From fe31f88cc8d4a01833c892921b05f474d51a1b8c Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Wed, 10 Jul 2024 15:48:16 +0200
Subject: [PATCH] Add validation
---
 packages/server/src/api/routes/rowAction.ts | 13 ++++++++++++-
 .../server/src/api/routes/tests/rowAction.spec.ts | 13 +++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/packages/server/src/api/routes/rowAction.ts b/packages/server/src/api/routes/rowAction.ts
index 7bc50377b8..18a87cd677 100644
--- a/packages/server/src/api/routes/rowAction.ts
+++ b/packages/server/src/api/routes/rowAction.ts
@@ -2,10 +2,19 @@
 import Router from "@koa/router"
 import * as rowActionController from "../controllers/rowAction"
 import { authorizedResource } from "../../middleware/authorized"
-import { permissions } from "@budibase/backend-core"
+import { middleware, permissions } from "@budibase/backend-core"
+import Joi from "joi"
 const { PermissionLevel, PermissionType } = permissions
+export function rowActionValidator() {
+ return middleware.joiValidator.body(
+ Joi.object({
+ name: Joi.string().required(),
+ })
+ )
+}
+
 const router: Router = new Router()
 // CRUD endpoints
@@ -18,11 +27,13 @@ router
 .post(
 "/api/tables/:tableId/actions",
 authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+ rowActionValidator(),
 rowActionController.create
 )
 .put(
 "/api/tables/:tableId/actions/:actionId",
 authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+ rowActionValidator(),
 rowActionController.update
 )
 .delete(
diff --git a/packages/server/src/api/routes/tests/rowAction.spec.ts b/packages/server/src/api/routes/tests/rowAction.spec.ts
index ac0bff4781..f372938b23 100644
--- a/packages/server/src/api/routes/tests/rowAction.spec.ts
+++ b/packages/server/src/api/routes/tests/rowAction.spec.ts
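Review bot: In `rowActionValidator` (first hunk of packages/server/src/api/routes/rowAction.ts) the schema only requires `name` to be a present string, so the length of the stored name is unbounded for any caller who can reach the route. Consider capping it, for example `name: Joi.string().max(MAX_ROW_ACTION_NAME_LENGTH).required(),`, where `MAX_ROW_ACTION_NAME_LENGTH` is a placeholder for a limit the project picks. Whether unexpected body keys are rejected depends on how `middleware.joiValidator.body` applies the schema, which this hunk does not show; a one-line comment above the function stating the intended behaviour would make that explicit.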
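Review bot: The `.post` and `.put` routes in the second hunk of rowAction.ts gain body validation but are still gated by `authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId")`, so a caller holding only read permission on the table reaches the controllers that create and update row actions. If that is not intended, both guards should require write access, e.g. `authorizedResource(PermissionType.TABLE, PermissionLevel.WRITE, "tableId"),`. If read access is deliberate, a short comment on these routes saying why would stop it being read as an oversight. The `.delete(` route begins at the end of this hunk and its guard lies outside it, so it should be checked as well.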
@@ -71,6 +71,19 @@ describe("/rowsActions", () => {
 expect(res).toEqual({})
 })
+
+ it("rejects with bad request when creating with no name", async () => {
+ const rowAction: CreateRowActionRequest = {
+ name: undefined as any,
+ }
+
+ await config.api.rowAction.save(table._id!, rowAction, {
+ status: 400,
+ body: {
+ message: 'Invalid body - "name" is required',
+ },
+ })
+ })
 })
 describe("find", () => {
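Review bot: The added test exercises only the create path with a missing `name`, while the same commit also puts `rowActionValidator()` on the PUT route, which gets no rejection test in this hunk. A matching case for update, plus cases where `name` is an empty string or a non-string value, would catch a later loosening of the schema on either route. The enclosing `describe` block starts outside the hunk, so existing coverage of those cases cannot be ruled out from here.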