budibase/packages/server/src/api/controllers/permission.js

const {
  BUILTIN_PERMISSIONS,
  PermissionLevels,
  higherPermission,
} = require("../../utilities/security/permissions")
const { getRoleParams } = require("../../db/utils")
const CouchDB = require("../../db")

const PermissionUpdateType = {
  REMOVE: "remove",
  ADD: "add",
}

async function updatePermissionOnRole(
  appId,
  { roleId, resourceId, level },
  updateType
) {
  const db = new CouchDB(appId)
  const remove = updateType === PermissionUpdateType.REMOVE
  const body = await db.allDocs(
    getRoleParams(null, {
      include_docs: true,
    })
  )
  const dbRoles = body.rows.map(row => row.doc)
  const docUpdates = []

  // now try to find any roles which need updated, e.g. removing the
  // resource from another role and then adding to the new role
  for (let role of dbRoles) {
    let updated = false
    const rolePermissions = role.permissions ? role.permissions : {}
    // handle the removal/updating the role which has this permission first
    // the updating (role._id !== roleId) is required because a resource/level can
    // only be permitted in a single role (this reduces hierarchy confusion and simplifies
    // the general UI for this, rather than needing to show everywhere it is used)
    if (
      (role._id !== roleId || remove) &&
      rolePermissions[resourceId] === level
    ) {
      delete rolePermissions[resourceId]
      updated = true
    }
    // handle the adding, we're on the correct role, at it to this
    if (!remove && role._id === roleId) {
      rolePermissions[resourceId] = level
      updated = true
    }
    // handle the update, add it to bulk docs to perform at end
    if (updated) {
      role.permissions = rolePermissions
      docUpdates.push(role)
    }
  }

  return db.bulkDocs(docUpdates)
}

exports.fetchBuiltin = function(ctx) {
  ctx.body = Object.values(BUILTIN_PERMISSIONS)
}

exports.fetchLevels = function(ctx) {
  // for now only provide the read/write perms externally
  ctx.body = [PermissionLevels.WRITE, PermissionLevels.READ]
}

exports.getResourcePerms = async function(ctx) {
  const resourceId = ctx.params.resourceId
  const db = new CouchDB(ctx.appId)
  const body = await db.allDocs(
    getRoleParams(null, {
      include_docs: true,
    })
  )
  const roles = body.rows.map(row => row.doc)
  const resourcePerms = {}
  for (let role of roles) {
    // update the various roleIds in the resource permissions
    if (role.permissions && role.permissions[resourceId]) {
      resourcePerms[role._id] = higherPermission(
        resourcePerms[role._id],
        role.permissions[resourceId]
      )
    }
  }
  ctx.body = resourcePerms
}

exports.addPermission = async function(ctx) {
  ctx.body = await updatePermissionOnRole(
    ctx.appId,
    ctx.params,
    PermissionUpdateType.ADD
  )
}

exports.removePermission = async function(ctx) {
  ctx.body = await updatePermissionOnRole(
    ctx.appId,
    ctx.params,
    PermissionUpdateType.REMOVE
  )
}
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`const {`
			`BUILTIN_PERMISSIONS,`
			`PermissionLevels,`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`higherPermission,`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`} = require("../../utilities/security/permissions")`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`const { getRoleParams } = require("../../db/utils")`
			`const CouchDB = require("../../db")`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`const PermissionUpdateType = {`
			`REMOVE: "remove",`
			`ADD: "add",`
			`}`

Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`async function updatePermissionOnRole(`
			`appId,`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`{ roleId, resourceId, level },`
			`updateType`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`) {`
			`const db = new CouchDB(appId)`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`const remove = updateType === PermissionUpdateType.REMOVE`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`const body = await db.allDocs(`
			`getRoleParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`const dbRoles = body.rows.map(row => row.doc)`
			`const docUpdates = []`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`// now try to find any roles which need updated, e.g. removing the`
			`// resource from another role and then adding to the new role`
			`for (let role of dbRoles) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`let updated = false`
			`const rolePermissions = role.permissions ? role.permissions : {}`
			`// handle the removal/updating the role which has this permission first`
			`// the updating (role._id !== roleId) is required because a resource/level can`
			`// only be permitted in a single role (this reduces hierarchy confusion and simplifies`
			`// the general UI for this, rather than needing to show everywhere it is used)`
			`if (`
			`(role._id !== roleId \|\| remove) &&`
			`rolePermissions[resourceId] === level`
			`) {`
			`delete rolePermissions[resourceId]`
			`updated = true`
			`}`
			`// handle the adding, we're on the correct role, at it to this`
			`if (!remove && role._id === roleId) {`
			`rolePermissions[resourceId] = level`
			`updated = true`
			`}`
			`// handle the update, add it to bulk docs to perform at end`
			`if (updated) {`
			`role.permissions = rolePermissions`
			`docUpdates.push(role)`
Further work, need to have a larger think about the API of this. 2021-02-06 07:46:15 +13:00			`}`
			`}`

Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`return db.bulkDocs(docUpdates)`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.fetchBuiltin = function(ctx) {`
Changing the role system to have permissions integrated rather than the permissions being per user. 2020-12-03 06:08:25 +13:00			`ctx.body = Object.values(BUILTIN_PERMISSIONS)`
			`}`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00
			`exports.fetchLevels = function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`// for now only provide the read/write perms externally`
			`ctx.body = [PermissionLevels.WRITE, PermissionLevels.READ]`
			`}`

			`exports.getResourcePerms = async function(ctx) {`
			`const resourceId = ctx.params.resourceId`
			`const db = new CouchDB(ctx.appId)`
			`const body = await db.allDocs(`
			`getRoleParams(null, {`
			`include_docs: true,`
			`})`
			`)`
			`const roles = body.rows.map(row => row.doc)`
			`const resourcePerms = {}`
			`for (let role of roles) {`
			`// update the various roleIds in the resource permissions`
			`if (role.permissions && role.permissions[resourceId]) {`
			`resourcePerms[role._id] = higherPermission(`
			`resourcePerms[role._id],`
			`role.permissions[resourceId]`
			`)`
			`}`
			`}`
			`ctx.body = resourcePerms`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.addPermission = async function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`ctx.body = await updatePermissionOnRole(`
			`ctx.appId,`
			`ctx.params,`
			`PermissionUpdateType.ADD`
			`)`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`

			`exports.removePermission = async function(ctx) {`
Adding in resource IDs everywhere they should be accessible. 2021-02-09 06:22:07 +13:00			`ctx.body = await updatePermissionOnRole(`
			`ctx.appId,`
			`ctx.params,`
			`PermissionUpdateType.REMOVE`
			`)`
Initial work towards rbac. 2021-02-06 04:58:25 +13:00			`}`