Re-writing APIs based on most recent discussion about RBAC and per app builders.

2023-07-24 18:29:46 +01:00 · 2023-07-24 18:29:46 +01:00 · d9c8e26f65
parent c375f860ba
commit d9c8e26f65
4 changed files with 64 additions and 15 deletions
--- a/packages/types/src/api/web/user.ts
+++ b/packages/types/src/api/web/user.ts
@ -85,10 +85,3 @@ export interface AcceptUserInviteResponse {
 export interface SyncUserRequest {
  previousUser?: User
 }
-
-export interface AddAppBuilderRequest {
-  userId: string
-  appId: string
-}
-
-export interface RemoveAppBuilderRequest {}
--- a/packages/types/src/documents/global/user.ts
+++ b/packages/types/src/documents/global/user.ts
@ -43,6 +43,7 @@ export interface User extends Document {
  roles: UserRoles
  builder?: {
    global?: boolean
+    appBuilder?: boolean
    apps?: string[]
  }
  admin?: {
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -8,8 +8,6 @@ import env from "../../../environment"
 import {
  AcceptUserInviteRequest,
  AcceptUserInviteResponse,
-  AddAppBuilderRequest,
-  RemoveAppBuilderRequest,
  BulkUserRequest,
  BulkUserResponse,
  CloudAccount,
@ -32,6 +30,7 @@ import {
  tenancy,
  platform,
  ErrorCode,
+  db as dbCore,
 } from "@budibase/backend-core"
 import { checkAnyUserExists } from "../../../utilities/users"
 import { isEmailConfigured } from "../../../utilities/email"
@ -434,8 +433,57 @@ export const inviteAccept = async (
  }
 }

-export const addAppBuilder = async (ctx: Ctx<AddAppBuilderRequest, void>) => {}
+export const grantAppBuilder = async (ctx: Ctx) => {
+  const { userId } = ctx.params
+  const user = await userSdk.getUser(userId)
+  if (!user.builder) {
+    user.builder = {}
+  }
+  user.builder.appBuilder = true
+  await userSdk.save(user, { hashPassword: false })
+  ctx.body = { message: `User "${user.email}" granted app builder permissions` }
+}

-export const removeAppBuilder = async (
-  ctx: Ctx<RemoveAppBuilderRequest, void>
-) => {}
+export const addAppBuilder = async (ctx: Ctx) => {
+  const { userId, appId } = ctx.params
+  const user = await userSdk.getUser(userId)
+  if (!user.builder?.global || user.admin?.global) {
+    ctx.body = { message: "User already admin - no permissions updated." }
+    return
+  }
+  if (!user.builder?.appBuilder) {
+    ctx.throw(
+      400,
+      "Unable to update access, user must be granted app builder permissions."
+    )
+  }
+  const prodAppId = dbCore.getProdAppID(appId)
+  if (!user.builder.apps) {
+    user.builder.apps = []
+  }
+  user.builder.apps.push(prodAppId)
+  await userSdk.save(user, { hashPassword: false })
+  ctx.body = { message: `User "${user.email}" app builder access updated.` }
+}
+
+export const removeAppBuilder = async (ctx: Ctx) => {
+  const { userId, appId } = ctx.params
+  const user = await userSdk.getUser(userId)
+  if (!user.builder?.global || user.admin?.global) {
+    ctx.body = { message: "User already admin - no permissions removed." }
+    return
+  }
+  if (!user.builder?.appBuilder) {
+    ctx.throw(
+      400,
+      "Unable to update access, user must be granted app builder permissions."
+    )
+  }
+  const prodAppId = dbCore.getProdAppID(appId)
+  const indexOf = user.builder?.apps?.indexOf(prodAppId)
+  if (indexOf && indexOf !== -1) {
+    user.builder.apps = user.builder.apps!.splice(indexOf, 1)
+  }
+  await userSdk.save(user, { hashPassword: false })
+  ctx.body = { message: `User "${user.email}" app builder access removed.` }
+}
--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
@ -122,6 +122,15 @@ router
    buildAdminInitValidation(),
    controller.adminUser
  )
+  .post("/api/global/users/:userId/app/builder", controller.grantAppBuilder)
+  .patch(
+    "/api/global/users/:userId/app/:appId/builder",
+    controller.addAppBuilder
+  )
+  .delete(
+    "/api/global/users/:userId/app/:appId/builder",
+    controller.removeAppBuilder
+  )
  .get("/api/global/users/tenant/:id", controller.tenantUserLookup)
  // global endpoint but needs to come at end (blocks other endpoints otherwise)
  .get("/api/global/users/:id", auth.builderOrAdmin, controller.find)
@ -132,7 +141,5 @@ router
    users.buildUserSaveValidation(),
    selfController.updateSelf
  )
-  .post("/api/global/users/builder", controller.addAppBuilder)
-  .delete("/api/global/users/builder", controller.removeAppBuilder)

 export default router