Updating a few core endpoints to better integrate the groups system and make sure users always have the correct role ID updated onto them.

2022-09-22 18:27:43 +01:00 · 2022-09-22 18:27:43 +01:00 · e3f054470a
parent 429a89159c
commit e3f054470a
4 changed files with 28 additions and 8 deletions
--- a/packages/backend-core/src/security/roles.js
+++ b/packages/backend-core/src/security/roles.js
@ -78,7 +78,7 @@ function isBuiltin(role) {
 */
 exports.builtinRoleToNumber = id => {
  const builtins = exports.getBuiltinRoles()
-  const MAX = Object.values(BUILTIN_IDS).length + 1
+  const MAX = Object.values(builtins).length + 1
  if (id === BUILTIN_IDS.ADMIN || id === BUILTIN_IDS.BUILDER) {
    return MAX
  }
@ -94,6 +94,22 @@ exports.builtinRoleToNumber = id => {
  return count
 }

+/**
+ * Converts any role to a number, but has to be async to get the roles from db.
+ */
+exports.roleToNumber = async id => {
+  if (exports.isBuiltin(id)) {
+    return exports.builtinRoleToNumber(id)
+  }
+  const hierarchy = await exports.getUserRoleHierarchy(id)
+  for (let role of hierarchy) {
+    if (isBuiltin(role.inherits)) {
+      return exports.builtinRoleToNumber(role.inherits) + 1
+    }
+  }
+  return 0
+}
+
 /**
 * Returns whichever builtin roleID is lower.
 */
@ -172,7 +188,7 @@ async function getAllUserRoles(userRoleId) {
 * to determine if a user can access something that requires a specific role.
 * @param {string} userRoleId The user's role ID, this can be found in their access token.
 * @param {object} opts Various options, such as whether to only retrieve the IDs (default true).
- * @returns {Promise<string[]>} returns an ordered array of the roles, with the first being their
+ * @returns {Promise<string[]|object[]>} returns an ordered array of the roles, with the first being their
 * highest level of access and the last being the lowest level.
 */
 exports.getUserRoleHierarchy = async (userRoleId, opts = { idOnly: true }) => {
--- a/packages/server/src/middleware/authorized.ts
+++ b/packages/server/src/middleware/authorized.ts
@ -52,9 +52,9 @@ const checkAuthorizedResource = async (
 ) => {
  // get the user's roles
  const roleId = ctx.roleId || BUILTIN_ROLE_IDS.PUBLIC
-  const userRoles = await getUserRoleHierarchy(roleId, {
+  const userRoles = (await getUserRoleHierarchy(roleId, {
    idOnly: false,
-  })
+  })) as { _id: string }[]
  const permError = "User does not have permission"
  // check if the user has the required role
  if (resourceRoles.length > 0) {
--- a/packages/server/src/utilities/global.js
+++ b/packages/server/src/utilities/global.js
@ -43,9 +43,10 @@ exports.updateAppRole = (user, { appId } = {}) => {
 }

 async function checkGroupRoles(user, { appId } = {}) {
-  let roleId = await groups.getGroupRoleId(user, appId)
-  user.roleId = roleId
-
+  if (user.roleId && user.roleId !== BUILTIN_ROLE_IDS.PUBLIC) {
+    return user
+  }
+  user.roleId = await groups.getGroupRoleId(user, appId)
  return user
 }

--- a/packages/worker/src/api/controllers/global/self.ts
+++ b/packages/worker/src/api/controllers/global/self.ts
@ -10,6 +10,8 @@ import {
  encryption,
 } from "@budibase/backend-core"
 import env from "../../../environment"
+import { groups } from "@budibase/pro"
+import { enrichUserRolesFromGroups } from "../../../../../../../budibase-pro/packages/pro/src/sdk/groups"
 const { hash, platformLogout, getCookie, clearCookie, newid } = utils
 const { user: userCache } = cache

@ -115,7 +117,8 @@ export async function getSelf(ctx: any) {
  checkCurrentApp(ctx)

  // get the main body of the user
-  ctx.body = await users.getUser(userId)
+  const user = await users.getUser(userId)
+  ctx.body = await groups.enrichUserRolesFromGroups(user)

  // add the feature flags for this tenant
  const tenantId = tenancy.getTenantId()