries(roles.getBuiltinRoles())) {
     if (!role.permissionId) {
       continue
     }
+
     const perms = permissions.getBuiltinPermissionByID(role.permissionId)
     if (!perms) {
       continue
     }
+
     const typedPermission = perms.permissions.find(perm => perm.type === type)
-    if (
-      typedPermission &&
-      CURRENTLY_SUPPORTED_LEVELS.indexOf(typedPermission.level) !== -1
-    ) {
+    if (!typedPermission) {
+      continue
+    }
+
+    if (CURRENTLY_SUPPORTED_LEVELS.includes(typedPermission.level)) {
       const level = typedPermission.level
       basePermissions[level] = roles.lowerBuiltinRoleID(
         basePermissions[level],

packages/types/src/api/web/app/permission.ts

@@ -1,5 +1,9 @@
 import { PermissionLevel } from "../../../sdk"
 
+export interface FetchResourcePermissionInfoResponse {
+  [key: string]: Record<string, string>
+}
+
 export interface ResourcePermissionInfo {
   role: string
   permissionType: string
@@ -21,7 +25,7 @@ export interface AddedPermission {
   reason?: string
 }
 
-export type AddPermissionResponse = AddedPermission[]
+export interface AddPermissionResponse {}
 
 export interface AddPermissionRequest {
   roleId: string
@@ -30,4 +34,4 @@ export interface AddPermissionRequest {
 }
 
 export interface RemovePermissionRequest extends AddPermissionRequest {}
-export interface RemovePermissionResponse extends AddPermissionResponse {}
+export interface RemovePermissionResponse {}

packages/types/src/documents/document.ts

@@ -42,6 +42,17 @@ export enum DocumentType {
   ROW_ACTIONS = "ra",
 }
 
+// Because DocumentTypes can overlap, we need to make sure that we search
+// longest first to ensure we get the correct type.
+const sortedDocumentTypes = Object.values(DocumentType).sort(
+  (a, b) => b.length - a.length // descending
+)
+export function getDocumentType(id: string): DocumentType | undefined {
+  return sortedDocumentTypes.find(docType =>
+    id.startsWith(`${docType}${SEPARATOR}`)
+  )
+}
+
 // these are the core documents that make up the data, design
 // and automation sections of an app. This excludes any internal
 // rows as we shouldn't import data.
@@ -72,6 +83,19 @@ export enum VirtualDocumentType {
   ROW_ACTION = "row_action",
 }
 
+// Because VirtualDocumentTypes can overlap, we need to make sure that we search
+// longest first to ensure we get the correct type.
+const sortedVirtualDocumentTypes = Object.values(VirtualDocumentType).sort(
+  (a, b) => b.length - a.length // descending
+)
+export function getVirtualDocumentType(
+  id: string
+): VirtualDocumentType | undefined {
+  return sortedVirtualDocumentTypes.find(docType =>
+    id.startsWith(`${docType}${SEPARATOR}`)
+  )
+}
+
 export interface Document {
   _id?: string
   _rev?: string