58 lines
1.8 KiB
TypeScript
58 lines
1.8 KiB
TypeScript
import { Next } from "koa"
|
|
import { PermissionLevel, PermissionType, UserCtx } from "@budibase/types"
|
|
import { docIds } from "@budibase/backend-core"
|
|
import * as utils from "../db/utils"
|
|
import sdk from "../sdk"
|
|
import { authorizedResource } from "./authorized"
|
|
|
|
export function triggerRowActionAuthorised(
|
|
sourcePath: string,
|
|
actionPath: string
|
|
) {
|
|
return async (ctx: UserCtx, next: Next) => {
|
|
async function getResourceIds() {
|
|
const sourceId: string = ctx.params[sourcePath]
|
|
const rowActionId: string = ctx.params[actionPath]
|
|
|
|
const isTableId = docIds.isTableId(sourceId)
|
|
const isViewId = docIds.isViewId(sourceId)
|
|
if (!isTableId && !isViewId) {
|
|
ctx.throw(400, `'${sourceId}' is not a valid source id`)
|
|
}
|
|
|
|
const tableId = isTableId
|
|
? sourceId
|
|
: utils.extractViewInfoFromID(sourceId).tableId
|
|
const viewId = isTableId ? undefined : sourceId
|
|
return { tableId, viewId, rowActionId }
|
|
}
|
|
|
|
const { tableId, viewId, rowActionId } = await getResourceIds()
|
|
|
|
// Check if the user has permissions to the table/view
|
|
await authorizedResource(
|
|
!viewId ? PermissionType.TABLE : PermissionType.VIEW,
|
|
PermissionLevel.READ,
|
|
sourcePath
|
|
)(ctx, () => {})
|
|
|
|
// Check is the row action can run for the given view/table
|
|
const rowAction = await sdk.rowActions.get(tableId, rowActionId)
|
|
if (!viewId && !rowAction.permissions.table.runAllowed) {
|
|
ctx.throw(
|
|
403,
|
|
`Row action '${rowActionId}' is not enabled for table '${tableId}'`
|
|
)
|
|
} else if (viewId && !rowAction.permissions.views[viewId]?.runAllowed) {
|
|
ctx.throw(
|
|
403,
|
|
`Row action '${rowActionId}' is not enabled for view '${viewId}'`
|
|
)
|
|
}
|
|
|
|
// Enrich tableId
|
|
ctx.params.tableId = tableId
|
|
return next()
|
|
}
|
|
}
|