budibase/packages/server/src/api/controllers/permission.js

const {
  BUILTIN_PERMISSIONS,
  PermissionLevels,
  PermissionTypes,
  higherPermission,
  getBuiltinPermissionByID,
  isPermissionLevelHigherThanRead,
} = require("../../utilities/security/permissions")
const {
  isBuiltin,
  getDBRoleID,
  getExternalRoleID,
  lowerBuiltinRoleID,
  BUILTIN_ROLES,
} = require("../../utilities/security/roles")
const { getRoleParams, DocumentTypes } = require("../../db/utils")
const CouchDB = require("../../db")
const { cloneDeep } = require("lodash/fp")

const PermissionUpdateType = {
  REMOVE: "remove",
  ADD: "add",
}

const SUPPORTED_LEVELS = [PermissionLevels.WRITE, PermissionLevels.READ]

function getPermissionType(resourceId) {
  const docType = DocumentTypes.filter(docType =>
    resourceId.startsWith(docType)
  )[0]
  switch (docType) {
    case DocumentTypes.TABLE:
    case DocumentTypes.ROW:
      return PermissionTypes.TABLE
    case DocumentTypes.AUTOMATION:
      return PermissionTypes.AUTOMATION
    case DocumentTypes.WEBHOOK:
      return PermissionTypes.WEBHOOK
    case DocumentTypes.QUERY:
    case DocumentTypes.DATASOURCE:
      return PermissionTypes.QUERY
    default:
      // views don't have an ID, will end up here
      return PermissionTypes.VIEW
  }
}

async function getBasePermissions(resourceId) {
  const type = getPermissionType(resourceId)
  const permissions = {}
  for (let [roleId, role] of Object.entries(BUILTIN_ROLES)) {
    if (!role.permissionId) {
      continue
    }
    const perms = getBuiltinPermissionByID(role.permissionId)
    const typedPermission = perms.permissions.find(perm => perm.type === type)
    if (typedPermission) {
      const level = typedPermission.level
      permissions[level] = lowerBuiltinRoleID(permissions[level], roleId)
      if (isPermissionLevelHigherThanRead(level)) {
        permissions[PermissionLevels.READ] = lowerBuiltinRoleID(
          permissions[PermissionLevels.READ],
          roleId
        )
      }
    }
  }
  return permissions
}

// utility function to stop this repetition - permissions always stored under roles
async function getAllDBRoles(db) {
  const body = await db.allDocs(
    getRoleParams(null, {
      include_docs: true,
    })
  )
  return body.rows.map(row => row.doc)
}

async function updatePermissionOnRole(
  appId,
  { roleId, resourceId, level },
  updateType
) {
  const db = new CouchDB(appId)
  const remove = updateType === PermissionUpdateType.REMOVE
  const isABuiltin = isBuiltin(roleId)
  const dbRoleId = getDBRoleID(roleId)
  const dbRoles = await getAllDBRoles(db)
  const docUpdates = []

  // the permission is for a built in, make sure it exists
  if (isABuiltin && !dbRoles.some(role => role._id === dbRoleId)) {
    const builtin = cloneDeep(BUILTIN_ROLES[roleId])
    builtin._id = getDBRoleID(builtin._id)
    dbRoles.push(builtin)
  }

  // now try to find any roles which need updated, e.g. removing the
  // resource from another role and then adding to the new role
  for (let role of dbRoles) {
    let updated = false
    const rolePermissions = role.permissions ? role.permissions : {}
    // handle the removal/updating the role which has this permission first
    // the updating (role._id !== dbRoleId) is required because a resource/level can
    // only be permitted in a single role (this reduces hierarchy confusion and simplifies
    // the general UI for this, rather than needing to show everywhere it is used)
    if (
      (role._id !== dbRoleId || remove) &&
      rolePermissions[resourceId] === level
    ) {
      delete rolePermissions[resourceId]
      updated = true
    }
    // handle the adding, we're on the correct role, at it to this
    if (!remove && role._id === dbRoleId) {
      rolePermissions[resourceId] = level
      updated = true
    }
    // handle the update, add it to bulk docs to perform at end
    if (updated) {
      role.permissions = rolePermissions
      docUpdates.push(role)
    }
  }

  const response = await db.bulkDocs(docUpdates)
  return response.map(resp => {
    resp._id = getExternalRoleID(resp.id)
    delete resp.id
    return resp
  })
}

exports.fetchBuiltin = function(ctx) {
  ctx.body = Object.values(BUILTIN_PERMISSIONS)
}

exports.fetchLevels = function(ctx) {
  // for now only provide the read/write perms externally
  ctx.body = SUPPORTED_LEVELS
}

exports.fetch = async function(ctx) {
  const db = new CouchDB(ctx.appId)
  const roles = await getAllDBRoles(db)
  let permissions = {}
  // create an object with structure role ID -> resource ID -> level
  for (let role of roles) {
    if (role.permissions) {
      const roleId = getExternalRoleID(role._id)
      if (permissions[roleId] == null) {
        permissions[roleId] = {}
      }
      for (let [resource, level] of Object.entries(role.permissions)) {
        permissions[roleId][resource] = higherPermission(
          permissions[roleId][resource],
          level
        )
      }
    }
  }
  ctx.body = permissions
}

exports.getResourcePerms = async function(ctx) {
  const resourceId = ctx.params.resourceId
  const db = new CouchDB(ctx.appId)
  const body = await db.allDocs(
    getRoleParams(null, {
      include_docs: true,
    })
  )
  const roles = body.rows.map(row => row.doc)
  const resourcePerms = {}
  for (let level of SUPPORTED_LEVELS) {
    for (let role of roles)
    // update the various roleIds in the resource permissions
    if (role.permissions && role.permissions[resourceId]) {
      const roleId = getExternalRoleID(role._id)
      resourcePerms[level] = higherPermission(
        resourcePerms[roleId],
        role.permissions[resourceId]
      )
    }
  }
  ctx.body = resourcePerms
}

exports.addPermission = async function(ctx) {
  ctx.body = await updatePermissionOnRole(
    ctx.appId,
    ctx.params,
    PermissionUpdateType.ADD
  )
}

exports.removePermission = async function(ctx) {
  ctx.body = await updatePermissionOnRole(
    ctx.appId,
    ctx.params,
    PermissionUpdateType.REMOVE
  )
}
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`const {`
			`BUILTIN_PERMISSIONS,`
			`PermissionLevels,`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`PermissionTypes,`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`higherPermission,`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`getBuiltinPermissionByID,`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`isPermissionLevelHigherThanRead,`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`} = require("../../utilities/security/permissions")`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`const {`
			`isBuiltin,`
			`getDBRoleID,`
			`getExternalRoleID,`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`lowerBuiltinRoleID,`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`BUILTIN_ROLES,`
			`} = require("../../utilities/security/roles")`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`const { getRoleParams, DocumentTypes } = require("../../db/utils")`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`const CouchDB = require("../../db")`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`const { cloneDeep } = require("lodash/fp")`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`const PermissionUpdateType = {`
			`REMOVE: "remove",`
			`ADD: "add",`
			`}`

Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`const SUPPORTED_LEVELS = [PermissionLevels.WRITE, PermissionLevels.READ]`

			`function getPermissionType(resourceId) {`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`const docType = DocumentTypes.filter(docType =>`
			`resourceId.startsWith(docType)`
			`)[0]`
			`switch (docType) {`
			`case DocumentTypes.TABLE:`
			`case DocumentTypes.ROW:`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return PermissionTypes.TABLE`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`case DocumentTypes.AUTOMATION:`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return PermissionTypes.AUTOMATION`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`case DocumentTypes.WEBHOOK:`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return PermissionTypes.WEBHOOK`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`case DocumentTypes.QUERY:`
			`case DocumentTypes.DATASOURCE:`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return PermissionTypes.QUERY`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`default:`
			`// views don't have an ID, will end up here`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return PermissionTypes.VIEW`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`}`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`}`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`async function getBasePermissions(resourceId) {`
			`const type = getPermissionType(resourceId)`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`const permissions = {}`
			`for (let [roleId, role] of Object.entries(BUILTIN_ROLES)) {`
			`if (!role.permissionId) {`
			`continue`
			`}`
			`const perms = getBuiltinPermissionByID(role.permissionId)`
			`const typedPermission = perms.permissions.find(perm => perm.type === type)`
			`if (typedPermission) {`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`const level = typedPermission.level`
			`permissions[level] = lowerBuiltinRoleID(permissions[level], roleId)`
			`if (isPermissionLevelHigherThanRead(level)) {`
			`permissions[PermissionLevels.READ] = lowerBuiltinRoleID(`
			`permissions[PermissionLevels.READ],`
			`roleId`
			`)`
			`}`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`}`
			`}`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`return permissions`
WIP - storing progress on RBAC changes. 2021-02-11 23:24:37 +13:00			`}`

Some more fixes after testing permissions a bit further. 2021-02-10 05:01:02 +13:00			`// utility function to stop this repetition - permissions always stored under roles`
			`async function getAllDBRoles(db) {`
			`const body = await db.allDocs(`
			`getRoleParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`return body.rows.map(row => row.doc)`
			`}`

Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`async function updatePermissionOnRole(`
			`appId,`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`{ roleId, resourceId, level },`
			`updateType`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`) {`
			`const db = new CouchDB(appId)`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`const remove = updateType === PermissionUpdateType.REMOVE`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`const isABuiltin = isBuiltin(roleId)`
			`const dbRoleId = getDBRoleID(roleId)`
Some more fixes after testing permissions a bit further. 2021-02-10 05:01:02 +13:00			`const dbRoles = await getAllDBRoles(db)`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`const docUpdates = []`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`// the permission is for a built in, make sure it exists`
			`if (isABuiltin && !dbRoles.some(role => role._id === dbRoleId)) {`
			`const builtin = cloneDeep(BUILTIN_ROLES[roleId])`
			`builtin._id = getDBRoleID(builtin._id)`
			`dbRoles.push(builtin)`
			`}`
Some more work and start of a test case towards resource permissions. 2021-02-09 07:30:30 +13:00
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`// now try to find any roles which need updated, e.g. removing the`
			`// resource from another role and then adding to the new role`
			`for (let role of dbRoles) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`let updated = false`
			`const rolePermissions = role.permissions ? role.permissions : {}`
			`// handle the removal/updating the role which has this permission first`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`// the updating (role._id !== dbRoleId) is required because a resource/level can`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`// only be permitted in a single role (this reduces hierarchy confusion and simplifies`
			`// the general UI for this, rather than needing to show everywhere it is used)`
			`if (`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`(role._id !== dbRoleId \|\| remove) &&`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`rolePermissions[resourceId] === level`
			`) {`
			`delete rolePermissions[resourceId]`
			`updated = true`
			`}`
			`// handle the adding, we're on the correct role, at it to this`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`if (!remove && role._id === dbRoleId) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`rolePermissions[resourceId] = level`
			`updated = true`
			`}`
			`// handle the update, add it to bulk docs to perform at end`
			`if (updated) {`
			`role.permissions = rolePermissions`
			`docUpdates.push(role)`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`}`
			`}`

Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`const response = await db.bulkDocs(docUpdates)`
Fixing minor bug with permission add. 2021-02-10 02:14:23 +13:00			`return response.map(resp => {`
			`resp._id = getExternalRoleID(resp.id)`
			`delete resp.id`
			`return resp`
			`})`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.fetchBuiltin = function(ctx) {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`ctx.body = Object.values(BUILTIN_PERMISSIONS)`
			`}`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00
			`exports.fetchLevels = function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`// for now only provide the read/write perms externally`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`ctx.body = SUPPORTED_LEVELS`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`}`

Some more fixes after testing permissions a bit further. 2021-02-10 05:01:02 +13:00			`exports.fetch = async function(ctx) {`
			`const db = new CouchDB(ctx.appId)`
			`const roles = await getAllDBRoles(db)`
			`let permissions = {}`
			`// create an object with structure role ID -> resource ID -> level`
			`for (let role of roles) {`
			`if (role.permissions) {`
			`const roleId = getExternalRoleID(role._id)`
			`if (permissions[roleId] == null) {`
			`permissions[roleId] = {}`
			`}`
			`for (let [resource, level] of Object.entries(role.permissions)) {`
			`permissions[roleId][resource] = higherPermission(`
			`permissions[roleId][resource],`
			`level`
			`)`
			`}`
			`}`
			`}`
			`ctx.body = permissions`
			`}`

Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`exports.getResourcePerms = async function(ctx) {`
			`const resourceId = ctx.params.resourceId`
			`const db = new CouchDB(ctx.appId)`
			`const body = await db.allDocs(`
			`getRoleParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`const roles = body.rows.map(row => row.doc)`
			`const resourcePerms = {}`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`for (let level of SUPPORTED_LEVELS) {`
			`for (let role of roles)`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`// update the various roleIds in the resource permissions`
			`if (role.permissions && role.permissions[resourceId]) {`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`const roleId = getExternalRoleID(role._id)`
Some updates to RBAC backend, try to make switch to object support level -> roleID. 2021-02-12 02:29:15 +13:00			`resourcePerms[level] = higherPermission(`
Fixing issues with builtin roles living in the database as well as in code (easier to change in the future this way) - discovered by basic test case. 2021-02-10 02:01:45 +13:00			`resourcePerms[roleId],`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`role.permissions[resourceId]`
			`)`
			`}`
			`}`
			`ctx.body = resourcePerms`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.addPermission = async function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`ctx.body = await updatePermissionOnRole(`
			`ctx.appId,`
			`ctx.params,`
			`PermissionUpdateType.ADD`
			`)`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.removePermission = async function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`ctx.body = await updatePermissionOnRole(`
			`ctx.appId,`
			`ctx.params,`
			`PermissionUpdateType.REMOVE`
			`)`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`