Merge branch 'master' into feat/pick-relationship-fields

jrgochan · Sep 3, 2024 · 3cee97a · 3cee97a
2 parents fc3684c + 66fdf03
commit 3cee97a
Show file tree

Hide file tree

Showing 19 changed files with 1,209 additions and 434 deletions.
diff --git a/packages/backend-core/src/docIds/params.ts b/packages/backend-core/src/docIds/params.ts
@@ -71,7 +71,7 @@ export function getQueryIndex(viewName: ViewName) {
 export const isTableId = (id: string) => {
   // this includes datasource plus tables
   return (
-    id &&
+    !!id &&
     (id.startsWith(`${DocumentType.TABLE}${SEPARATOR}`) ||
       id.startsWith(`${DocumentType.DATASOURCE_PLUS}${SEPARATOR}`))
   )

diff --git a/packages/server/src/api/controllers/rowAction/crud.ts b/packages/server/src/api/controllers/rowAction/crud.ts
@@ -26,7 +26,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
     return
   }
 
-  const { actions } = await sdk.rowActions.get(table._id!)
+  const { actions } = await sdk.rowActions.getAll(table._id!)
   const result: RowActionsResponse = {
     actions: Object.entries(actions).reduce<Record<string, RowActionResponse>>(
       (acc, [key, action]) => ({
@@ -36,6 +36,7 @@ export async function find(ctx: Ctx<void, RowActionsResponse>) {
           tableId: table._id!,
           name: action.name,
           automationId: action.automationId,
+          allowedViews: flattenAllowedViews(action.permissions.views),
         },
       }),
       {}
@@ -58,6 +59,7 @@ export async function create(
     id: createdAction.id,
     name: createdAction.name,
     automationId: createdAction.automationId,
+    allowedViews: undefined,
   }
   ctx.status = 201
 }
@@ -77,6 +79,7 @@ export async function update(
     id: action.id,
     name: action.name,
     automationId: action.automationId,
+    allowedViews: undefined,
   }
 }
 
@@ -87,3 +90,53 @@ export async function remove(ctx: Ctx<void, void>) {
   await sdk.rowActions.remove(table._id!, actionId)
   ctx.status = 204
 }
+
+export async function setViewPermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const { actionId, viewId } = ctx.params
+
+  const action = await sdk.rowActions.setViewPermission(
+    table._id!,
+    actionId,
+    viewId
+  )
+  ctx.body = {
+    tableId: table._id!,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedViews: flattenAllowedViews(action.permissions.views),
+  }
+}
+
+export async function unsetViewPermission(ctx: Ctx<void, RowActionResponse>) {
+  const table = await getTable(ctx)
+  const { actionId, viewId } = ctx.params
+
+  const action = await sdk.rowActions.unsetViewPermission(
+    table._id!,
+    actionId,
+    viewId
+  )
+
+  ctx.body = {
+    tableId: table._id!,
+    id: action.id,
+    name: action.name,
+    automationId: action.automationId,
+    allowedViews: flattenAllowedViews(action.permissions.views),
+  }
+}
+
+function flattenAllowedViews(
+  permissions: Record<string, { runAllowed: boolean }>
+) {
+  const allowedPermissions = Object.entries(permissions || {})
+    .filter(([_, p]) => p.runAllowed)
+    .map(([viewId]) => viewId)
+  if (!allowedPermissions.length) {
+    return undefined
+  }
+
+  return allowedPermissions
+}
diff --git a/packages/server/src/api/routes/rowAction.ts b/packages/server/src/api/routes/rowAction.ts
@@ -2,9 +2,10 @@ import Router from "@koa/router"
 import Joi from "joi"
 import { middleware, permissions } from "@budibase/backend-core"
 import * as rowActionController from "../controllers/rowAction"
-import { authorizedResource } from "../../middleware/authorized"
+import authorized from "../../middleware/authorized"
+import { triggerRowActionAuthorised } from "../../middleware/triggerRowActionAuthorised"
 
-const { PermissionLevel, PermissionType } = permissions
+const { BUILDER } = permissions
 
 function rowActionValidator() {
   return middleware.joiValidator.body(
@@ -30,32 +31,42 @@ const router: Router = new Router()
 router
   .get(
     "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.find
   )
   .post(
     "/api/tables/:tableId/actions",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionValidator(),
     rowActionController.create
   )
   .put(
     "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionValidator(),
     rowActionController.update
   )
   .delete(
     "/api/tables/:tableId/actions/:actionId",
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    authorized(BUILDER),
     rowActionController.remove
   )
+  .post(
+    "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
+    authorized(BUILDER),
+    rowActionController.setViewPermission
+  )
+  .delete(
+    "/api/tables/:tableId/actions/:actionId/permissions/:viewId",
+    authorized(BUILDER),
+    rowActionController.unsetViewPermission
+  )
 
   // Other endpoints
   .post(
-    "/api/tables/:tableId/actions/:actionId/trigger",
+    "/api/tables/:sourceId/actions/:actionId/trigger",
     rowTriggerValidator(),
-    authorizedResource(PermissionType.TABLE, PermissionLevel.READ, "tableId"),
+    triggerRowActionAuthorised("sourceId", "actionId"),
     rowActionController.run
   )